Exploiting XXE vulnerabilities in AMF libraries
Hello,

AMF (aka "Action Message Format") is a binary format used by Flash applications communicating with server-side components. A few data types supported by AMF deal with XML content (for example the "XML Document" type in AMF0). In 2015, several AMF libraries (including BlazeDS and PyAMF) were identified as vulnerable to XXE (aka "XML External Entity") and SSRF (aka "Server Side Request Forgery") attacks.

I wrote a blog-post detailing:
- server-side exploitation of the PyAMF vulnerability
- server-side exploitation of the BlazeDS vulnerability
- client-side exploitation of the BlazeDS vulnerability

The article also includes a basic AMF client (in Python) used to exploit these vulnerabilities (or interact with AMF gateways at large).

Link: http://www.agarri.fr/kom/archives/2015/12/17/amf_parsing_and_xxe/index.html

Cheers,
Nicolas Grégoire
Bypassing blacklists based on IPy
IPy is a Python class and tools for handling IPv4 and IPv6 addresses and networks (https://github.com/haypo/python-ipy). This library is sometimes used to implement blacklists forbidding internal, private or loopback addresses.

Using octal encoding (supported by urllib2), it is possible to bypass checks based on the result of the iptype() function. For example, the IP address '0177...0001' is considered 'PUBLIC' but resolves to '127.0.0.1' when accessed via urllib2.

Developers were informed, no news since then...

More details on my blog: http://www.agarri.fr/kom/archives/2014/10/15/bypassing_blacklists_based_on_ipy/index.html

Cheers,
Nicolas Grégoire
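The defensive counterpart to the bypass described in this post, as an added example (not code from the post or from the IPy project): canonicalize the address the way the HTTP client's resolver will interpret it (octal, hexadecimal and 1-to-3-component inet_aton spellings are assumed here, which is what urllib2 on glibc accepts), and only then apply the blacklist. The policy used below, allowing only globally routable addresses via ipaddress.is_global, is an assumption chosen for the example.

```python
"""Canonicalize inet_aton-style IPv4 spellings before applying an
address blacklist.  Added example, not code from IPy or the post.

Assumption: the client behind the check accepts classic inet_aton
forms: octal ("0177.0.0.1"), hexadecimal ("0x7f.0.0.1") and short
forms with 1 to 3 components ("0x7f.1", "2130706433").
"""
import ipaddress
import re

# One dotted component, exactly as inet_aton reads it: 0x -> hex,
# leading 0 -> octal, otherwise decimal.  No signs, blanks or underscores.
_HEX = re.compile(r'0[xX][0-9a-fA-F]+')
_OCTAL = re.compile(r'0[0-7]*')
_DEC = re.compile(r'[1-9][0-9]*')


def _parse_component(text):
    if _HEX.fullmatch(text):
        return int(text, 16)
    if _OCTAL.fullmatch(text):
        return int(text, 8)
    if _DEC.fullmatch(text):
        return int(text, 10)
    raise ValueError("invalid IPv4 component: %r" % text)


def canonicalize_ipv4(text):
    """Return the dotted-decimal form the resolver would actually use."""
    parts = text.split('.')
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected 1 to 4 components")
    values = [_parse_component(p) for p in parts]
    # Every component except the last is one octet; the last one fills
    # whatever bits remain (8, 16, 24 or 32).
    for v in values[:-1]:
        if v > 0xFF:
            raise ValueError("component out of range")
    last_bits = 8 * (5 - len(parts))
    if values[-1] >= 1 << last_bits:
        raise ValueError("trailing component out of range")
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << last_bits) | values[-1]
    return str(ipaddress.IPv4Address(number))


def is_allowed_destination(text):
    """Blacklist check on the canonical form.  Only globally routable
    addresses pass; anything the parser rejects is refused as well,
    so an unusual spelling can never slip through as 'PUBLIC'."""
    try:
        addr = ipaddress.IPv4Address(canonicalize_ipv4(text))
    except ValueError:
        return False
    return addr.is_global


if __name__ == "__main__":
    for sample in ("0177.0.0.1", "0x7f.1", "2130706433", "8.8.8.8"):
        print(sample, "->", canonicalize_ipv4(sample),
              "allowed" if is_allowed_destination(sample) else "blocked")
```

The important design choice is the order of operations: the policy decision is made on the canonical address, never on the raw string the user supplied, and a string the canonicalizer cannot parse is treated as blocked rather than as public.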
Vulnerabilities in Apache Solr 4.6.0
Hello,

Apache Solr is a search platform edited by the Apache project. Quoting http://lucene.apache.org/solr/: "its major features include powerful full-text search, hit highlighting, faceted search, near real-time indexing, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search."

Several vulnerabilities were fixed in recent versions of Solr:
- directory traversal when using XSLT or Velocity templates (CVE-2013-6397 / SOLR-4882)
- XXE in UpdateRequestHandler (CVE-2013-6407 / SOLR-3895)
- XXE in DocumentAnalysisRequestHandler (CVE-2013-6408 / SOLR-4881)

These vulnerabilities were confirmed to be exploitable also on old versions like 3.6.2. Gaining remote code execution is easy by combining the directory traversal and XXE vulnerabilities.

If you wonder how these vulnerabilities could be exploited in real life setups when Solr isn't reachable directly from the Internet, you may be interested in the following blog post: http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html

Cheers,
Nicolas Grégoire
Results of a XSLT fuzzing effort
Hello,

I published last week a blog post describing the results of the XSLT fuzzing campaign I did in 2012. Now that most of the discovered vulnerabilities are patched, I've chosen to give away a dozen PoCs regarding Adobe Reader, Microsoft MSXML, Firefox, Webkit, ... Even if you are not into XML technologies, I think that looking at pathological XSLT code may be interesting ;-)

Url of the blog: http://www.agarri.fr/blog/index.html

Cheers,
Nicolas Grégoire
From XSLT code execution to Meterpreter shells
Hello,

In the last weeks, I demonstrated at HackInTheBox Amsterdam and HackInParis a Metasploit module used to gain Meterpreter shells from XSLT vulnerabilities. Given the questions I received, I chose to publish a blog-post explaining the overall concept and some implementation details.

The article is available here: http://www.agarri.fr/blog/

The vulnerable PHP and JSP applications used during the talk are included. Furthermore, the video of the HackInTheBox talk is online: http://www.youtube.com/watch?v=_0mNSAbsRaU

Regards,
Nicolas Grégoire
Re: Triggering Java code from a SVG image
> Did you check if IE, FF or other general browsers can be affected by this?

There's probably some other software implementing this feature, but not browsers (luckily!).

Regards,
Nicolas
Triggering Java code from a SVG image
Hello,

SVG is an XML-based file format for static or animated images. Some SVG specifications (like SVG 1.1 and SVG Tiny 1.2) allow triggering Java code when the SVG file is opened. Given that I had to look at these features for a customer, I developed some PoC code which is now available online:
http://www.agarri.fr/docs/batik-evil.svg
http://www.agarri.fr/docs/batik-evil.jar

I published a more detailed article on my blog: http://www.agarri.fr/blog/

Regards,
Nicolas Grégoire / @Agarri_FR
XEE vulnerabilities in SharePoint (MS11-074) and DotNetNuke
Hello,

Microsoft recently published MS11-074. This bulletin concerns mainly SharePoint (2007 and 2010) but CVE-2011-1892 also applies to Office Groove (client and server), Office Forms Server 2007 and Office Web Apps 2010. The vulnerability is an XML External Entity Reference one, as described in CWE-611 [1]. The vulnerable component is XML Web Part and the following image demonstrates the exploit on a SharePoint 2007 server [2].

DotNetNuke quietly patched this summer a very similar vulnerability in its XML component (v6.0.0 is OK [3]).

As described in Microsoft documentation [4], setting XmlReaderSettings::XmlResolver to NULL is enough to correct this bug.

Simple PoC for SharePoint and DotNetNuke:

-- XML --
<!DOCTYPE doc [
<!ENTITY boom SYSTEM "c:\\windows\\system32\\drivers\\etc\\hosts">
]>
<doc>&boom;</doc>

-- XSL --
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:apply-templates/>
<xsl:value-of select="doc"/>
</xsl:template>
</xsl:stylesheet>

More details, in French, on my blog: http://goo.gl/hptbj

[1] http://cwe.mitre.org/data/definitions/611.html
[2] http://www.agarri.fr/docs/shpt-xee.png
[3] http://dnnxml.codeplex.com/releases/view/62862
[4] http://msdn.microsoft.com/en-us/library/ms172415.aspx

Regards,
Nicolas Grégoire / Agarri
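Both the AMF post above and this SharePoint / DotNetNuke post come down to the same server-side mistake: XML taken from a request is parsed by a reader that will fetch whatever an external entity points at. The following added example (not code from PyAMF, BlazeDS, Microsoft or the posts) shows the fix on the parsing side in Python: it unwraps an AMF0 "XML Document" value (assumed layout: marker byte 0x0F, big-endian U32 byte length, UTF-8 data) and then parses the XML with external entities disabled, which is the same effect as the XmlResolver = NULL setting mentioned above. The policy of rejecting any DOCTYPE in untrusted input is an assumption of the example, and the entity path in the sample is a placeholder.

```python
"""Decode an AMF0 XML Document value and parse it without ever resolving
an external entity.  Added example, not code from PyAMF, BlazeDS or the
posts it illustrates.

Assumptions: AMF0 marks an XML Document with 0x0F followed by a U32
big-endian length and UTF-8 bytes; untrusted input may not carry a
DOCTYPE at all, and as a second layer the SAX parser is told not to
load external general or parameter entities.
"""
import io
import re
import struct
import xml.sax
import xml.sax.handler

AMF0_XML_DOCUMENT = 0x0F
_DOCTYPE = re.compile(rb'<!DOCTYPE', re.IGNORECASE)


def decode_amf0_xml_document(buf, offset=0):
    """Return (xml_bytes, next_offset) for the XML Document value at offset.
    The declared length is checked against the buffer, never trusted."""
    if len(buf) < offset + 5:
        raise ValueError("truncated AMF0 value")
    marker = buf[offset]
    if marker != AMF0_XML_DOCUMENT:
        raise ValueError("expected XML Document marker 0x0F, got 0x%02x" % marker)
    (length,) = struct.unpack_from('>I', buf, offset + 1)
    start = offset + 5
    end = start + length
    if end > len(buf):
        raise ValueError("declared length exceeds buffer")
    return bytes(buf[start:end]), end


def encode_amf0_xml_document(xml_bytes):
    """Build an AMF0 XML Document value; used here to construct sample input."""
    return bytes([AMF0_XML_DOCUMENT]) + struct.pack('>I', len(xml_bytes)) + xml_bytes


class _TextCollector(xml.sax.handler.ContentHandler):
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def has_doctype(xml_bytes):
    return _DOCTYPE.search(xml_bytes) is not None


def parse_untrusted_xml(xml_bytes, reject_doctype=True):
    """Return the character data of the document.  Nothing outside the
    document is fetched: an external entity reference expands to nothing."""
    if reject_doctype and has_doctype(xml_bytes):
        raise ValueError("DOCTYPE not allowed in untrusted XML")
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return ''.join(collector.parts)


def process_amf0_xml_value(buf):
    """What an AMF gateway should do with an incoming XML Document value."""
    xml_bytes, _ = decode_amf0_xml_document(buf)
    return parse_untrusted_xml(xml_bytes)


# Constructed samples: the PoC shape from the post with a placeholder path,
# and a harmless document.
POC_XML = (b'<!DOCTYPE doc [<!ENTITY boom SYSTEM "file:///placeholder/hosts">]>'
           b'<doc>&boom;</doc>')
SAFE_XML = b'<doc>hello</doc>'

if __name__ == "__main__":
    print(process_amf0_xml_value(encode_amf0_xml_document(SAFE_XML)))
    try:
        process_amf0_xml_value(encode_amf0_xml_document(POC_XML))
    except ValueError as exc:
        print("rejected:", exc)
```

Two layers are deliberate: the DOCTYPE check gives a loud, loggable rejection for input that has no business carrying a DTD, and the disabled resolver guarantees that even a document which somehow reaches the parser cannot read a local file or make a request.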
[Tool] DoS for OpenSLP (and others)
Hello!

SLP (Service Location Protocol) is defined by RFC 2165 and RFC 2608. OpenSLP (the reference implementation) and other SLP software (like mSLP) are vulnerable to a denial of service (CVE-2010-3609 aka CERT VU#393783). The affected software includes VMware ESX and ESXi, Novell eDirectory, several SAN manufacturers, some Linux distributions, ...

Here's a PoC triggering this vulnerability via either unicast (TCP or UDP), broadcast or multicast: http://www.agarri.fr/docs/SLPick.py

More details (in French) on my blog: http://goo.gl/s0zHq

Regards,
Nicolas Grégoire / Agarri
SFCB vulnerabilities
[=] Product overview

SBLIM SFCB is an Open Source implementation of a WBEM CIM broker. WBEM is a set of technologies aimed at monitoring and administering (large) pools of computing resources, applications and hardware. It's used by computer management tools like HP Systems Insight Manager, VMware vSphere or IBM Director. SFCB usually listens on TCP ports 5988 (HTTP) or 5989 (HTTPS) and is used in many Linux distributions and some VMware / Dell products.

[=] Vulnerabilities

* CVE-2010-1937 (SFCB bug #3001896): pre-auth remote heap overflow using a forged Content-Length header

When parsing a HTTP request, SFCB will use any positive Content-Length value to allocate a buffer. Then, memcpy tries to copy the user-provided POST data into this buffer. By sending a small value in the Content-Length header and more data in the POST body, it's possible to overflow the previously allocated heap buffer.

Vulnerable versions: up to 1.3.7

* CVE-2010-2054 (SFCB bug #3001915): pre-auth remote integer overflow using a forged Content-Length header

If the configuration option httpMaxContentLength is explicitly set to 0, SFCB will only check that the Content-Length value is positive and lower than UINT_MAX and use it (adding 8) to allocate a buffer. Then, memcpy tries to copy the user-provided POST data into this buffer. By sending a value between UINT_MAX-7 and UINT_MAX-1, it is possible to overflow a buffer of size 1 to 7.

Vulnerable versions: from 1.3.4 to 1.3.7

[=] Note about VMware products

VMware ESXi 3.5, ESXi 4 and ESX 4 are running by default a modified version of SFCB (v1.3.3 in ESX 4). However they were tested as not vulnerable:
- CVE-2010-1937 has been silently patched in VMware products
- CVE-2010-2054 doesn't affect versions lower than 1.3.4

[=] Mitigating factors

None:
- SSL authentication isn't used by SFCB
- bugs are triggered before any HTTP-layer credential check
- POST and M-POST are the default methods used by WBEM

[=] Vectors

These vulnerabilities can be triggered by default on port TCP/5988 (HTTP) or TCP/5989 (HTTPS), using POST or M-POST requests.

[=] Solution

Upgrade to version 1.3.8

[=] Links

SBLIM SFCB: http://sourceforge.net/apps/mediawiki/sblim/index.php?title=Sfcb
WBEM: http://en.wikipedia.org/wiki/Web-Based_Enterprise_Management
CVE-2010-1937: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1937
CVE-2010-2054: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2054
SFCB bug #3001896: http://sourceforge.net/tracker/?func=detail&aid=3001896&group_id=128809&atid=712784
SFCB bug #3001915: http://sourceforge.net/tracker/?func=detail&aid=3001915&group_id=128809&atid=712784

Regards,
Nicolas Grégoire / Agarri
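The two SFCB bugs are both missing checks on the same header value: the body copy was never bounded by the allocation (CVE-2010-1937), and the allocation size was computed from Content-Length + 8 without noticing that the sum can wrap in 32-bit unsigned arithmetic (CVE-2010-2054). The following is an added example, written in Python as a model of the checks a C request parser needs, and not SFCB code; the 8-byte slack and the meaning of httpMaxContentLength == 0 as "no configured limit" are taken from the advisory, everything else is an assumption of the example.

```python
"""Model of the Content-Length validation SFCB 1.3.8 needed, as an added
example (not SFCB code).  Sizes are treated as the 32-bit unsigned
values a C implementation would use.

Assumptions: 8 bytes of slack are added to every allocation, and
httpMaxContentLength == 0 means no configured limit.
"""
UINT_MAX = 0xFFFFFFFF
ALLOC_SLACK = 8


def wrapped_allocation_size(content_length):
    """What an unchecked 32-bit addition produces: (length + 8) mod 2**32.
    For lengths just below UINT_MAX this is a handful of bytes."""
    return (content_length + ALLOC_SLACK) & UINT_MAX


def allocation_size(content_length, http_max_content_length=0):
    """Return the buffer size to allocate, or raise ValueError.

    CVE-2010-2054 arose because, with httpMaxContentLength=0, the only
    check was 0 < Content-Length < UINT_MAX; the wrap is tested here
    before the size is ever used.
    """
    if content_length < 0 or content_length > UINT_MAX:
        raise ValueError("Content-Length out of range")
    if http_max_content_length > 0 and content_length > http_max_content_length:
        raise ValueError("Content-Length above httpMaxContentLength")
    if content_length > UINT_MAX - ALLOC_SLACK:
        raise ValueError("allocation size would wrap")
    return content_length + ALLOC_SLACK


def read_post_body(content_length_header, body, http_max_content_length=0):
    """Copy a received POST body into a fresh buffer only if it fits.

    CVE-2010-1937 arose because memcpy copied the whole received body
    into a buffer sized from the header.  Here a body that does not
    match the header is rejected and the copy length is bounded by the
    allocation by construction.
    """
    try:
        content_length = int(content_length_header, 10)
    except ValueError:
        raise ValueError("malformed Content-Length")
    size = allocation_size(content_length, http_max_content_length)
    if len(body) != content_length:
        raise ValueError("body length %d does not match Content-Length %d"
                         % (len(body), content_length))
    buf = bytearray(size)
    buf[:content_length] = body
    return bytes(buf[:content_length])


if __name__ == "__main__":
    # Constructed requests: one well-formed, one with a body longer than
    # the header claims, one with a header value that wraps.
    print(read_post_body("5", b"hello"))
    for header, body in (("5", b"hello world"), (str(UINT_MAX - 3), b"")):
        try:
            read_post_body(header, body)
        except ValueError as exc:
            print("rejected:", exc)
```

On the detection side, a Content-Length value within 8 of UINT_MAX on port 5988/5989, or a request whose body is longer than its declared Content-Length, has no legitimate WBEM use and is a reasonable thing to alert on.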