-
Notifications
You must be signed in to change notification settings - Fork 422
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PySAML vulnerable to XXE #366
Comments
@rohe Any updates on this ? Was wondering if you need any help. This is a pretty serious issue. Also I wanted to let you know that an underlying library you use xmlsec is also vulnerable, so I have created a ticket on their side which might be related to yours. https://github.com/lsh123/xmlsec/issues |
@rohe it looks like your problem actually goes all the way down to libxml2 https://bugzilla.gnome.org/show_bug.cgi?id=772726 |
— Roland |
This fixes XXE issues on anything where pysaml2 parses XML directly as part of issue IdentityPython#366. It doesn't address the xmlsec issues discussed on that ticket as they are out of reach of a direct fix and need the underlying library to fix this issue.
@freedomcoder @rohe Could you imagine the impact this vulnerability causes? Is it possible to bypass authentication? Is it possible to get the content of some local files e.g. via error messages? As there is also Pull Request #366 fixed, will you release a new version of pysaml2 so that the debian package can be updated? Is the current git HEAD stable enough to use? |
same for gentoo, though we may need to backport this to 4.0.2 because of the pycryptome change in 4.0.3 and openstack not working with it. |
don't even know the sha for the 4.0.2 tag, not sure how we are going to deal with this... |
I do have a patch that works with 4.0.2 though |
passes tests, at least the tests I could run
neither of those files are ones that I touched at least and the second one was because of the missing test file. |
so, a few downstreams have requested, that since they do not package pycryptome and packaging it would be difficult that someone go back in history to the commit that was 4.0.2, check it out, branch from there, and create a 4.0.2.1 with the fix (possibly the patch I mangled). Then upload that to pypi. I don't know if this is feasible though... |
This fixes XXE issues on anything where pysaml2 parses XML directly as part of issue IdentityPython#366. It doesn't address the xmlsec issues discussed on that ticket as they are out of reach of a direct fix and need the underlying library to fix this issue.
Is this issue actually exploitable? Or is this only a theoretical issue? Using the following XML snipped:
Transforming it into a SAMLResponse request:
Turns in a exception but no external request is done:
|
@spaceone this is 100% exploitable. The way it was found was through exploitation so yes. The problem is on xmlsec1 and libxml itself. Which are currently being patched. |
@freedomcoder Is it possible to gain a local file through this? |
@freedomcoder Could you answer? We need to shutdown our services if that is possible. |
@spaceone I've been using this to test things. It is a shitty script I quickly build and I have not had time to refine into a proper tool. If you need help testing your UCS endpoints if you point me to a sample deployment. I can certainly test it and let you know privately the results. https://gist.github.com/FreedomCoder/77804052accd69e5d2a9ceb879d70143 |
@freedomcoder Thanks, I added some comments to your snipped. |
@spaceone correctly if I am wrong!! |
@freedomcoder @rohe Yes, as far as I can see defusedxml is used always before any call to xmldsig. The following exception is raised in case of such a XXE attack:
I tested only parse_authn_request_response() but I hope that every code path is similar to this method. |
When reverting 6e09a25 it is vulnerable again. |
Hi all -- I cannot seem to reproduce this, at least with pysaml 4.4.0 and 4.0.0 using a vulnerable xmlsec1 against my ACS view1 using the SAMLResponse suggested. As far as I can see from the commits + comments:
Here's my fake SAMLResponse which sends a request to my canary webserver when calling 1 I'd just like to disambiguate: is If so, on master? on latest release? |
When is the next release planned? |
pysaml2 version 4.5.0 has been released. This can now be closed. If you feel differently, please do reopen and lets re-examine this. Thanks |
This fixes XXE issues on anything where pysaml2 parses XML directly as part of issue IdentityPython#366. It doesn't address the xmlsec issues discussed on that ticket as they are out of reach of a direct fix and need the underlying library to fix this issue.
Roland (@rohe),
Description
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
It seams that the PySAML2 library does not contemplate the possibility of SAML "XML" requests or responses containing External Entities or File Local inclusion resulting on malicious XML requests or responses being able to trigger an XXE attack.
Proof of Concept SAMLResponse:
For more information refer to:
Recommendations:
It is my recommendation that you should disable all these by default and if necessary give the user the option to enable them on their settings.
The text was updated successfully, but these errors were encountered: