Vulnerability
================
Ektron CMS 9.20 SP2 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page
is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).
Proof of concept Exploit
========================
Pre-requisites:
- curl command deployed (Windows or Linux)
- Burpsuite Free/Pro deployed or any other WebProxy to catch/send GET request
Step (1): Launch the BurpSuite with default paramenter then request the follwing URL:
You should see now the following response 200 OK!:
HTTP/1.0 200 Connection established
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Now you got access to enable users, just send the repeat request into the browser using burpsuite
Have fun!
Mitigations
================
Install the latest patches available here:
PATCH ID: EKTR-508: Security enhancement for re-enabling a user
https://support.episerver.com/hc/en-us/articles/115002828112-9-2-SP2-Site-Update
Any of the below should fix CVE-2018-12596
9.3(main release)
9.2 SP2 Site CU 22
9.1 SP3 Site CU 45
9.0 SP3 Site CU 31
Disclosure policy
================
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.
This vulnerability will be published if we do not receive a response to this report with 10 days.
Timeline
================
2018–06–08: Discovered
2018–06–11: Retest staging environment
2018–06–12: Restes live environment
2018–06–19: Internal communication
2018–06–21: Vendor notification
2018–06–21: Vendor feedback
2018–06–29: Vendor feedback product will be patched
2018–06–29: Patch available
2018–06–29: Agrements with the vendor to publish the CVE/Advisory.
2018–07–30: Internal communication
2018–09–15: Patches tested on LAB environment.
2018–10–08: Public report
Discovered by:
Alex Hernandez aka alt3kx:
================
Please visit https://github.com/alt3kx for more information.
My current exploit list @exploit-db: https://www.exploit-db.com/author/?a=1074