Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Cache Me If You - Sitecore Experience Platform Vulns - 1721

Piotr Bazydlo - WatchTowr, posted 6 months ago
  • Sitecore Experience Platform is a Content Management System (CMS). There are at least 22K public Sitecore instances, making this a fairly impactful target.
  • The HTTP handler XamlPageHandlerFactory has had many issues in the past. This works by internally fetching the handler responsible for page generation. Sitecore will generate the page and initialize every component described in the XAML definition. There are several parameters that can control this dispatch - __SOURCE and __PARAMETERS. Any sort of dynamic dispatch has the potential to go wrong and must be reviewed thoroughly.
  • The gathered handlers iterate over the requested method and call methodFiltered.Invoke after checking whether that method is allowed to be called. There are two somewhat similar implementations of this dispatch, but the second one also accepts the type XmlControl as a valid type in the filtering. This second type is only extended by the handler HtmlPage.xaml.xml! Crazily enough, this allows dispatch calls to be nested.
  • To do this, call an XmlControl that passes the whitelist check. Then, create the arbitrary XAML handler and call it. So, what can this WebControl actually call? The best primitive they found was AddToCache, which leads to an arbitrary cache poisoning vulnerability that is super bad.
  • Using the first primitive effectively turns this into an authentication bypass, since we could poison any page. While going through the codebase, they found the sink Base64ToObject. After some effort, they found a mechanism to trigger this via an HTML editor API: basic sink-to-source analysis.
  • I enjoyed this cache poisoning issue a lot. This is because finding this primitive through all of the functions took a long time to think through. What's the worst thing that we can reasonably do given the impact we have? Sometimes, the bug is the simple part, and it's the impact that is harder to figure out.
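A toy Python model, added here and not taken from the post or from Sitecore, of the allowlist-filtered dispatch described in the third and fourth bullets: the outer check passes because the allowlisted NestingControl (a stand-in for XmlControl) declares the invoked method, and the unfiltered inner hop then reaches a sensitive method on a type that was never allowlisted. The hardened variant keeps the same allowlist but applies the filter on every hop. All class, method and registry names are constructed stand-ins, not Sitecore identifiers.

```python
"""Toy model of allowlist-filtered dynamic dispatch and the nested-dispatch flaw."""

class Control:
    """Benign base type: only rendering is exposed."""
    def render(self):
        return "<page/>"

class CacheControl(Control):
    """Constructed stand-in for a control with a sensitive method (like AddToCache)."""
    store = {}

    def add_to_cache(self, key, value):
        CacheControl.store[key] = value
        return f"cached:{key}"

REGISTRY = {"Control": Control, "CacheControl": CacheControl}  # constructed registry

def declaring_type(target, method):
    """Return the class in target's MRO that defines `method` (None if absent)."""
    return next((c for c in type(target).__mro__ if method in c.__dict__), None)

def filtered_invoke(target, method, args, allowed):
    """Dispatch only if the method's declaring type is on the allowlist."""
    owner = declaring_type(target, method)
    if owner is None or owner not in allowed:
        raise PermissionError(f"{type(target).__name__}.{method} is not allowlisted")
    return getattr(target, method)(*args)

class NestingControl(Control):
    """Stand-in for the XmlControl-like type: allowlisted, and it dispatches again."""
    def __init__(self, inner_filtered):
        self.inner_filtered = inner_filtered  # whether the inner hop is filtered too

    def invoke_child(self, child_name, method, *args):
        child = REGISTRY[child_name]()
        if self.inner_filtered:
            return filtered_invoke(child, method, args, ALLOWED)
        return getattr(child, method)(*args)  # lax: inner hop trusts the outer check

ALLOWED = {Control, NestingControl}  # allowlist that includes the re-dispatching type

def lax_dispatch(child_name, method, *args):
    """Outer check passes (invoke_child is declared on NestingControl); inner hop is unchecked."""
    return filtered_invoke(NestingControl(False), "invoke_child",
                           (child_name, method, *args), ALLOWED)

def hardened_dispatch(child_name, method, *args):
    """Same allowlist, but every hop is filtered, so the nested sensitive call is denied."""
    return filtered_invoke(NestingControl(True), "invoke_child",
                           (child_name, method, *args), ALLOWED)
```

Running lax_dispatch("CacheControl", "add_to_cache", "/login", "poisoned") writes the cache entry, while hardened_dispatch with the same arguments raises PermissionError and benign calls such as hardened_dispatch("Control", "render") still succeed.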