Advisory Name : XML External Entity Injection in BroadWorks XSP XML Interface
Application   : BroadWorks XSP XML Interface 17.0 (XML Interface on TCP/8011)
Platform      : Linux
Severity      : HIGH (Arbitrary File Retrieval)
Discovered by : Jordan Carter
Vendor Status : Resolved in the May 2015 BroadWorks Update, available from http://xchange.broadsoft.com/
XML External Entity Injection
An XML external entity injection vulnerability was identified that allows an unauthenticated attacker to read arbitrary files from the server and enumerate internal web applications.
Applications that parse XML input may be exposed to attacks built on XML External Entities. Many XML parsers resolve external entities by default, so an application is vulnerable unless the developer explicitly disables DTD processing or external entity resolution.
If a parser allows an attacker to declare external entities and then reference them, the attacker may be able to read arbitrary files, load content from applications that are only intended to be accessed internally, and potentially cause a denial of service against the application server (for example through entity expansion). In rare cases, depending on the parser and the URI schemes it supports, XXE can lead to remote command execution.
When a specially crafted request is supplied to the affected application listening on TCP/8011, the server parses the supplied content as XML, including the attacker-supplied DTD, and resolves the external entity it declares. This can be leveraged to read arbitrary server-side files and to communicate with internal network components.
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE convert[ <!ENTITY c SYSTEM "file:///etc/passwd">]><xsp:keepalive xmlns:xsp="http://schema.broadsoft.com/XspXMLInterface" version="17.0"><requestId>&c;</requestId><period>30</period></xsp:keepalive>
The above payload can be transmitted with freely available tools such as telnet and will cause a vulnerable server to respond with the contents of the local /etc/passwd file, echoed back in the requestId element. Because the entity is expanded inside an XML element, only files whose contents are well-formed as character data are returned cleanly this way; a file containing an unescaped '<' or similar will break the parse instead. An attacker able to locate sensitive files, such as configuration files, could gain unauthorised access to data such as system credentials. Additionally, internal systems that are not normally reachable by the attacker can be targeted with payloads such as:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE convert[ <!ENTITY c SYSTEM "http://10.50.1.1:80/">]><xsp:keepalive xmlns:xsp="http://schema.broadsoft.com/XspXMLInterface" version="17.0"><requestId>&c;</requestId><period>30</period></xsp:keepalive>
This causes the server to request content from a web server at 10.50.1.1 on port 80 and, where the response is well-formed, return it in the same way; even where it is not, differences in the error returned allow the attacker to tell an open port from a closed one. A payload of this kind could allow an attacker to enumerate internal web applications, potentially gain access to confidential data and attack internal systems (for example through error-based SQL injection), potentially leading to further network compromise.
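The usual fix for this class of issue is to refuse DTDs on an interface that never needs them, rather than to try to sanitise entity values. The following is an added example of such a guard, written by the editor for this advisory; it is not BroadSoft's code and says nothing about how the vendor actually patched XSP. It uses only the Python standard library. The three requests are constructed here in the shape of the XSP keepalive: a benign one, and the two payloads quoted above. The expat pass records what the DTD tries to do (including which entity references element content actually makes) without fetching anything, and the application handler accepts only DOCTYPE-free requests.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

# Constructed sample requests in the shape of the XSP keepalive. BENIGN is what a
# legitimate client sends; FILE_READ and INTERNAL_HTTP carry the two payloads
# quoted in the advisory (assumed representative, not captured traffic).
XSP_NS = "http://schema.broadsoft.com/XspXMLInterface"
PROLOG = b'<?xml version="1.0" encoding="UTF-8"?>'
BODY = (b'<xsp:keepalive xmlns:xsp="' + XSP_NS.encode() + b'" version="17.0">'
        b'<requestId>%s</requestId><period>30</period></xsp:keepalive>')
BENIGN = PROLOG + BODY % b"req-0001"
FILE_READ = (PROLOG + b'<!DOCTYPE convert[ <!ENTITY c SYSTEM "file:///etc/passwd">]>'
             + BODY % b"&c;")
INTERNAL_HTTP = (PROLOG + b'<!DOCTYPE convert[ <!ENTITY c SYSTEM "http://10.50.1.1:80/">]>'
                 + BODY % b"&c;")


class DtdRejected(ValueError):
    """A request carried a DOCTYPE; the keepalive schema never needs one."""


def inspect_dtd(xml_bytes):
    """Parse once with a bare expat parser that loads nothing and report what
    the document's DTD tried to do.

    The external-entity handler records the SYSTEM identifier of every entity
    that element content actually references and returns 1 ("handled") without
    opening the URI, so the scan itself cannot be turned into a file read or
    an outbound request.
    """
    report = {"doctype": False, "external_entities": {}, "referenced": []}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = True

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None:  # external entity (SYSTEM/PUBLIC), not a literal value
            report["external_entities"][name] = sysid

    def on_external_ref(context, base, sysid, pubid):
        report["referenced"].append(sysid)
        return 1  # claim success so parsing continues; nothing is fetched

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return report


def classify_system_id(sysid):
    """Describe what an unprotected parser would do with an entity's SYSTEM id."""
    scheme = sysid.split(":", 1)[0].lower()
    if scheme == "file":
        return "local file read"
    if scheme in ("http", "https", "ftp"):
        return "request to another host (internal enumeration / SSRF)"
    return "other external resource"


def safe_parse(xml_bytes):
    """Build the tree only if the request carries no DOCTYPE at all.

    Rejecting the DTD outright, rather than only external entities, also rules
    out entity-expansion denial of service and parameter-entity tricks.
    """
    report = inspect_dtd(xml_bytes)
    if report["doctype"]:
        detail = ", ".join(f"{n} -> {s} ({classify_system_id(s)})"
                           for n, s in report["external_entities"].items())
        raise DtdRejected("DOCTYPE not permitted in XSP requests: "
                          + (detail or "no external entities declared"))
    return ET.fromstring(xml_bytes)


def keepalive_request_id(xml_bytes):
    """Application-level handler: the requestId of an accepted keepalive.

    requestId is unprefixed and no default namespace is declared, so it is
    looked up without a namespace; only the root element is namespaced.
    """
    root = safe_parse(xml_bytes)
    if root.tag != f"{{{XSP_NS}}}keepalive":
        raise ValueError(f"unexpected root element {root.tag}")
    return root.findtext("requestId")


if __name__ == "__main__":
    print("benign requestId:", keepalive_request_id(BENIGN))
    for label, req in (("file read", FILE_READ), ("internal http", INTERNAL_HTTP)):
        try:
            keepalive_request_id(req)
        except DtdRejected as exc:
            print(f"{label}: {exc}")
```

Running the script accepts the benign keepalive and rejects both payloads with a message naming the entity, its SYSTEM identifier and what an unprotected parser would have done with it, which is useful to log for detection. In a real deployment the same inspection step can run on the raw request body before it reaches the application's parser, whatever that parser is.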
The vendor has patched the XXE issue in the May 2015 BroadWorks update. Sec-1 would like to thank BroadSoft for their prompt and professional response.
Additional CVE Details
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE : CVE-2015-4120 : Assigned to the XML External Entity (XXE) discovery. Assigned Bug ID# TAC-129144 by BroadSoft.
Copyright 2015 Sec-1 LTD. All rights reserved.