Exploits / Vulnerability Discovered : 2018-09-13 |
Type : webapps |
Platform : windows
This exploit / vulnerability Apache syncope 2.0.7 remote code execution is for educational purposes only and if it is used you will do on your own risk!
# Vulnerability 1: Remote code execution by users with report and template privileges
# Description: A user with access to the Reports and Templates functionality can use XSL Transformations (XSLT)
# to perform malicious operations, including but not limited to file read, file write, and code execution.
# Apache Syncope uses XSLT to export report data into various formats. An attacker can perform malicious
# operations by crafting a XSL template, binding the template to a report, executing, then exporting the report.
# The following XSL can be used to read the Syncope security.properties file or execute the Windows
# calc program, respectively.
# Vulnerability 2: Information disclosure via FIQL and ORDER BY sorting
# Description: A user with entitlements to the /syncope/rest/users endpoint can recover sensitive
# security values using the fiql and orderby parameters.
# By default, Apache Syncope prevents sensitive values from being returned when querying
# the /syncope/rest/users endpoint. Fields such as securityAnswers or password will always return null.
# However the results returned can be filtered or sorted based on sensitive fields. By measuring how
# the results are returned the values of the desired fields can be successfully recovered. The fiql parameter
# can be used to recover full security answers, and the orderby parameter can be used to recover
# full security answers and partial information about password hashes.
# The fiql parameter allows filtering based on user attributes, including a user's security answer.
# By using FIQL filters (i.e. "securityAnswer==a*", "securityAnswer==b*", etc...) a user's
# securityAnswer can be recovered one letter at a time.
# The orderby parameter allows sorting based on user attributes, including a user's security
# answer and password. The following example shows how orderby sorting can be exploited.
# User Bob exists with the security answer "test". A malicious user creates a user Alice with the
# security answer "ta". The malicious actor then calls the /syncope/rest/users endpoint with orderby=securityAnswer".
# By sorting using the "securityAnswer" attribute, the result will have Alice sorted ahead of Bob,
# due to the value "ta" being before the value "test". By sequentially changing Alice's security
# question and comparing the sorted result, Bob's security answer can be recovered one letter
# at a time. A similar technique can be used to reveal partial information about user password hashes.
Orderby Example Results:
Alice's security answer, Order of results returned
ta, [Alice, Bob]
tb, [Alice, Bob]
tc, [Alice, Bob]
td, [Alice, Bob]
te, [Alice, Bob]
tf, [Bob, Alice]
tea, [Alice, Bob]
teb, [Alice, Bob]