Keyoti SearchUnit Server-Side Request Forgery Vulnerability
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Keyoti SearchUnit versions prior to 9.0.0. The vulnerability exists in the SearchService.svc/GetResults and SearchService.svc/GetLocationAndContentCategories endpoints. An attacker can exploit this vulnerability by specifying their own SMB server as the indexDirectory value in POST requests. This allows the attacker to manipulate the SearchUnit server into reading and writing configuration and log files to and from the attacker's server.
Impact
Exploitation of this vulnerability allows for unauthorized SMB connections from the vulnerable server to the attacker's SMB server, potentially leading to NTLM hash leakage from the account under which the Keyoti application is running.
Reproduction
To reproduce this vulnerability, send a POST request to either '/Keyoti_SearchEngine_Web_Common/SearchService.svc/GetResults' or '/Keyoti_SearchEngine_Web_Common/SearchService.svc/GetLocationAndContentCategories' with a crafted indexDirectory parameter that points to an SMB share controlled by the attacker. Ensure that the 'Keyoti-SearchEngine-ShowDetailedErrors' setting is enabled in the application's web.config file to expose verbose error messages that can aid in exploitation.
Remediation
Users are advised to update to Keyoti SearchUnit version 9.0 or later, as this version addresses the vulnerability by preventing SMB paths from being accepted in the indexDirectory parameter. Additionally, organizations should consider moving to a supported version of the .NET Framework.
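A detection check for the request pattern described above, as an added example that is not part of the original advisory or of Keyoti's code: it flags POSTs to the two endpoints whose indexDirectory value is a UNC or file://host path. It assumes a JSON request body and captured requests available as (method, path, body) tuples; the sample records, hostnames and the other field names are constructed.

```python
import json
import re

# Endpoint suffixes named in the advisory (compared case-insensitively).
ENDPOINTS = (
    "/searchservice.svc/getresults",
    "/searchservice.svc/getlocationandcontentcategories",
)
# \\host\share, //host/share and file://host/... all make Windows open an SMB
# connection; file:///C:/... (empty host) is local and is not matched.
REMOTE_PATH = re.compile(r"^\s*(?:[\\/]{2}|file:[\\/]{2}[^\\/])", re.IGNORECASE)

# Constructed sample records: (method, path, raw body). Not real traffic.
SAMPLE = [
    ("POST", "/Keyoti_SearchEngine_Web_Common/SearchService.svc/GetResults",
     r'{"indexDirectory": "~/Keyoti_Search_Index", "query": "report"}'),
    ("POST", "/Keyoti_SearchEngine_Web_Common/SearchService.svc/GetResults",
     r'{"indexDirectory": "\\\\198.51.100.7\\idx", "query": "a"}'),
    ("POST", "/Keyoti_SearchEngine_Web_Common/SearchService.svc/GetLocationAndContentCategories",
     '{"request": {"IndexDirectory": "//smb.example.net/idx"}}'),
    ("POST", "/Other.svc/Ping", r'{"indexDirectory": "\\\\198.51.100.7\\idx"}'),
    ("GET", "/Keyoti_SearchEngine_Web_Common/SearchService.svc/GetResults", ""),
]

def index_directories(node):
    """Yield every string stored under a key named indexDirectory, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() == "indexdirectory" and isinstance(value, str):
                yield value
            else:
                yield from index_directories(value)
    elif isinstance(node, list):
        for item in node:
            yield from index_directories(item)

def suspicious(method, path, body):
    """Return the remote indexDirectory values found in one request, else []."""
    target = path.split("?")[0].lower()
    if method.upper() != "POST" or not target.endswith(ENDPOINTS):
        return []
    try:
        doc = json.loads(body)
    except ValueError:
        return []  # non-JSON bodies are skipped here; log them separately
    return [v for v in index_directories(doc) if REMOTE_PATH.match(v)]

def scan(records):
    """Return (record number, flagged values) for each suspicious record."""
    results = ((n, suspicious(*rec)) for n, rec in enumerate(records, 1))
    return [(n, values) for n, values in results if values]
```

On an unpatched deployment the same predicate can serve as a request filter in front of the application until the upgrade to 9.0 is in place.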
