Advisory: Truncation of SAML Attributes in Shibboleth 2 RedTeam Pentesting discovered that the shibd service of Shibboleth 2 does not extract SAML attribute values in a robust manner. By inserting XML entities into a SAML response, attackers may truncate attribute values without breaking the document's signature. This might lead to a complete bypass of authorisation mechanisms. Details ======= Product: Shibboleth 2 Affected Versions: before 2.6.1 (with XMLTooling-C prior 1.6.3) Fixed Versions: 2.6.1 Vulnerability Type: Authorisation Bypass Security Risk: high Vendor URL: http://ift.tt/2ypoqsW Vendor Status: notified Advisory URL: http://ift.tt/2DkTiR7 Advisory Status: public CVE: CVE-2018-0486 CVE URL: http://ift.tt/2my5mUv Introduction ============ "Shibboleth is among the world's most widely deployed federated identity solutions, connecting users to applications both within and between organizations. Every software component of the Shibboleth system is free and open source. Shibboleth is an open-source project that provides Single Sign-On capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner." (from the Shibboleth Consortium's website [1]) More Details ============ Shibboleth 2 makes use of SAML 2 to communicate assertions between identity providers and service providers. In some modes of operation, SAML messages are relayed through a user's browser. Therefore, their integrity must be protected. SAML accomplishes this by utilizing the XML signature standard [2] to sign its messages. When employing signatures, it is important that signed data is interpreted in a consistent manner by all parties. RedTeam Pentesting discovered that by inserting XML entities into a SAML response, the XML signature processor and the Shibboleth application will interpret the response differently. Parts of the document, for example values of SAML attributes, can partially be substituted by XML entities. An inline document type definition at the beginning of the XML document is inserted to define these entities. During signature verification, the XML document is canonicalized, which includes resolution of entities. The definition of all entities is chosen such that, after their resolution, the original contents of the XML document appear again. For example, if "RedTeam" was replaced with "Re&x;am", the entity "x" will be defined as the string "dTe". Consequently, the signature remains intact as the content of the document was not changed. After validating the signature of a SAML response, Shibboleth will extract various information from the document, such as the values of SAML attributes. Extracting strings from the XML DOM is implemented by the function shown below (shortened and re-formatted):
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment