• Aucun résultat trouvé

What should a hacker know about WebDav? Vulnerabilities in various WebDav implementations

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "What should a hacker know about WebDav? Vulnerabilities in various WebDav implementations"

Copied!
18
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

What should a hacker know about WebDav?

Vulnerabilities in various WebDav implementations

Mikhail Egorov

(2)

Short BIO – Mikhail Egorov

▶ Application Security Engineer at Odin [ http://www.odin.com ]

▶ Security researcher and bug hunter

▶ Graduated from BMSTU with MSc. in Information Security [ IU8 ]

▶ Holds OSCP and CISSP certificates

▶ See my blog [ http://0ang3el.blogspot.com ]

(3)

WebDav is complex

▶ Many standards that prescribes how to implement various WebDav methods

RFC 4918, RFC 3253, RFC 3648, RFC 3744, RFC 5323, RFC 4437, RFC 5842

▶ Many WebDav methods

OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE, COPY, MOVE, PROPPATCH, PROPFIND, MKCOL, LOCK, UNLOCK, SEARCH, BIND, UNBIND, REBIND, MKREDIRECTREF, UPDATEREDIRECTREF, ORDERPATCH, ACL, REPORT

▶ Different Webdav implementations

(4)

Generic approach

▶ Try various XXE attacks

▶ Issue OPTIONS requests and see what “interesting” methods are supported by WebDav library

▶ Try attack that follows from security considerations section of RFCs and

“common sense” for all “interesting” methods

▶ Observe source code, if available, to find various implementation flaws

(5)

WebDav XXE attacks

▶ Methods PROPPATCH, PROPFIND, LOCK, etc. accept XML as input

▶ Especially Java implementations are vulnerable 

(6)

Apache Jacrabbit WebDav XXE

▶ CVE-2015-1833 [ http://www.securityfocus.com/archive/1/535582 ]

▶ Exploit code [ https://www.exploit-db.com/exploits/37110/ ]

▶ Video PoC [ https://www.youtube.com/watch?v=Hg3AXoG89Gs ]

(7)

Milton WebDav XXE

▶ CVE-2015-7326 [ http://www.securityfocus.com/archive/1/536813 ]

(8)

cloudme.com XXE

CloudMe is a secure European service that makes your life a little bit easier.

With CloudMe you don’t have to think twice about where your files are, they’re always with you …

▶ https://webdav.cloudme.com is vulnerable WebDav endpoint

(9)

Apache Sling OOXML parsing XXE

▶ Apache Tika OSGi bundle to parse documents

▶ Apache POI is used to parse OOXML documents

▶ Apache POI library XXE [ https://access.redhat.com/security/cve/CVE-2014-3529 ]

(10)

Apache Jackrabbit WebDav CSRF

▶ JCR-3909 [ https://issues.apache.org/jira/browse/JCR-3909 ]

▶ POST request is allowed and treated as PUT

▶ There is Refer-based CSRF protection, but empty Referer bypasses it

Could be used to mount XXE attack for systems in the internal network!

(11)

Exploiting WebDav XXE tricks

▶ Create resource

PUT /resource HTTP/1.1 Hack

▶ Write content of the file to a property of the resource with PROPPATCH method

PROPPATCH /resource HTTP/1.1

<?xml version=“1.0” encoding=“UTF-8”?>

<!DOCTYPE propertyupdate [

<!ENTITY loot SYSTEM “file:///etc/passwd”> ]>

<D:propertyupdate xmlns:D=“DAV:”><D:set><D:prop>

<a xmlns=“http://this.is.xxe.baby”>&loot;</a>

</D:prop></D:set></D:propertyupdate>

(12)

Exploiting WebDav XXE tricks

▶ Read property with content of the file with PROPFIND method

PROPFIND /resource HTTP/1.1

<?xml version=“1.0” encoding=“UTF-8”?>

<propfind xmlns=“DAV:”><prop>

<q:a xmlns:q=“http://this.is.xxe.baby”/>

</prop></propfind>

(13)

Exploiting WebDav XXE tricks

▶ OOB XXE will work with any method that supports XML input

When general external entities are prohibited

▶ SSRF attack will work with any method that supports XML input

When only external DTDs are allowed

(14)

