Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is pysaml2 affected by CVE-2017-11427? #497

Closed
johnwheeler opened this issue Feb 27, 2018 · 5 comments
Closed

Is pysaml2 affected by CVE-2017-11427? #497

johnwheeler opened this issue Feb 27, 2018 · 5 comments

Comments

@johnwheeler
Copy link

Hello,

Just a quick sanity check to ensure pysaml2 isn't affected by the SAML vulnerabilities announced:

https://www.kb.cert.org/vuls/id/475445

The note does not mention pysaml2, but it would be great to hear it from the horse's mouth.

I apologize if this is not the appropriate venue for this type of query.

John
@johnwheeler johnwheeler changed the title Is pysaml2 affected by CVE-2017-11428? Is pysaml2 affected by CVE-2017-11427? Feb 27, 2018
@logston
Copy link

logston commented Feb 27, 2018
edited

I think so.

If I understand what I think I do...

StatusResponse (which is subclassed by AuthnResponse here gets its signature_check method from self.sec.correctly_signed_response here.

This, in turn, calls samlp.any_response_from_string here

pysaml2/src/saml2/sigver.py

Line 1710 in 86cf3a4

def correctly_signed_response(self, decoded_xml, must=False, origdoc=None,

That in turn calls response_from_string here

pysaml2/src/saml2/samlp.py

Line 1843 in fd7a4f6

for func in [status_response_type__from_string, response_from_string,

That in turn calls saml2.create_class_from_xml_string(Response, xml_string) here

pysaml2/src/saml2/samlp.py

Line 1620 in fd7a4f6

return saml2.create_class_from_xml_string(Response, xml_string)

That in turn calls defusedxml.ElementTree.fromstring(xml_string) here

pysaml2/src/saml2/__init__.py

Line 91 in 847e970

tree = defusedxml.ElementTree.fromstring(xml_string)

... which is the same library that OneLogin/python-saml had to patch here:

SAML-Toolkits/python-saml@fad881b

I think direct access of attributes on this DOM are risky.

Instead, something like etree.strip_tags(node, etree.Comment) needs to be done for each text node in the DOM. See: SAML-Toolkits/python-saml@fad881b#diff-7b29e1b5445a77441bbcbbd2b1b1bfd5R161

@bqumsiyeh
Copy link

I've been trying to reproduce, but I have not been able to yet. From what I can tell, the comments are stripped out appropriately.

In my local environment, I intercepted the SAML Response, and injected the comment in the user value. Here is a simple version of the POC:

...
# Get the SAMLResponse from the request
saml_response = request.POST['SAMLResponse']

# Base64 decode the SAML Assertion
decoded_saml_response = base64.b64decode(saml_response).decode('utf-8')

# Spoof the user
spoofed = decoded_saml_response.replace('user@user.com.evil.com', "user@user.com<!---->.evil.com")

# Encode back to base64
spoofed_saml_response = base64.b64encode(spoofed.encode('utf-8')).decode('utf-8')

# Parse and verify, as usual, with the spoofed SAML response
saml_client = saml_client_for(idp_name, retreived_metadata_url, request)
authn_response = saml_client.parse_authn_request_response(spoofed_saml_response, entity.BINDING_HTTP_POST)
authn_response.get_identity()

print(authn_response.name_id.text)
# This prints "user@user.com.evil.com"

@dcripplinger
Copy link

Also confirming in my system that pysaml2 already handles the injected comment fine, and the text before and after the comment are combined for the intended nameid. Same thing for an email attribute.

@c00kiemon5ter c00kiemon5ter mentioned this issue Mar 1, 2018
Closed
@Plazmaz
Copy link

Plazmaz commented Mar 1, 2018

In that case, should this be closed? Do we need more confirmation here @c00kiemon5ter?

c00kiemon5ter added a commit to c00kiemon5ter/pysaml2 that referenced this issue Mar 1, 2018
@c00kiemon5ter
Introduce xml_safe as a module to control xml opearations
5f86a15 
This is related to CVE-2017-11427[0] and VU#475445[1]
Related issues: IdentityPython#496 IdentityPython#497
Reported by duo[2] through this blog post[3]

pysaml2 is not affected, as, by default, the xml.etree.ElementTree and
xml.etree.cElementTree parsers ignore comments. However, this commit
makes sure that the ElementTree being used is set correctly through
defusexml lib and centralizes the control of which functions are exposed
and available for usage in the code. Any code that needs a function to
parse, modify or serialize XML should be obtain through the xml_safe
module. The new module asks defusexml to provide the function and if it
is not available it will fallback to the one provided by
xml.etree.cElementTree. This is a guarantee that functions like parse,
fromstring et al are provided by defusexml lib.

