GHSA-PXM4-R5PH-Q2M2

Vulnerability from github – Published: 2024-12-02 17:25 – Updated: 2024-12-13 20:39
VLAI?
Summary
SimpleSAMLphp SAML2 has an XXE in parsing SAML messages
Details

Summary

When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.

$options is defined as: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 including the DTDLoad option, which allows an attacker to read file contents from local file system OR internal network.

While there is the NONET option, an attacker can simply bypass if by using PHP filters: php://filter/convert.base64-encode/resource=http://URL OR FILE

From there an attacker can induce network connections and steal the targeted file OOB (haven't fully tested this).

RCE may be possible with the php://expect or php://phar wrappers, but this hasn't been tested.

Note: The mitigation here: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L63-L69 Comes too late, as the XML has already been loaded into a document. Mitigation:

Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options. Additionally, as a defense in depth measure, check if there is the string: <!DOCTYPE inside the XML before parsing it. (This is not a complete fix because someone may be able to exploit some parser differentials, to load a DOCTYPE, maybe through spacing like: <! DOCTYPE)

Severity ?
8.3 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/saml2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/saml2-legacy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T17:25:43Z",
    "nvd_published_at": "2024-12-02T17:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Summary\n\nWhen loading an (untrusted) XML document, for example the SAMLResponse, it\u0027s possible to induce an XXE.\n\n$options is defined as: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41\nincluding the DTDLoad option, which allows an attacker to read file contents from local file system OR internal network.\n\nWhile there is the NONET option, an attacker can simply bypass if by using PHP filters:\nphp://filter/convert.base64-encode/resource=http://URL OR FILE\n\nFrom there an attacker can induce network connections and steal the targeted file OOB (haven\u0027t fully tested this).\n\nRCE may be possible with the php://expect or php://phar wrappers, but this hasn\u0027t been tested.\n\nNote:\nThe mitigation here:\nhttps://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L63-L69\nComes too late, as the XML has already been loaded into a document.\nMitigation:\n\nRemove the LIBXML_DTDLOAD | LIBXML_DTDATTR options.\nAdditionally, as a defense in depth measure, check if there is the string: \u003c!DOCTYPE inside the XML before parsing it. (This is not a complete fix because someone may be able to exploit some parser differentials, to load a DOCTYPE, maybe through spacing like: \u003c! DOCTYPE)",
  "id": "GHSA-pxm4-r5ph-q2m2",
  "modified": "2024-12-13T20:39:57Z",
  "published": "2024-12-02T17:25:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52806"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/simplesamlphp/saml2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SimpleSAMLphp SAML2 has an XXE in parsing SAML messages"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.