{"id":455,"date":"2019-07-23T10:31:04","date_gmt":"2019-07-23T08:31:04","guid":{"rendered":"https:\/\/www.calypt.com\/blog\/?p=455"},"modified":"2019-07-31T15:04:30","modified_gmt":"2019-07-31T13:04:30","slug":"cve-2019-13031-xxe-on-lemonldapng-2-0-5","status":"publish","type":"post","link":"https:\/\/www.calypt.com\/blog\/index.php\/cve-2019-13031-xxe-on-lemonldapng-2-0-5\/","title":{"rendered":"CVE-2019-13031 &#8211; XXE on LemonLDAP::NG < 2.0.5"},"content":{"rendered":"\n<figure class=\"wp-block-image is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/661763-636519532411453000-16x9-533x300.jpg\" alt=\"\" class=\"wp-image-514\" width=\"586\" height=\"330\"\/><\/figure>\n\n\n\n<h2>Global presentation<\/h2>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n<p style=\"text-align: justify;\">As described on&nbsp;<a href=\"https:\/\/lemonldap-ng.org\/start\">https:\/\/lemonldap-ng.org\/start<\/a>:<\/p>\n<blockquote>\n<p style=\"text-align: justify;\">LemonLDAP::NG is an open source Web Single Sign On (WebSSO), Access Management and Identity Federation product, written in Perl and Javascript.<\/p>\n<p>LemonLDAP::NG is free software, released under&nbsp;<abbr title=\"GNU General Public License\">GPL<\/abbr>&nbsp;license.<\/p>\n<p>LemonLDAP::NG is the first&nbsp;<abbr title=\"Single Sign On\">SSO<\/abbr>&nbsp;software deployed in French administrations. It can handle large-scale organizations&nbsp;<em>(tested with hundreds of thousands of users)<\/em>. 
Many private firms use it too.<\/p>\n<\/blockquote>\n<p>LemonLDAP::NG has several features (<a href=\"https:\/\/lemonldap-ng.org\/documentation\/features\">https:\/\/lemonldap-ng.org\/documentation\/features<\/a>), including:<\/p>\n<ul>\n<li>Full Access Control<\/li>\n<li>Easy customization<\/li>\n<li>Easy integration<\/li>\n<li>Identity Federation<\/li>\n<li>Sessions explorer \/ restriction<\/li>\n<li><strong>Notifications<\/strong><\/li>\n<\/ul>\n\n\n<h2>Notification Feature<\/h2>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>From <a href=\"https:\/\/lemonldap-ng.org\/documentation\/latest\/notifications\">https:\/\/lemonldap-ng.org\/documentation\/latest\/notifications<\/a>:<\/p>\n<blockquote>\n<div class=\"level1\">\n<p>Since version 0.9.4, LemonLDAP::NG can be used to notify some messages to users: if a user has a message, the message will be displayed when he accesses the portal. If the message contains check boxes, the user has to check all of them, otherwise he cannot access the portal and get his session cookie.<\/p>\n<p>Since 1.1.0, a notification explorer is available in Manager, and notifications can be done for all users, with the possibility to display conditions. When the user accepts the notification, the reference is stored in his persistent session.<\/p>\n<\/div>\n<\/blockquote>\n<div class=\"level1\">\n<div class=\"level2\">\n<div class=\"noteimportant\">From version 2.0, notifications are stored in JSON format. 
However, it is still possible to select the old XML format with a Manager option (disabled by default):<\/div>\n<\/div>\n<\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"296\" src=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-112734_1126x325_scrot-1024x296.png\" alt=\"\" class=\"wp-image-456\" srcset=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-112734_1126x325_scrot-1024x296.png 1024w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-112734_1126x325_scrot-600x173.png 600w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-112734_1126x325_scrot-768x222.png 768w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-112734_1126x325_scrot.png 1126w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>The legacy XML format must be enabled for the attack to work<\/figcaption><\/figure>\n\n\n<p>Also, as the documentation notes, &#8220;new JSON notifications can be inserted using REST or SOAP server. 
