Home > Security, Sitecore > Sitecore 10 Authenticated File upload to RCE / CVE-2021-38366

Sitecore 10 Authenticated File upload to RCE / CVE-2021-38366

10/08/2021 Leave a comment Go to comments

After looking for some extreme hardening of the Sitecore client I found a way to get Remote Code execution (RCE) via a Update center, described in this post.

It is possible for authenticated users, to upload arbitrary files, via update package functionality.It is possible for a malicious attacker to bypass file upload restrictions, hardened with the Sitecore hardening guide https://doc.sitecore.com/en/developers/101/platform-administration-and-architecture/security-guide.html and with secure file upload functionality, taken from this link
https://doc.sitecore.com/developers/100/platform-administration-and-architecture/en/secure-thefile-upload-functionality.html.

Test Instance information

The test of this was done on a local Windows 10 machine with Sitecore 10 XM installation, installed via Graphical installation wizard see more information below

System Information
Sitecore version information

The Additional Filed upload restriction package was also installed with the following settings.

<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
<sitecore>
<processors>
<uiUpload>
<processor mode="on"
type="Sitecore.Pipelines.Upload.CheckExtension,
Sitecore.UploadFilter" patch:before="*[1]">
<param desc="Allowed extensions (comma separated)"></param>
<param desc="Blocked extensions (comma separated)">exe,dll,aspx</param>
</processor>
</uiUpload>
</processors>
</sitecore>
</configuration>

Steps to reproduce

Keep in mind this is a autheticated file upload, so a compromised user must be obtained.

  1. Authenticate / Login to Sitecore

2. Once correctly logged in. Navigate to the Upload center

Navigated to update center

3. Choose/click the option to upload custom update

Upload via custom upload

4. Pick your custom webshell

Upload of custom webshell

5. If the installer hangs click anywhere in the windows, this is expected.

Uplaoder timesout / hangs

6. Since uploads of updates packages always goes into the same folder

https://HOSTNAME/sitecore/admin/Packages/

to find the uploaded file in our case
https://sc101cm.dev.local/sitecore/admin/Packages/shell.aspx

7. Now all that is left is running the webshell.

Running our uploaded webshell

Remediation

Disabled the Update center functionality

One way of doing the in add restriction to path in web.config like below

 <location path="sitecore/api/ssc/updatecenter">
  <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

Other

The findings has been reported to Sitecore, and the Update center is being deprecated, but until this happens a simple fix is as mentioned to disabled the Update center functionality.

This vulnerability has been given CVE-2021-38366

Advertisement
Categories: Security, Sitecore Tags: ,
  1. Kenneth McAndrew (@kmac23va)
    10/08/2021 at 21:19
    Reply

    You say the remediation is to disable the update center. How do you go about doing this?

    • istern
      11/08/2021 at 09:17
      Reply

      Hi Kenneth
      Sorry somehow this part was missing, I’ve added in again, there might be better ways to do it but then one shown will limit all access to the updatecenter

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: