我最近加入了watchtowr，所以是时候了 - 我的第一个watchtowr实验室的时候了

肯蒂科（Kentico）的Xperience CMS脱颖而出，达到了几个关键标准：这符合我们将其定义为“有趣”的标准，

Recently joining the watchTowr Labs team, I wanted to maintain the trail of destruction left by the team and so had to get my teeth into things quickly. Two primary goals were clear:

最近加入了Watchtowr Labs团队，我想维持团队留下的破坏之路，因此不得不迅速将我的牙齿付诸实践。两个主要目标很明确：

* Continue the legacy of high-quality research into interesting and impactful vulnerabilities.

*将高质量研究的遗产延续到有趣且有影响力的漏洞中。

* Contribute to the broader security community with our findings.

*通过我们的发现为更广泛的安全社区做出了贡献。

Kentico’s Xperience CMS stood out as promising, fulfilling several key criteria:

肯蒂科（Kentico）的Xperience CMS脱颖而出，符合几个关键标准：

* It’s a widely used solution, powering a large portion of the web.

*这是一种广泛使用的解决方案，为网络的很大一部分提供动力。

* The Kentico security team has always been responsive and engaged in disclosing vulnerabilities.

* Kentico安全团队一直反应迅速，并从事披露漏洞。

* It presented several interesting technical challenges that we enjoyed exploring.

*它提出了我们喜欢探索的几个有趣的技术挑战。

This meets the criteria of something we’d define as “interesting,” so we began. A few hours later, (sigh), we stumbled into our first Authentication Bypass vulnerability. Throughout this research, we identified the following vulnerabilities:

这符合我们将其定义为“有趣”的标准，因此我们开始了。几个小时后，（叹气），我们偶然发现了第一个身份验证旁路漏洞。在整个研究中，我们确定了以下漏洞：

* WT-2025-0006: Authentication Bypass in Kentico Xperience CMS Staging API

* wt-2025-0006：肯蒂科Xperience CMS的身份验证旁路

* WT-2025-0007: Post-Auth Remote Code Execution in Kentico Xperience CMS Staging API

* wt-2025-0007：肯蒂科Xperience xperience cms staging api中的后作物后远程代码执行

* WT-2025-0011: Another Authentication Bypass in Kentico Xperience CMS Staging API

* WT-2025-0011：Kentico Xperience CMS分期API中的另一个身份验证旁路

As we walk through this analysis, we’ll take you on our journey that allowed us to build exploit chains to achieve Remote Code Execution against (at the time) fully patched Kentico Xperience CMS deployments.

当我们仔细研究这一分析时，我们将带您前进，使我们能够建立利用链条，以实现（当时）完全修补的肯蒂科Xperience CMS部署的远程代码执行。

Time to dive in… (and until next time..)

是时候潜水了……（直到下一次..）

Vulnerable Configuration

脆弱的配置

脆弱的配置

Before we even start deep diving into the vulnerabilities, we want to be clear that the vulnerabilities highlighted in this blogpost do not affect every Kentico CMS installation (but do appear to affect common configurations).

在我们甚至开始深入研究漏洞之前，我们要清楚地表明，此博客文章中突出显示的漏洞不会影响每个Kentico CMS安装（但似乎确实会影响常见的配置）。

For the vulnerabilities we’re about to discuss, two requirements need to be fulfilled:

对于我们将要讨论的漏洞，需要满足两个要求：

* The Staging Service must be enabled.

*必须启用登台服务。

* The authentication type must be set to User name and password.

*身份验证类型必须设置为用户名和密码。

However, based on our dataset and exposure across the watchTowr client base, we can confidently say that the above requirements appear to be a common configuration - please do not write these weaknesses off as requiring edge cases. Reassuringly, this seriousness and severity was reflected in the vendors response - the Kentico security team treated all vulnerabilities seriously, and we’ll discuss this further later.