If enabled, the server&nbsp;<abbr title=\"Uniform Resource Locator\">URL<\/abbr>&nbsp;is&nbsp;<a class=\"urlextern\" title=\"https:\/\/auth.your.domain\/notifications\" href=\"https:\/\/auth.your.domain\/notifications\" rel=\"nofollow\">https:\/\/auth.your.domain\/notifications<\/a>.&#8221;<\/p>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"250\" src=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-121004_1196x292_scrot-1024x250.png\" alt=\"\" class=\"wp-image-457\" srcset=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-121004_1196x292_scrot-1024x250.png 1024w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-121004_1196x292_scrot-600x146.png 600w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-121004_1196x292_scrot-768x188.png 768w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-121004_1196x292_scrot.png 1196w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>The notification server lets a user (or an attacker) post notifications in JSON or XML format<\/figcaption><\/figure>\n\n\n\n<h2>XML External Entity<\/h2>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h3>Vulnerability<\/h3>\n\n\n<p>In the <em>lemonldap-ng-common\/lib\/Lemonldap\/NG\/Common\/Notifications\/XML.pm<\/em> and <em>lemonldap-ng-portal\/lib\/Lemonldap\/NG\/Portal\/Lib\/Notifications\/XML.pm<\/em> source files, the Perl module XML::LibXML is instantiated without any parser options. With libxml2's defaults the parser loads external DTDs and resolves external entities, so an attacker who can post an XML notification controls a DOCTYPE that the server will process: a classic XML External Entity (XXE) injection, exploited here out of band.<\/p>\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-123501_612x382_scrot.png\" alt=\"\" class=\"wp-image-464\" width=\"279\" height=\"174\" 
srcset=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-123501_612x382_scrot.png 612w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-123501_612x382_scrot-481x300.png 481w\" sizes=\"(max-width: 279px) 100vw, 279px\" \/><figcaption>Vulnerable parser initialization<\/figcaption><\/figure><\/div>\n\n\n\n<h3>Exploitation<\/h3>\n\n\n<p>A remote, unauthenticated attacker can exploit this vulnerability to exfiltrate files from the server. Both the notification server and the legacy XML notification format must be enabled. Because the parsed notification content is not echoed back to the caller, we need &#8220;out-of-band XXE&#8221; techniques to exfiltrate files over HTTP or FTP. The first step is to host our payload (<em>evil3.dtd<\/em>) at <em>http:\/\/attacker.com:9090\/evil3.dtd<\/em>.<\/p>\n<p>This DTD reads the local \/etc\/test file, then exfiltrates its content to a web or FTP server controlled by the attacker (here <em>attacker.com:2121<\/em>).<\/p>\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-151425_964x132_scrot.png\" alt=\"\" class=\"wp-image-472\" width=\"459\" height=\"63\" srcset=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-151425_964x132_scrot.png 964w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-151425_964x132_scrot-600x82.png 600w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-151425_964x132_scrot-768x105.png 768w\" sizes=\"(max-width: 459px) 100vw, 459px\" \/><figcaption>evil3.dtd hosted on the attacker's server<\/figcaption><\/figure><\/div>\n\n\n<p>Once the payload is hosted, we can launch the attack against the vulnerable LemonLDAP::NG server (here auth.example.com:9595):<\/p>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"526\" src=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-152635_1070x550_scrot-1024x526.png\" alt=\"\" class=\"wp-image-478\" srcset=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-152635_1070x550_scrot-1024x526.png 1024w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-152635_1070x550_scrot-584x300.png 584w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-152635_1070x550_scrot-768x395.png 768w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-152635_1070x550_scrot.png 1070w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>The posted notification makes LemonLDAP::NG fetch and process the malicious DTD hosted at http:\/\/attacker.com:9090\/evil3.dtd<\/figcaption><\/figure>\n\n\n<p>Finally, on the attacker side, the listener at attacker.com:2121 receives the data:<\/p>\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-152033_693x29_scrot.png\" alt=\"\" class=\"wp-image-474\" width=\"483\" height=\"20\" srcset=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-152033_693x29_scrot.png 693w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-152033_693x29_scrot-600x25.png 600w\" sizes=\"(max-width: 483px) 100vw, 483px\" \/><\/figure><\/div>\n\n\n\n<h3>Limitations<\/h3>\n\n\n<ul>\n<li>If the extracted file contains newline characters, its content is injected into the exfiltration URI and the parser fails with an &#8220;invalid URI&#8221; error; the exploit does not work.<\/li>\n<li>If the file is too long, the parser fails with an &#8220;Entity reference loop&#8221; error (libxml2 reports its entity-expansion size limit with this message); the exploit does not work.<\/li>\n<li>Egress filtering on the LemonLDAP::NG server can block retrieval of the external DTD and the exfiltration connection.<\/li>\n<\/ul>\n\n\n<h3>Remediation<\/h3>\n\n\n<p>A fix that disables external entity resolution in the parser shipped in <strong>v2.0.5<\/strong> and <strong>v1.9.20<\/strong>. Until a 2.0.x installation is upgraded, keeping the legacy XML notification format disabled (the default) keeps the vulnerable parser out of the request path. The patched parser initialization:<\/p>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" 
height=\"564\" src=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-153900_1457x803_scrot-1024x564.png\" alt=\"\" class=\"wp-image-480\" srcset=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-153900_1457x803_scrot-1024x564.png 1024w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-153900_1457x803_scrot-544x300.png 544w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-153900_1457x803_scrot-768x423.png 768w, https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/2019-07-05-153900_1457x803_scrot.png 1457w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Global presentation As described on&nbsp;https:\/\/lemonldap-ng.org\/start : LemonLDAP::NG is an open source Web Single Sign On (WebSSO), Access Management and Identity Federation product, written in Perl and Javascript. LemonLDAP::NG is a free software, released under&nbsp;GPL&nbsp;license. LemonLDAP::NG is the first&nbsp;SSO&nbsp;software deployed in French administrations. It can handle large-scale organization&nbsp;(tested with hundreds of thousands users). Many private firms [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false},"categories":[1],"tags":[68,71,70,67,59,69,66],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v16.1.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"How to exploit the XXE vulnerability on LemonLDAP::NG known as CVE-2019-13031. 
