SOAP security hole [was: Re: Squeak map colours]

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

SOAP security hole [was: Re: Squeak map colours]

Philippe Marschall
2006/9/25, Ramon Leon <[hidden email]>:
> > Closure compiler makes all blocks slower (not what you want for
> > Seaside) and doesn't work with exceptions.
>
> Ok, true.
>
> >
> > So the security hole that allowed arbitrary code execution is fixed?
>
> Didn't know about that, got a link to more info?

It was reported at the beginning of this year against 0.8. The author
was all kind and I had the illusion that it would get fixed (hell I
even attached a fix). But I forgot that it is a Squeak package. Yeah,
it's open sores so you're supposed to fix it yourself.

Description:
SoapCore uses #readFrom: to decode "primitive" SOAP values. In the
case of Boolean this causes two problems.

The first is that it's not standards compliant and thus not
interoperable with other implementation like for example NuSOAP (a PHP
implementation). But SOAP isn't interoperable anyway so I don't think
this is an issue.

The second is that it uses #readFrom: of Object which just evaluates
the contents of the stream and checks if the result is a boolean.

Impact:
Any host that can send a SOAP message to a Squeak sever or client can
execute arbitrary Smalltalk code in that image.

How to exploit:
In the Soap Message add a boolean field that contains Smalltalk code.
It doesn't matter wheter this field is allowed according to WSDL or
not, it doesn't get validated anyway. If you don't something that
kills the image instantly add an expression at the end that evaluates
to a boolean. In the simplest case just true of false. This way it
will go unnoticed.

example:
<Allow_IMAP xsi:type="xsd:boolean">OSProcess command: 'rm -rf /'.
true</Allow_IMAP>

Other fun ideas:
- manipulate the compiler
- manipulate the browser to not show your manipulations
- ask all instances of MCHttpRepository for password
- to the same for SqueakMap passwords
- look around on the filesystem
- just quit the image
- add an instance variable to Object
- write aribrary bytes into compiled methods
- suspend the UIProcess, unload SOAP then save the image
- look if there's a database and a *User or *Customer class, try to
figure out how to collect information about them
- unload Morphic the save the image
- do something cool with OSProcess (add a user, open SSH, ..., install Windows)

A fun thing about that is that although we don't have buffer overflows
like in C, we still have arbitrary code execution security holes. It's
also much more convenient to develop such exploits in Smalltalk than
C. You don't have to worry about stack layout and stuff.

Have a nice day

Philippe

Reply | Threaded
Open this post in threaded view
|

Re: SOAP security hole [was: Re: Squeak map colours]

Ramon Leon-4
> The second is that it uses #readFrom: of Object which just evaluates
> the contents of the stream and checks if the result is a boolean.
>
> Impact:
> Any host that can send a SOAP message to a Squeak sever or client can
> execute arbitrary Smalltalk code in that image.
>

Ouch, guess I won't be hosting any web services in Squeak.  None of this
affects me though, since I'm only using it as a SoapClient, and I
control the server side services, so I trust them.  But thanks for the
warning, guess I'll continue using .Net for writing all my Services and
Squeak for the web GUI against those services.


Reply | Threaded
Open this post in threaded view
|

Re: SOAP security hole [was: Re: Squeak map colours]

stephane ducasse-2
In reply to this post by Philippe Marschall
Philippe

did you propose a fix?

(Was the fix included?)
        ifFalse: [ philippeAndOther publishAnotherPackageWithFix ]
        IfTure: [ beHappy]
We cannot force people to accept our fix but we can create new packages

Stef


On 26 sept. 06, at 08:38, Philippe Marschall wrote:

> 2006/9/25, Ramon Leon <[hidden email]>:
>> > Closure compiler makes all blocks slower (not what you want for
>> > Seaside) and doesn't work with exceptions.
>>
>> Ok, true.
>>
>> >
>> > So the security hole that allowed arbitrary code execution is  
>> fixed?
>>
>> Didn't know about that, got a link to more info?
>
> It was reported at the beginning of this year against 0.8. The author
> was all kind and I had the illusion that it would get fixed (hell I
> even attached a fix). But I forgot that it is a Squeak package. Yeah,
> it's open sores so you're supposed to fix it yourself.
>
> Description:
> SoapCore uses #readFrom: to decode "primitive" SOAP values. In the
> case of Boolean this causes two problems.
>
> The first is that it's not standards compliant and thus not
> interoperable with other implementation like for example NuSOAP (a PHP
> implementation). But SOAP isn't interoperable anyway so I don't think
> this is an issue.
>
> The second is that it uses #readFrom: of Object which just evaluates
> the contents of the stream and checks if the result is a boolean.
>
> Impact:
> Any host that can send a SOAP message to a Squeak sever or client can
> execute arbitrary Smalltalk code in that image.
>
> How to exploit:
> In the Soap Message add a boolean field that contains Smalltalk code.
> It doesn't matter wheter this field is allowed according to WSDL or
> not, it doesn't get validated anyway. If you don't something that
> kills the image instantly add an expression at the end that evaluates
> to a boolean. In the simplest case just true of false. This way it
> will go unnoticed.
>
> example:
> <Allow_IMAP xsi:type="xsd:boolean">OSProcess command: 'rm -rf /'.
> true</Allow_IMAP>
>
> Other fun ideas:
> - manipulate the compiler
> - manipulate the browser to not show your manipulations
> - ask all instances of MCHttpRepository for password
> - to the same for SqueakMap passwords
> - look around on the filesystem
> - just quit the image
> - add an instance variable to Object
> - write aribrary bytes into compiled methods
> - suspend the UIProcess, unload SOAP then save the image
> - look if there's a database and a *User or *Customer class, try to
> figure out how to collect information about them
> - unload Morphic the save the image
> - do something cool with OSProcess (add a user, open SSH, ...,  
> install Windows)
>
> A fun thing about that is that although we don't have buffer overflows
> like in C, we still have arbitrary code execution security holes. It's
> also much more convenient to develop such exploits in Smalltalk than
> C. You don't have to worry about stack layout and stuff.
>
> Have a nice day
>
> Philippe
>


