
I recently joined watchTowr, so it's time - time for my first watchTowr Labs post

2025/03/17 20:12

Kentico's Xperience CMS stood out, meeting several key criteria: this fits what we'd define as "interesting",

Having recently joined the watchTowr Labs team, I wanted to keep up the trail of destruction the team has left behind, and so had to get my teeth into things quickly. Two primary goals were clear:

* Continue the legacy of high-quality research into interesting and impactful vulnerabilities.

* Contribute to the broader security community with our findings.

Kentico’s Xperience CMS stood out as promising, fulfilling several key criteria:

* It’s a widely used solution, powering a large portion of the web.

* The Kentico security team has always been responsive and engaged in disclosing vulnerabilities.

* It presented several interesting technical challenges that we enjoyed exploring.

This meets the criteria of something we’d define as “interesting,” so we began. A few hours later, (sigh), we stumbled into our first Authentication Bypass vulnerability. Throughout this research, we identified the following vulnerabilities:

* WT-2025-0006: Authentication Bypass in Kentico Xperience CMS Staging API

* WT-2025-0007: Post-Auth Remote Code Execution in Kentico Xperience CMS Staging API

* WT-2025-0011: Another Authentication Bypass in Kentico Xperience CMS Staging API

As we walk through this analysis, we’ll take you on our journey that allowed us to build exploit chains to achieve Remote Code Execution against (at the time) fully patched Kentico Xperience CMS deployments.

Time to dive in… (and until next time..)

Vulnerable Configuration

Before we even start deep diving into the vulnerabilities, we want to be clear that the vulnerabilities highlighted in this blogpost do not affect every Kentico CMS installation (but do appear to affect common configurations).

For the vulnerabilities we’re about to discuss, two requirements need to be fulfilled:

* The Staging Service must be enabled.

* The authentication type must be set to User name and password.

However, based on our dataset and exposure across the watchTowr client base, we can confidently say that the above requirements appear to be a common configuration - please do not write these weaknesses off as requiring edge cases. Reassuringly, this seriousness and severity was reflected in the vendor's response - the Kentico security team treated all vulnerabilities seriously, and we'll discuss this further later.

We performed our initial research on Kentico Xperience 13.0.172. We then found a second Authentication Bypass while reviewing Kentico Xperience 13.0.173. Although we never reviewed version 12 of Kentico Xperience (or below), we have high-confidence data that version 12 is also vulnerable to both the WT-2025-0006 Authentication Bypass and the WT-2025-0011 Authentication Bypass.

To get your system into a vulnerable position while you follow this post along at home, a Kentico administrative user can enable the Staging Service within the CMS settings functionality, while selecting the User name and password authentication type, as presented in the next screenshot:

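As a defender's counterpart to the two requirements above, the following T-SQL query reports, per site, whether a Kentico database is in the configuration this post describes (Staging Service enabled with User name and password authentication). This is an added example, not code from the watchTowr post or from Kentico; it assumes settings live in CMS_SettingsKey with KeyName/KeyValue/KeySiteID columns (KeySiteID NULL for the global default, a SiteID for a per-site override), that the keys are named CMSStagingServiceEnabled and CMSStagingServiceAuthentication, and that an authentication value of 0 denotes User name and password (1 = X.509 certificate).

```sql
-- Added example (assumed Kentico schema and key names; verify against your instance).
-- Resolve the effective value of each wanted setting per site: a site-level row
-- overrides the global (KeySiteID IS NULL) row, mirroring how the CMS resolves settings.
WITH wanted AS (
    SELECT KeyName
    FROM (VALUES ('CMSStagingServiceEnabled'),        -- assumed key name
                 ('CMSStagingServiceAuthentication')) -- assumed key name
         AS w(KeyName)
),
effective AS (
    SELECT s.SiteID,
           s.SiteName,
           w.KeyName,
           COALESCE(site_k.KeyValue, glob_k.KeyValue) AS KeyValue
    FROM CMS_Site AS s
    CROSS JOIN wanted AS w
    LEFT JOIN CMS_SettingsKey AS glob_k
           ON glob_k.KeyName = w.KeyName AND glob_k.KeySiteID IS NULL
    LEFT JOIN CMS_SettingsKey AS site_k
           ON site_k.KeyName = w.KeyName AND site_k.KeySiteID = s.SiteID
)
SELECT en.SiteName,
       en.KeyValue AS StagingServiceEnabled,
       au.KeyValue AS AuthenticationMode,   -- assumed: '0' = User name and password
       CASE
           WHEN en.KeyValue = 'True' AND au.KeyValue = '0'
               THEN 'REVIEW: staging service on with username/password auth'
           WHEN en.KeyValue = 'True'
               THEN 'staging service on (certificate auth)'
           ELSE 'ok: staging service off'
       END AS Assessment
FROM effective AS en
JOIN effective AS au
  ON au.SiteID = en.SiteID
WHERE en.KeyName = 'CMSStagingServiceEnabled'
  AND au.KeyName = 'CMSStagingServiceAuthentication'
ORDER BY en.SiteName;
```

Run it read-only against the CMS database; any row marked REVIEW matches the exposure profile the post goes on to exploit and should be prioritised for patching or for switching the authentication type.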
With this configuration complete, the next step is to investigate how this authentication is being performed. Let's dive into the technical details!

WT-2025-0006: Authentication Bypass

When we review new solutions, as we've described before, a basic aim is to understand the exposed attack surface of the solution and quickly get a feel for how it has been architected. In the case of web applications, you may want to look for REST- or SOAP-based APIs. Interestingly, Kentico's Xperience CMS does not expose a significant number of web services and endpoints, presenting a relatively small attack surface.

However, a service called CMS.Synchronization.WSE3.SyncServer immediately caught our attention. It exposes a single endpoint, and was interesting for two reasons:

* It’s used for synchronization tasks between several Kentico instances.

* It’s part of the internal Kentico API, not something that is designed to be used by third-party services or applications.

Sounds like fun! Let's try to send a simple HTTP request targeting this web method and just see what happens through the power of FAFO:

We’re presented with the following error message:

In the screenshot above presenting the definition of the WebService, you may have noticed a mysterious Policy attribute. Its full class name is Microsoft.Web.Services3.PolicyAttribute, and it's implemented in Microsoft.Web.Services3.dll. We'd never heard of this DLL before, and so found ourselves scratching our heads a little here.

A quick Google search revealed that this is part of the obsolete (probably since 2012) Web Services Enhancements 3.0 for Microsoft .NET. This was likely superseded by .NET WCF, but it'