Out-of-band XXE on Lemonldap &lt; 2.0.5 and &lt; 1.9.20\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.calypt.com\/blog\/index.php\/cve-2019-13031-xxe-on-lemonldapng-2-0-5\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CVE-2019-13031 - XXE on LemonLDAP::NG &lt; 2.0.5 - Calypt\" \/>\n<meta property=\"og:description\" content=\"How to exploit the XXE vulnerability on LemonLDAP::NG known as CVE-2019-13031. Out-of-band XXE on Lemonldap &lt; 2.0.5 and &lt; 1.9.20\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.calypt.com\/blog\/index.php\/cve-2019-13031-xxe-on-lemonldapng-2-0-5\/\" \/>\n<meta property=\"og:site_name\" content=\"Calypt\" \/>\n<meta property=\"article:published_time\" content=\"2019-07-23T08:31:04+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-07-31T13:04:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/661763-636519532411453000-16x9-533x300.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\">\n\t<meta name=\"twitter:data1\" content=\"3 minutes\">\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.calypt.com\/blog\/#website\",\"url\":\"https:\/\/www.calypt.com\/blog\/\",\"name\":\"Calypt\",\"description\":\"Security thoughts\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.calypt.com\/blog\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.calypt.com\/blog\/index.php\/cve-2019-13031-xxe-on-lemonldapng-2-0-5\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/661763-636519532411453000-16x9-533x300.jpg\",\"contentUrl\":\"https:\/\/www.calypt.com\/blog\/wp-content\/uploads\/2019\/07\/661763-636519532411453000-16x9-533x300.jpg\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.calypt.com\/blog\/index.php\/cve-2019-13031-xxe-on-lemonldapng-2-0-5\/#webpage\",\"url\":\"https:\/\/www.calypt.com\/blog\/index.php\/cve-2019-13031-xxe-on-lemonldapng-2-0-5\/\",\"name\":\"CVE-2019-13031 - XXE on LemonLDAP::NG < 2.0.5 - Calypt\",\"isPartOf\":{\"@id\":\"https:\/\/www.calypt.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.calypt.com\/blog\/index.php\/cve-2019-13031-xxe-on-lemonldapng-2-0-5\/#primaryimage\"},\"datePublished\":\"2019-07-23T08:31:04+00:00\",\"dateModified\":\"2019-07-31T13:04:30+00:00\",\"author\":{\"@id\":\"https:\/\/www.calypt.com\/blog\/#\/schema\/person\/b8e19734abc8e33cb4ae7cf56a4b9f73\"},\"description\":\"How to exploit the XXE vulnerability on LemonLDAP::NG known as CVE-2019-13031. 
Out-of-band XXE on Lemonldap &lt; 2.0.5 and &lt; 1.9.20\",\"breadcrumb\":{\"@id\":\"https:\/\/www.calypt.com\/blog\/index.php\/cve-2019-13031-xxe-on-lemonldapng-2-0-5\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.calypt.com\/blog\/index.php\/cve-2019-13031-xxe-on-lemonldapng-2-0-5\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.calypt.com\/blog\/index.php\/cve-2019-13031-xxe-on-lemonldapng-2-0-5\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.calypt.com\/blog\/\",\"url\":\"https:\/\/www.calypt.com\/blog\/\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"position\":2,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.calypt.com\/blog\/index.php\/cve-2019-13031-xxe-on-lemonldapng-2-0-5\/\",\"url\":\"https:\/\/www.calypt.com\/blog\/index.php\/cve-2019-13031-xxe-on-lemonldapng-2-0-5\/\",\"name\":\"CVE-2019-13031 &#8211; XXE on LemonLDAP::NG &lt; 2.0.5\"}}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.calypt.com\/blog\/#\/schema\/person\/b8e19734abc8e33cb4ae7cf56a4b9f73\",\"name\":\"Calypt\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.calypt.com\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/559f7cccd6f8b48e554537c52d221ac4?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/559f7cccd6f8b48e554537c52d221ac4?s=96&d=mm&r=g\",\"caption\":\"Calypt\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/455"}],"collection":[{"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=455"}],"version-history":[{"count":28,"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/455\/revisions"}],"predecessor-version":[{"id":518,"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/455\/revisions\/518"}],"wp:attachment":[{"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.calypt.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}