... Loading ...

SSD Secure Disclosure

Disclosing vulnerabilities responsibly since 2007
Dark Theme

SSD Advisory – ZendXml Multibyte Payloads XXE/XEE

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
ZendXml is a utility component for XML usage and best practices in PHP.
Vulnerability Details
The XML standard defines a concept of an external entites. XXE (XML eXternal Entity) attack is an attack on an application that parses XML input from untrusted sources using incorrectly configured XML parser. The application may be forced to open arbitrary files and/or network resources. Exploiting XXE issues on PHP applications may also lead to denial of service or in some cases (for example, when an ‘expect’ PHP module is installed) lead to command execution.
An independent security research of Zend Framework revealed that it is possible to bypass XXE security controls within the framework in case when the PHP application using Zend XML related classes (e.g Zend_XmlRpc_Server, Zend_Feed, Zend_Config_Xml etc.) from Zend Framework (including the latest version) is served via PHP FPM. Bypassing the controls may allow XXE attacks and lead to the aforementioned exploitation possibilities on systems where the XML parser is set to resolve entities.

Vulnerable Code
The security controls within the Zend Framework mitigate the XXE attack vectors by first calling libxml_disable_entity_loader(), and then looping through the DOMDocument nodes testing if any is of type: XML_DOCUMENT_TYPE_NODE If so, an exception is raised and PHP script execution is halted.
These controls have been included in the scan() function of a Zend_Xml_Security class located in the following paths depending on the code branch of Zend Framework:

In case of the latest version of ZendFramework-1.12.13, the relevant code blocks from the scan() function look as follows:

As we can see from the code, the application disables the entity loader (via libxml_disable_entity_loader), it also disables network access (LIBXML_NONET), and it additionally scans provided XML for the presence of XML entities to prevent potential entity expansion attacks. The code successfully prevents most XXE attacks.
However, as the PHP libxml_disable_entity_loader() function was reported to not be thread safe (the entity loader setting could potentially get overwritten between the hits in FPM processes), Zend Framework does not use it when the application is hosted in a PHP-FPM environment. Instead, another approach is taken to prevent the XXE attacks.
In the code above we see the check !self::isPhpFpm() which determines the type of interface between web server and PHP (through the php_sapi_name() function). If the SAPI is FPM-CGI (i.e. PHP-FPM) the following heuristicScan function gets executed:

It validates provided XML by searching for any entity declaration. It throws an exception if it finds one. Although this check cannot be bypassed by simply adding spaces or changing the characters to lower case (an XML parser would reject such declaration as invalid), this security check is nevertheless insufficient.
XML format allows for different types of encoding to be used, hence it is possible to bypass the check by supplying specifically encoded XML content. For example, a UTF-16 encoding which uses 2-byte characters would be enough to bypass the ENTITY string check.
Apart from the ENTITY check, the code also adds the aforementioned LIBXML_NONET parameter to catch entities refering to network resources. This limitation can also be bypassed as shown in the proof of concept exploit.
This makes the Zend Framework vulnerable to XXE injection attacks.
Proof of Concept
Below is a simple PHP application using Zend Framework to implement an XML-RPC server for demonstation:

This test application is hosted on an Apache server with PHP-FPM.

Should return:

In order to exploit the XXE vulnerability contained in the Zend framework an attacker can pass XML data containing external entities similar to:

Feeding the above data to the zend-xmlrpc-server.php script will result in an error:

Which is due to the heuristicScan ENTITy detection.
We can now encode the data to avoid the check.

Hex representation of the UTF-16 encoded XML file (including the change in the xml header to reflect the new encoding) looks as follows:

As can be seen on the hexdump, the ENTITY word is encoded using 2-byte characters.
Resupplying the encoded data contained in poc-utf16.xml to the Zend XMLRPC application, depending on the underlying libxml library, may result in a password file retrieval from the remote server:

If the password file is not returned, an attacker may try another version of an XXE attack using parameter entities and an out-of-band communication. Both of these can be used to exploit the vulnerability in Zend Framework on a greater number of libxml configurations.
Remote command execution may also be possible if the remote system has an ‘expect’ php module (libexpect-php) installed. If this is the case, we can for example execute ‘id’ command via injecting the entity:

Which should return a result similar to:

As mentioned in the description of this vulnerability, the Zend Framework adds a LIBXML_NONET flag to the loadXML() call in order to prevent reaching network resources through XXE.
As a result, requesting a network resource such as via XXE injection will fail.
This can be bypassed by using php://filter wrapper inside an entity, e.g:

This will return a base64 encoded response from the remote server bypassing the LIBXML_NONET restriction:

This vulnerability may also lead to Denial of Service if for example the attacker requests /dev/random file through XXE. This will cause the application to block on the endless input from the random generator pseudo device, until the maximum execution time is reached. Sending multiple requests of such kind would exhaust the maximum number of threads that the web server can create.
The unauthenticated remote exploitation may be possible on applications which make use of Zend_XmlRpc_Server with a public XML-RPC endpoint as demonstrated in this advisory. Authentication in case of XML-RPC is not required for exploitation as the XML needs to be processed first in order for the application to read the credentials passed from the login data within the xml-formatted input.
Zend_XmlRpc_Server is just one of the Zend Framework components that processes XML. There are many more vulnerable classes within the framework such as Zend_Config, SOAP RPC, RSS Feeds etc.
Systems Affected
All systems making use of Zend Framework in versions starting from 1.12.4 and 2.1.6 up to the latest versions of Zend Framework 1.12.13 (released 2015-05-20) and 2.4.2 (released 2015-05-11) contain the XXE injection vulnerability described in this advisory.
All Zend Framework classes making use of XML and calling the vulnerable Zend_Xml_Security::scan() function are affected by this issue. These include the following classes:

The vulnerability can be exploited in applications using vulnerable version of the framework, where PHP code is served with PHP-FPM, and when the xml parser installed in the system is set up to resolves entities.
PHP-FPM can be set up on popular web servers such as Apache, or Nginx on Linux/Unix, as well as Windows systems (as per the ‘fpm on cygwin’ setup guides available on the Internet).
Vulnerable Versions
Zend Framework version 2.4.2 and prior (XML eXternal Entity Injection (XXE) on PHP FPM)
Zend Framework version 1.12.13 and prior
Vendor Response
Zend have released a patch for this vulnerability, more information about it can be found here: ZF2015-06: XXE/XEE vector when using ZendXml on multibyte payloads

Print Friendly, PDF & Email

Leave a Reply