lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAJ5ndowz5eQMfc=yH14C98zggotPJ3boLmSaWz05C75uZD1ONQ@mail.gmail.com>
Date: Thu, 15 Oct 2015 15:28:12 +0900
From: Takeshi Terada <mbsdtest01@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CakePHP Xml class SSRF Vulnerability

=============================================================================
Title : CakePHP Xml class SSRF Vulnerability
CVE Number : N/A (not assigned)
Affected Software : Confirmed on CakePHP v3.0.5 (prior versions may
also be affected)
Credit : Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
http://www.mbsd.jp/
Issue Status : v3.0.6/2.6.6 was released which fixes this issue
=============================================================================

Overview:
-----------------------------------------------------------------------------
  CakePHP is an open-source web application framework for PHP.
  CakePHP (v3.0.5) was confirmed to be vulnerable to SSRF (Server Side
  Request Forgery) attacks. Remote attacker can utilize it for at least
  DoS (Denial of Service) attacks, if the target application accepts
  XML as an input. It is caused by insecure design of Cake's Xml class.

Details:
-----------------------------------------------------------------------------
  Here is an abstract from Cake\Utility\Xml.php (v3.0.3).

   96: public static function build($input, array $options = [])
   97: {
       ....
  104:     if (is_array($input) || is_object($input)) {
  105:         return static::fromArray($input, $options);
  106:     }
  107:
  108:     if (strpos($input, '<') !== false) {
  109:         return static::_loadXml($input, $options);
  110:     }
  111:
  112:     if (file_exists($input)) {
  113:         return static::_loadXml(file_get_contents($input), $options);
  114:     }

  The problematic part is line 112-114, where $input is treated as a
  URL (file path) and the method tries to fetch the content of the URL,
  if it does not contain any '<' character.

  Therefore, if values such as those shown below are given to it,
  the application will block.

  1. file:///dev/random
     -> blocks permanently (until so much entropy supplied)

  2. /dev/urandom
     -> blocks until hitting memory limit

  3. ftp://very_slow_host/a
     -> blocks until socket timeout

  Attackers can exhaust MaxClients (on Apache), just by sending
  the number of requests with these values instead of normal XML.

  CakePHP seems to accept XML inputs when RequestHandlerComponent,
  which is designed to handle XHR requests that may contain XML or
  JSON in their body, is enabled.

  http://book.cakephp.org/3.0/en/development/rest.html
  http://book.cakephp.org/3.0/en/controllers/components/request-handling.html

  When the component is enabled and a request has necessary headers
  (Content-Type and X-Requested-With), raw body of the request is
  passed to Xml::build() directly (i.e. without validation), which
  can obviously be used for attacks.

  However, it seems hard to successfully conduct other types of
  attack than DoS, because there are some hurdles for attackers.
  Firstly, usual web applications are unlikely to return the full
  request data. This means there is very little opportunity for file
  theft attacks, regardless of whether the target file is XML or not.
  The second hurdle is file_exists() check in line 112, which results
  in URLs with interesting schemes like "expect" and "http" being
  rejected.

  But still DoS and timing attacks like internal network scan using
  ftp URL's are possible. Additionally, in CakePHP v2, attackers can
  also use http(s) URLs for such attacks, as Cake2 accepts URLs with
  these schemes.

Timeline:
-----------------------------------------------------------------------------
  2015/05/27  Reported to CakePHP Security ML
  2015/05/29  Vender announced v3.0.6 & 2.6.6
  2015/10/15  Disclosure of this advisory

Recommendation:
-----------------------------------------------------------------------------
  Upgrading to the latest versions is recommended, if your app
  accepts XML data, as stated in the release note.

  https://github.com/cakephp/cakephp/releases/tag/3.0.6

  One thing I think should be noted is that the default behavior
  of the method (Xml::build()) was kept as it had been, in order to
  avoid compatibility problems.

  https://github.com/cakephp/cakephp/commit/2cde19f24c3679e8162e3abbce73818a8b0c02a0

  This means you need to modify your program, if you pass untrusted
  data to the method in your own program code to deal with XML.
  Technically, specifying a newly created option (readFile = false)
  for the method disables URL loading feature, thus can prevent DoS
  and other relevant attacks. See the URL above (github commit log)
  for details.

-- 
Takeshi Terada
Mitsui Bussan Secure Directions, Inc.
http://www.mbsd.jp/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