  [0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11427
  [1]: https://www.kb.cert.org/vuls/id/475445
  [2]: https://duo.com
  [3]: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
@c00kiemon5ter c00kiemon5ter mentioned this issue Mar 1, 2018
Open
6 tasks
c00kiemon5ter added a commit to c00kiemon5ter/pysaml2 that referenced this issue Mar 2, 2018
@c00kiemon5ter
Introduce xml_safe as a module to control xml opearations
88d3a90 
This is related to CVE-2017-11427[0] and VU#475445[1]
Related issues: IdentityPython#496 IdentityPython#497
Reported by duo[2] through this blog post[3]

pysaml2 is not affected, as, by default, the xml.etree.ElementTree and
xml.etree.cElementTree parsers ignore comments. However, this commit
makes sure that the ElementTree being used is set correctly through
defusexml lib and centralizes the control of which functions are exposed
and available for usage in the code. Any code that needs a function to
parse, modify or serialize XML should be obtain through the xml_safe
module. The new module asks defusexml to provide the function and if it
is not available it will fallback to the one provided by
xml.etree.cElementTree. This is a guarantee that functions like parse,
fromstring et al are provided by defusexml lib.

  [0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11427
  [1]: https://www.kb.cert.org/vuls/id/475445
  [2]: https://duo.com
  [3]: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
c00kiemon5ter added a commit to c00kiemon5ter/pysaml2 that referenced this issue Mar 2, 2018
@c00kiemon5ter
Introduce xml_safe as a module to control xml opearations
1845dd7 
This is related to CVE-2017-11427[0] and VU#475445[1]
Related issues: IdentityPython#496 IdentityPython#497
Reported by duo[2] through this blog post[3]

pysaml2 is not affected, as, by default, the xml.etree.ElementTree and
xml.etree.cElementTree parsers ignore comments. However, this commit
makes sure that the ElementTree being used is set correctly through
defusexml lib and centralizes the control of which functions are exposed
and available for usage in the code. Any code that needs a function to
parse, modify or serialize XML should be obtain through the xml_safe
module. The new module asks defusexml to provide the function and if it
is not available it will fallback to the one provided by
xml.etree.cElementTree. This is a guarantee that functions like parse,
fromstring et al are provided by defusexml lib.

  [0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11427
  [1]: https://www.kb.cert.org/vuls/id/475445
  [2]: https://duo.com
  [3]: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
c00kiemon5ter added a commit to c00kiemon5ter/pysaml2 that referenced this issue Mar 3, 2018
@c00kiemon5ter
Introduce xml_safe as a module to control xml opearations
ab34e7c 
This is related to CVE-2017-11427[0] and VU#475445[1]
Related issues: IdentityPython#496 IdentityPython#497
Reported by duo[2] through this blog post[3]

pysaml2 is not affected, as, by default, the xml.etree.ElementTree and
xml.etree.cElementTree parsers ignore comments. However, this commit
makes sure that the ElementTree being used is set correctly through
defusexml lib and centralizes the control of which functions are exposed
and available for usage in the code. Any code that needs a function to
parse, modify or serialize XML should be obtain through the xml_safe
module. The new module asks defusexml to provide the function and if it
is not available it will fallback to the one provided by
xml.etree.cElementTree. This is a guarantee that functions like parse,
fromstring et al are provided by defusexml lib.

  [0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11427
  [1]: https://www.kb.cert.org/vuls/id/475445
  [2]: https://duo.com
  [3]: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
@dustin-decker
Copy link

Looks okay from @bqumsiyeh's attempt. This should probably be rolled into a pysaml2 test so people can easily verify behavior and if there are any changes to the XML library down the road you can be confident that it is still covered.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@Plazmaz @logston @bqumsiyeh @dustin-decker @johnwheeler @dcripplinger