但是，基于我们在WatchTowr客户群中的数据集和曝光度，我们可以自信地说上述要求似乎是一种常见的配置 - 请不要将这些弱点写下来，因为需要边缘案例。令人放心的是，这种严重性和严重性反映在供应商的回应中 - 肯蒂科安全团队对所有漏洞进行了认真的处理，我们将在稍后再讨论。

Our research, initially, was performed our initial research on Kentico Xperience 13.0.172. We also found a second Authentication Bypass, while reviewing Kentico Xperience 13.0.173. Although we never reviewed version 12 of Kentico Xperience (or below), we have high-confidence data that version 12 is also vulnerable to both WT-2025-0006 Authentication Bypass and WT-2025-0011 Authentication Bypass.

最初，我们的研究是对Kentico Xperience 13.0.172进行的最初研究。我们还发现了第二个身份验证旁路，同时审查了Kentico Xperience 13.0.173。尽管我们从未审查过Kentico Xperience（或以下）的第12版，但我们具有高信心数据，即版本12也容易受到WT-2025-0006身份验证绕道和WT-2025-0011身份验证旁路的影响。

To get your system into a vulnerable position while you follow this post along at home, a Kentico administrative user can enable the Staging Service within the CMS settings functionality, while selecting the User name and password authentication type, as presented in the next screenshot:

为了使您的系统在沿着家里关注此帖子时将您的系统置于脆弱的位置，肯蒂科管理用户可以在CMS设置功能中启用登台服务，而选择“用户名和密码身份验证类型”，如下一个ScreenShot中所示：

With this configuration complete, the next step is to investigate how this authentication is being performed. Let's dive into the technical details!

完成此配置后，下一步是研究如何执行此身份验证。让我们研究技术细节！

WT-2025-0006: Authentication Bypass

WT-2025-0006：身份验证旁路

WT-2025-0006：身份验证旁路

When we review new solutions, as we’ve described before a basic aim is to understand the exposed attack surface of the solution and quickly get a feel for how it has been architected. In case of web applications, you may want to look for some REST- or SOAP-based APIs. Interestingly, Kentico’s Experience CMS does not expose a significant number of webservices and endpoints, presenting a relatively small attack surface.

当我们回顾新的解决方案时，正如我们在基本目的之前所描述的那样，是要了解解决方案的裸露攻击表面，并迅速了解其构建方式。对于Web应用程序，您可能需要寻找一些基于REST或SOAP的API。有趣的是，Kentico的经验CMS不会暴露大量的网站服务和端点，从而表现出相对较小的攻击表面。

However, a service called CMS.Synchronization.WSE3.SyncServer immediately caught our attention. It exposes a single endpoint, and was interesting for two reasons:

但是，一项名为CMS.Synchronization.wse3.syncserver的服务立即引起了我们的注意。它暴露了一个终点，很有趣，有两个原因：

* It’s used for synchronization tasks between several Kentico instances.

*它用于在几个Kentico实例之间同步任务。

* It’s part of the internal Kentico API, not something that is designed to be used by third-party services or applications.

*它是内部肯蒂科API的一部分，不是第三方服务或应用程序使用的东西。

Sounds like fun! Let's try to send a simple HTTP request targeting this web method and just see what happens through the power of FAFO:

听起来很有趣！让我们尝试发送针对此Web方法的简单HTTP请求，然后看看FAFO的力量会发生什么：

We’re presented with the following error message:

向我们介绍了以下错误消息：

In the screenshot above presenting the definition of WebService, you may have noticed a mysterious Policy attribute. Its full class name is Microsoft.Web.Services3.PolicyAttribute, and it's implemented in Microsoft.Web.Services3.dll. We've never heard of this DLL before, and so found ourselves scratching our heads a little here.

在上面介绍Web服务的定义的屏幕截图中，您可能已经注意到了一个神秘的政策属性。它的完整名称是Microsoft.web.services3.policyattribute，它在microsoft.web.services3.dll中实现。我们以前从未听说过这个DLL，因此发现自己在这里有点挠头。

A quick Google search revealed that this is part of obsolete (probably since 2012) Web Services Enhancement 3.0 for Microsoft .NET. This is likely superseded by .NET WCF, but it'

快速的Google搜索显示，这是Microsoft .NET的过时（可能是自2012年以来）Web Services增强3.0的一部分。这很可能被.NET WCF所取代，但它'