Analysis of the Zend Framework XXE injection

Source: Internet
Author: User

A Zend Framework vulnerability was reported on the Internet a few days ago by mkods.

According to the description, the vulnerability is an XXE (XML External Entity) injection in the XML-RPC module of Zend Framework (Zend_XmlRpc), and it can be used to read arbitrary files on the server, for example the source code of PHP files. XML-RPC is a module that provides RPC (Remote Procedure Call) services; it uses XML for the data exchange between server and client, and the problem lies in how the server and the client parse that XML.

I have already published an article on the Internet proving this vulnerability, in which the "/etc/passwd" file was read successfully. To understand how the vulnerability is exploited and what conditions are required for exploitation to succeed, I wrote a simple program for testing. Since this is an RPC service there must be a client and a server: the server exposes a function hello; when the client requests hello from the server, the server executes it and returns the result string "this is a zend framework xmlrpc helloword" to the client. The code is as follows:

Server code server.php:


Client code client.php:

Deploy server.php and client.php to Apache, start Wireshark to capture packets, and then open http://localhost/zendtest/client.php in the browser. The page successfully displays the string returned by server.php.



Open Wireshark and view the packets generated during this process.



The execution flow is:
Browser --> client.php ---> server.php;
server.php ---> client.php ---> browser;
The two most important packets are packet 4, the POST data that client.php sends to ask server.php to execute the hello function, and packet 5, the data that server.php returns to client.php.
The packet contents are as follows:

Packet 4:



Packet 5:



From these packets we can see the Zend_XmlRpc workflow and the format and meaning of the data sent. Now, following that known format, we construct a packet that triggers the vulnerability:



The purpose of this malicious packet is to read the "/etc/passwd" file on the server: the DOCTYPE declares an external entity that points at the file, and the entity is referenced where the method name should be.

For ease of testing, I wrote a Python script that sends the packet to server.php. The code is as follows:



Running this Python script returns the following result:



The content of the "/etc/passwd" file was successfully leaked.
Now let's walk through the flow of this vulnerability:
1: server.php receives the XML data and hands it to Zend_XmlRpc_Server:



2: The Zend_XmlRpc_Server module directly uses new SimpleXMLElement($xml) to parse the XML and create an instance. At this point libxml resolves the external entity declared in the DOCTYPE and substitutes the contents of the file into the methodName element. The parsed XML instance is:



3: Zend_XmlRpc_Server reads the value of methodName (shown in red) as the function requested by the client;

4: because the requested function does not exist, Zend_XmlRpc_Server returns the error message "xxx does not exist", where xxx is the content of /etc/passwd.
The content of "/etc/passwd" is thus leaked in the fault response.

The new version of Zend Framework fixes this vulnerability. The code on the red line is the patch:



It calls libxml_disable_entity_loader(true) so that libxml will not load external entities while SimpleXMLElement parses the request; the SYSTEM entity pointing at /etc/passwd is then never resolved and the file cannot leak. Two practical notes: the function changes a global libxml setting and returns the previous value, so restore that value after parsing rather than leaving it flipped for every other XML parser in the process; and libxml_disable_entity_loader() is deprecated as of PHP 8.0 because libxml2 2.9.0 and later no longer substitute entities by default. Rejecting any request that carries a DOCTYPE before it reaches the parser is an independent safeguard that does not depend on parser defaults.
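To make the server-side flow in steps 1 to 4 and the shape of a robust fix concrete, here is an added example written in Python (not Zend Framework code, and not the patch above) of how an XML-RPC endpoint can handle the raw request: decode the body the way a parser would, refuse anything that declares a DTD before parsing, validate the method name against the character set the XML-RPC specification allows, and answer an unknown method with a fault that does not echo the name. The decoding step matters because a plain byte search for "<!DOCTYPE" misses a payload sent as UTF-16 or UTF-32. The sample requests and the fault codes are constructed for illustration.

```python
import codecs
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# A DTD has no place in an XML-RPC request; either marker is grounds to reject.
DTD_MARKERS = ("<!DOCTYPE", "<!ENTITY")
# Characters the XML-RPC specification allows in a method name.
METHOD_NAME_RE = re.compile(r"[A-Za-z0-9_.:/]+")


class UnsafeXmlRequest(ValueError):
    """Raised when a request is refused before or after parsing."""


def decode_xml_body(body: bytes) -> str:
    """Decode the raw body the way the XML parser would, so the DOCTYPE check
    cannot be slipped past by sending the payload in a multibyte encoding."""
    for bom, enc in (
        (codecs.BOM_UTF32_LE, "utf-32-le"), (codecs.BOM_UTF32_BE, "utf-32-be"),
        (codecs.BOM_UTF16_LE, "utf-16-le"), (codecs.BOM_UTF16_BE, "utf-16-be"),
        (codecs.BOM_UTF8, "utf-8"),
    ):
        if body.startswith(bom):          # UTF-32 BOMs are checked before UTF-16
            return body[len(bom):].decode(enc)
    if body.startswith(b"<\x00"):         # BOM-less UTF-16 LE
        return body.decode("utf-16-le")
    if body.startswith(b"\x00<"):         # BOM-less UTF-16 BE
        return body.decode("utf-16-be")
    m = re.match(rb'<\?xml[^>]*encoding=["\']([A-Za-z0-9._-]+)["\']', body)
    return body.decode(m.group(1).decode("ascii") if m else "utf-8")


def find_dtd_markers(xml_text: str):
    return [marker for marker in DTD_MARKERS if marker in xml_text]


def safe_method_name(body: bytes) -> str:
    """Reject any DTD before the parser sees the document, then accept only a
    method name made of characters the specification allows."""
    text = decode_xml_body(body)
    hits = find_dtd_markers(text)
    if hits:
        raise UnsafeXmlRequest("request contains %s" % ", ".join(hits))
    root = ET.fromstring(text)
    if root.tag != "methodCall":
        raise UnsafeXmlRequest("root element is <%s>, expected <methodCall>" % root.tag)
    name = (root.findtext("methodName") or "").strip()
    if not METHOD_NAME_RE.fullmatch(name):
        raise UnsafeXmlRequest("method name contains characters outside the XML-RPC set")
    return name


def is_rejected(body: bytes) -> bool:
    try:
        safe_method_name(body)
    except (UnsafeXmlRequest, ET.ParseError):
        return True
    return False


def fault_response(code: int, message: str) -> str:
    return (
        "<methodResponse><fault><value><struct>"
        "<member><name>faultCode</name><value><int>%d</int></value></member>"
        "<member><name>faultString</name><value><string>%s</string></value></member>"
        "</struct></value></fault></methodResponse>" % (code, escape(message))
    )


def handle_request(body: bytes, methods: dict) -> str:
    """Minimal dispatcher: the unknown-method fault never echoes the requested
    name, which is what turned the entity expansion into a file read."""
    try:
        name = safe_method_name(body)
    except (UnsafeXmlRequest, ET.ParseError) as exc:
        return fault_response(400, "invalid request: %s" % exc)   # constructed code
    if name not in methods:
        return fault_response(620, "Method does not exist")         # constructed code
    result = escape(str(methods[name]()))
    return ("<methodResponse><params><param><value><string>%s</string></value>"
            "</param></params></methodResponse>" % result)


# Constructed sample requests: the benign hello call, the XXE payload from the
# article, and the same payload re-encoded as UTF-16 to defeat a byte search.
SAMPLE_BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>'
                 b"<methodCall><methodName>hello</methodName><params/></methodCall>")
SAMPLE_XXE = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE methodCall [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
              b"<methodCall><methodName>&xxe;</methodName><params/></methodCall>")
SAMPLE_XXE_UTF16 = codecs.BOM_UTF16_LE + SAMPLE_XXE.decode("ascii").encode("utf-16-le")
```

The method-name check is defence in depth only: the decisive controls are refusing the DTD up front and never reflecting untrusted input into an error string, so that even a parser that does expand entities has nothing to leak through.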