Reply | Threaded
Open this post in threaded view
|

SOAP security hole [was: Re: Squeak map colours]

Göran Krampe
In reply to this post by Philippe Marschall
"Philippe Marschall" <[hidden email]> wrote:
[SNIP]
> Other fun ideas:
> - manipulate the compiler
> - manipulate the browser to not show your manipulations
> - ask all instances of MCHttpRepository for password
> - to the same for SqueakMap passwords

Just a sidenote: The SqueakMap passwords are not stored in clear text in
people's images.

regards, Göran

Reply | Threaded
Open this post in threaded view
|

Re: SOAP security hole [was: Re: Squeak map colours]

Masashi UMEZAWA-2
In reply to this post by Philippe Marschall
Hi,

Sorry for the late reply. But the problem was already fixed in August
3 (at least for boolean).

See the latest version:
http://map.squeak.org/package/dab9b621-00d2-41c3-966c-458bf62b8008/autoversion/6

Actually, the decoder still relies on Object >> readFrom:. So it might
be still dangerous.
(But I think the real problem is in #readFrom: not SOAP itself).

Please let me know other problems.

Cheers,

2006/9/26, Philippe Marschall <[hidden email]>:

> 2006/9/25, Ramon Leon <[hidden email]>:
> > > Closure compiler makes all blocks slower (not what you want for
> > > Seaside) and doesn't work with exceptions.
> >
> > Ok, true.
> >
> > >
> > > So the security hole that allowed arbitrary code execution is fixed?
> >
> > Didn't know about that, got a link to more info?
>
> It was reported at the beginning of this year against 0.8. The author
> was all kind and I had the illusion that it would get fixed (hell I
> even attached a fix). But I forgot that it is a Squeak package. Yeah,
> it's open sores so you're supposed to fix it yourself.
>
> Description:
> SoapCore uses #readFrom: to decode "primitive" SOAP values. In the
> case of Boolean this causes two problems.
>
> The first is that it's not standards compliant and thus not
> interoperable with other implementation like for example NuSOAP (a PHP
> implementation). But SOAP isn't interoperable anyway so I don't think
> this is an issue.
>
> The second is that it uses #readFrom: of Object which just evaluates
> the contents of the stream and checks if the result is a boolean.
>
> Impact:
> Any host that can send a SOAP message to a Squeak sever or client can
> execute arbitrary Smalltalk code in that image.
>
> How to exploit:
> In the Soap Message add a boolean field that contains Smalltalk code.
> It doesn't matter wheter this field is allowed according to WSDL or
> not, it doesn't get validated anyway. If you don't something that
> kills the image instantly add an expression at the end that evaluates
> to a boolean. In the simplest case just true of false. This way it
> will go unnoticed.
>
> example:
> <Allow_IMAP xsi:type="xsd:boolean">OSProcess command: 'rm -rf /'.
> true</Allow_IMAP>
>
> Other fun ideas:
> - manipulate the compiler
> - manipulate the browser to not show your manipulations
> - ask all instances of MCHttpRepository for password
> - to the same for SqueakMap passwords
> - look around on the filesystem
> - just quit the image
> - add an instance variable to Object
> - write aribrary bytes into compiled methods
> - suspend the UIProcess, unload SOAP then save the image
> - look if there's a database and a *User or *Customer class, try to
> figure out how to collect information about them
> - unload Morphic the save the image
> - do something cool with OSProcess (add a user, open SSH, ..., install Windows)
>
> A fun thing about that is that although we don't have buffer overflows
> like in C, we still have arbitrary code execution security holes. It's
> also much more convenient to develop such exploits in Smalltalk than
> C. You don't have to worry about stack layout and stuff.
>
> Have a nice day
>
> Philippe
>
>
--
[:masashi | ^umezawa]