Pre-authentication XXE vulnerability in the Services Drupal module
Security advisory
24/04/2015
Renaud Dubourguais
www.synacktiv.com
14 rue Mademoiselle 75015 Paris
1. Vulnerability description
1.1. The Services Drupal module
From the Drupal website (https://www.drupal.org/project/services), the Services module is:
“A standardized solution of integrating external applications with Drupal. Service callbacks may be used with multiple interfaces like REST, XMLRPC, JSON, JSON-RPC, SOAP, AMF, etc. This allows a Drupal site to provide web services via multiple interfaces while using the same callback code.”
The Services module can be configured to enable REST endpoints. The REST handler can deal with JSON messages, PHP serialized objects and also XML messages.
1.2. The issue
We discovered that the function handling XML REST requests does not disable external entity loading when parsing XML
messages sent by remote users. If a user sends crafted XML messages referencing external resources such as local files,
the XML parser will load them during the message processing. Using several tricks, the remote user can read local files.
In addition, we discovered that authentication and user rights are checked after processing the message. Consequently, the
vulnerability can be triggered without being authenticated.
A successful exploitation could allow anyone to read arbitrary files on the remote file system, including the Drupal settings.php file.
1.3. Affected versions
To be vulnerable, the remote system must comply with the following pre-requisites:
• Drupal 7.x
• Services module 3.x
• PHP compiled with libxml2 prior to 2.9.0
• 1 REST endpoint configured with 1 resource allowing data modification (create, delete, modify, etc.)
The RESTWS module prior to 2.4 is also affected by the same issue.
Notice that some changes in the libxml2 behavior are indirectly fixing the vulnerability. They have been committed on the 23rd of July 2012 and integrated into libxml2 2.9.0. This version has been published on the 11th of September 2014 to fix a part of the vulnerability CVE-2014-3660.
https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f
Concerning Ubuntu, this commit has been backported in version 2.7.8.dfsg-5.1ubuntu4 for 12.04 Precise releases.
1.4. Mitigation
The RESTWS module has been fixed on the 16th of April 2015, in the version 2.4 (https://www.drupal.org/node/2472449).
Concerning the Services module, no fix has been released yet. The only way to fix the issue is to use a libxml with a version greater than 2.9.0.
1.5. Timeline
Date        Action
04/06/2014  Vulnerability discovered in the Services module during a travel to the SSTIC security conference in Rennes
11/09/2014  Changes in libxml2 prevent exploitation of the vulnerability
23/03/2015  Security report to the Drupal Security Team
02/04/2015  Discovered that the exploit is working on the RESTWS module
06/04/2015  Security fix for the Services module is released in the private Drupal ticketing service
07/04/2015  Security fix for the RESTWS is released in the private Drupal ticketing service
09/04/2015  As libxml2 indirectly fixes the issue in current Linux distributions, the Drupal Security team decides not to publish a security advisory, thus ignoring Windows systems using for example Acquia Drupal
16/04/2015  RESTWS is silently patched without a security advisory (“Disable XML entity loading which is not needed”)
24/04/2015  Public vulnerability disclosure
2. Technical description and proof-of-concept
2.1. Setting up a vulnerable environment
2.1.1. Operating system and libxml2 library
Several operating systems still use libxml2 in a version prior to 2.9.0. Notice that most of them have indirectly patched the vulnerability by backporting the previous patch in their repositories (Debian, Ubuntu, Red Hat, CentOS, etc.). However, all systems using a libxml2 prior to 2.9.0 coming from the official website (http://www.xmlsoft.org/) instead of the system's repositories are vulnerable.
For example, we successfully exploited the vulnerability on Windows systems including Acquia Drupal, which is
recommended by the Drupal official website (https://www.drupal.org/documentation/install/windows).
2.1.2. Drupal configuration
By default, an attacker can't exploit the vulnerability as Drupal has to be configured to use the module to be vulnerable. First of all, the Services module has to be installed (https://www.drupal.org/project/services). Next, the module must be configured by using the module's Configure option:
From this menu, a REST endpoint must be created. It can be performed by accessing the Add menu and filling in the following form:
Once created, the endpoint must be configured through the Edit Resources menu. For example, node retrieval and creation can be allowed (we just need a resource callable with a POST request, such as a creation or an update feature):
The URL http://<yoursite>/?q=test/node can be used to retrieve and create a Drupal node. GET requests allow node retrieval and POST requests allow node creation. Of course, POST requests are authenticated, but as we'll see, this doesn't prevent an unauthenticated user from exploiting the vulnerability.
2.2. Vulnerable code and exploitation
2.2.1. Vulnerability discovery
The vulnerability is located in the ServicesParserXML class (services/servers/rest_server/includes/ServicesParser.inc). When an XML request is sent to a REST endpoint, the method parse(ServicesContextInterface $context) of this class is called. This method aims to parse the XML message and return an array:
class ServicesParserXML implements ServicesParserInterface {
  public function parse(ServicesContextInterface $context) {
    // get/hold the old error state
    $old_error_state = libxml_use_internal_errors(1);
    // clear all libxml errors
    libxml_clear_errors();
    // get a new SimpleXmlElement object from the XML string
    // (external entity loading is not disabled before this call, so a libxml2
    // prior to 2.9.0 resolves entities referencing local files or URLs)
    $xml_data = simplexml_load_string($context->getRequestBody());
    // if $xml_data is Null then we expect errors
    if (!$xml_data) {
      // build an error message string
      $message = '';
      $errors = libxml_get_errors();
      foreach ($errors as $error) {
        $message .= t('Line @line, Col @column: @message', array('@line' => $error->line,
          '@column' => $error->column, '@message' => $error->message)) . "\n\n";
      }
      // clear all libxml errors and restore the old error state
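The following is an added example, not code from the advisory or from the Services module. It shows how the parse step above can be hardened against the issue described in section 1.2 independently of the libxml2 version prerequisite of section 1.3: request bodies carrying a DTD are rejected before parsing (the REST payloads never need one, and an external entity can only be declared inside one), and libxml's external entity loader is switched off around the simplexml_load_string() call, which is the same measure the RESTWS fix describes. The function names, the version helper and the two sample bodies are constructed for this example; it assumes PHP 7 with the libxml extension (libxml_disable_entity_loader() is deprecated in PHP 8, where libxml2 2.9+ already leaves external entities unloaded by default).

```php
<?php
// Added example, not part of the advisory or of the Services module.
// Assumes PHP 7 with the libxml extension; function names are constructed.

// True when the installed libxml2 still resolves external entities by default,
// i.e. it predates the 2.9.0 change the advisory refers to in section 1.3.
function libxml_loads_external_entities_by_default(): bool {
    return version_compare(LIBXML_DOTTED_VERSION, '2.9.0', '<');
}

// Hardened replacement for the parse step: returns a SimpleXMLElement or null.
function parse_xml_request_safely(string $body) {
    // The REST payloads handled here never carry a DTD, and an entity can only
    // be declared inside one, so refuse such a body instead of parsing it.
    if (preg_match('/<!DOCTYPE/i', $body)) {
        return null;
    }
    // Stop libxml from fetching any external resource while we parse, whatever
    // the library version (deprecated in PHP 8, where this is already the default).
    $old_loader = libxml_disable_entity_loader(true);
    $old_errors = libxml_use_internal_errors(true);
    libxml_clear_errors();
    // LIBXML_NONET forbids network access during parsing; LIBXML_NOENT is
    // deliberately absent, so entity references are left unexpanded.
    $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    // restore the previous error and loader state before returning
    libxml_clear_errors();
    libxml_use_internal_errors($old_errors);
    libxml_disable_entity_loader($old_loader);
    return $xml === false ? null : $xml;
}

// Constructed sample bodies for a node-creation request (not taken from the advisory).
$benign = '<?xml version="1.0"?><node><title>hello</title><type>page</type></node>';
$with_dtd = '<?xml version="1.0"?><!DOCTYPE node [<!ENTITY greeting "hi">]>'
          . '<node><title>&greeting;</title></node>';

$parsed = parse_xml_request_safely($benign);
echo 'benign body parsed: ' . ($parsed !== null ? (string) $parsed->title : 'rejected') . "\n";
echo 'body with DTD: ' . (parse_xml_request_safely($with_dtd) === null ? 'rejected' : 'parsed') . "\n";
echo 'libxml ' . LIBXML_DOTTED_VERSION . ', external entities loaded by default: '
   . (libxml_loads_external_entities_by_default() ? 'yes' : 'no') . "\n";
```

Run with the PHP CLI: the benign body yields the node title, the body carrying a DTD is rejected, and the last line reports whether the linked libxml2 is one of the versions the advisory lists as affected. Rejecting the DTD up front is the part worth keeping even on a patched libxml2, since it removes the whole class of entity tricks rather than relying on the library default.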