Milton WebDav AUTHN bypass

Cookie AUTHN [ preferred method in Windows, from Win7 ]

miltonUserUrl=/users/admin/;Path=/;Expires=Thu, 06-Mar-2014 20:55:23 GMT;Max-Age=31536000

miltonUserUrlHash=0.884150694443924:9c74dc9fb62c2926c911ce07b5e7dcb2;Path=/;Expires=Thu, 06-Mar-2014 20:55:23 GMT;Max-Age=31536000;HttpOnly

Cookie is signed using HMAC-SHA1

key is in keys.txt file stored in java.io.tmpdir directory

Path traversal in Destination header of MOVE and COPY requests

http://127.0.0.1:8080/../../../../../../../../../../_DAV/HACK/tmp

We can overwrite keys.txt file

After app server restart we can craft valid cookies

(15)

Confluence WebDav DoS attack

▶ Based on Apache Jackrabbit WebDav code

▶ Supports Depth: infinity header in PROPFIND request

▶ Allows DOCTYPE declaration

Billion Laughs like attack, but with limited number [ 64000 ] of entity expansions, is possible

▶ Xerces-J library vulnerable to CVE-2013-4002 have been used

https://jira.atlassian.com/browse/CONF-37991

(16)

Yandex.Disk invalidated redirect

▶ WebDav access to Yandex.Disk – http://webdav.yandex.ru

▶ Supports MKREDIRECTREF request

▶ It is possible to create resource that will redirect the victim from Yandex.Disk to arbitrary site

MKREDIRECTREF /good.txt HTTP/1.1 Host: webdav.yandex.ru

<?xml version="1.0" encoding="utf-8" ?>

<D:mkredirectref xmlns:D="DAV:">

<D:reftarget>

<D:href>http://evil.com</D:href>

</D:reftarget>

</D:mkredirectref>

(17)

Takeaways

▶ WebDav is a complex protocol, it extends attack surface of your system

▶ WebDav-related RFCs have security considerations parts, unfortunately, many WebDav implementations ignore security considerations

▶ WebDav libraries in Java suffers from XXE issues, because most XML parsers in Java are insecure in default configuration

(18)

Questions?

? ? ?

Références

Télécharger maintenant ( PDF - 18 Page - 0.99 MB )

Documents relatifs

Protocole des collections ordonnée des auteurs et des versions distribuées sur la Toile (WebDAV)

Comme plusieurs changements peuvent être demandés dans une seule demande ORDERPATCH, le serveur DOIT retourner une réponse 207 (Multi-Status) (définie dans la [RFC2518]) contenant

Extensions de versions à WebDAV (Protocole de collecte ordonnée desauteurs et des versions distribuée sur la Toile)

(DAV:one-baseline-controlled-collection-per-history-per-workspace) : Si l'URL de demande identifie un espace de travail ou un membre d'un espace de travail, et si une ligne de base

Extensions de HTTP pour la rédaction distribuée(WEBDAV)

Si une ressource, source ou destination, se trouvant à l'intérieur du champ d'application de la méthode ayant un en-tête Depth est verrouillée de telle manière que la méthode

Extensions de HTTP pour la rédaction distribuée(WEBDAV)

Si une ressource, source ou destination, se trouvant à l'intérieur du champ d'application de la méthode ayant un en-tête Depth est verrouillée de telle manière que la méthode

Security Considerations for Tablet-based eHealth Applications

are either used alone or as an integrated part of several different assessment tools [10, 11].The McGill pain questionnaire can be used for follow up on pain management or to

Abstract All RFCs are required to have a Security Considerations section

Note: In general, the IESG will not approve standards track protocols which do not provide for strong authentication, either internal to the protocol or through tight binding to

Many security problems can be traced to improper implementations

Insisting that certain mechanisms are mandatory to implement means that those end-users who need the protocol provided by the security mechanism have it available when

Protocol elements are defined to let clients and servers specify the datatype, and to instruct the WebDAV method PROPFIND to return datatype information

Although servers must support XML content in property values, it may be desirable to persist values as scalar values when possible and to expose the data’s type when the