.

WSDL - Reminder that not all hacks need to be 'hard'

<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Sep 30, 2012 10:25 am

WSDL - Reminder that not all hacks need to be 'hard'

Just wanted to throw this out to the collaborative, as a reminder that sometimes you can try TOO hard to exploit a system, when the keys are really closely within reach.  This isn't always the case, but sometimes it doesn't take rocket science to pwn a system.  Rather, just a little time and minimal effort.  (Note: many of yur customers will overlook very simple things, that can lead to disastrous consequences.  Case in point, the one below.)

This past week, I was asked to assist with a pentest for a customer with multile web applications.  One application, in particular,  was  a prime example of using very basic wsdl enumeration to help gain the 'keys to the kingdom'

Due to the very highly sensitive nature of the customer, I don't have ANY screenshots to post, however, I will give some generalized info, below, as to how the application more or less gave me all the information for complete network compromise.

For this test, I was tasked to do both internal and external testing, but to focus mainly on internal, up front, as they wanted me to focus most of my efforts on a new application, which was to be an employee-only app, deployed for some workflow processes.

I began with some session captures, and traced some local workstation traffic, to see what sorts of data were being passed, and noted a very basic lack of good session handling /validation, specific to this application.  ("No-no" / oops number one)  After a bit of research, I found that the application didn't time out said sessions, either, so I knew that if I could take advantage of anyone's session data / cookies, I could theoretically impersonate them, and gain furter information.  Next, I fired up ethereal, and ARP poisoned the gateway and workstation of a user, and fired up a paros proxy, to see if I could get the data I needed.  A short time later, I had, in my possession all the data I needed:  cookie data for the user session.

I watched and noted that the user pretty much stayed in the application, most of the day.  SCORE!!!  Got my session to ride on.

Now that I had an authenticated session, I hit their web application, resending the session info from my proxy captures, and had an authenticated session.  Now, said application didn't have much 'critical' information, at least in the sense of credit card data ot anything, BUT it did have one very interesting caveat...  The wsdl file.

A very generic description of wsdl scanning (there are multiple tools that can be used to both scan and exploit wsdl) can be found here:

http://minsky.gsi.dit.upm.es/semanticwiki/index.php/WSDL_Scanning

Wsdl scanning can provide some very valuable information.  In this particular case, however, it was enough to completely pwn their network.  Their wsdl exposed an element called 'get_ldap_config'  (Yep, I'm sure you see this coming - injecting data into a request to get_ldap_config returned a full LDAP credentialled account.  Did I mention, the configured account was a Windows 2008 Domain Admin?  :-)  )

Lessons to be learned -

If you're this customer, employ better session handling and validation, as well as changing the LDAP account for the app to one that isn't so critical.

If you're the tester, be sure to closely examine the apps you're testing, because the right opportunity may be just out of plain sight.

One of many articles about WSDL hacking (I advise all web-app hackers to become familiar with WSDL, as web services are becoming the all the rave):

http://www.soapui.org/SOAP-and-WSDL/web-service-hacking.html

Please feel free to expound on this thread, for others who do these attacks regularly.
Last edited by hayabusa on Sun Sep 30, 2012 11:30 am, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Sun Sep 30, 2012 2:54 pm

Re: WSDL - Reminder that not all hacks need to be 'hard'

That's awesome Hayabusa. I voraciously consume anything I can on web services. They are so prevalent and so shite half the time. Even great courses like SANS that list web services in the syllabus only spend 15 minutes or so on the topic. I was hoping the Mobile Pentest course (SEC575) I took in August would dig into it a bit but it really didnt. Lame. I'm still working up a review for that course btw. Looking forward to the dialogue on this topic. There's such a lacking of tools here for this stuff.
Last edited by tturner on Sun Sep 30, 2012 4:16 pm, edited 1 time in total.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

m0wgli

User avatar

Sr. Member
Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Sun Sep 30, 2012 4:00 pm

Re: WSDL - Reminder that not all hacks need to be 'hard'

Thanks for sharing. This is something I'll definitely be looking into. I'd heard of WSDL before but couldn't remember where. Referring to my copy of the The Web Application Hackers Handbook (2nd Edition), web services are only covered on pages 56-57!
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Sep 30, 2012 7:21 pm

Re: WSDL - Reminder that not all hacks need to be 'hard'

Over the next few days, I'll see if I can post more of the WSDL-related stuff I've got.  This weekend has been hectic, on the personal side, but while this particular pentest was still fresh on my mind, I wanted to at least get the topic started.  :)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Oct 01, 2012 3:37 am

Re: WSDL - Reminder that not all hacks need to be 'hard'

Very nice, I sometimes use SoapUI and Burp (the Scanner Module and sometimes the Intruder) to attack WSDL's. It works okay, even though I have to do a lot of manual verification or whether an attack worked or not, plus Burp doesn't check for e.g. case-sensitive authentication, which is a common WSDL flaw plus a few other things I can't remember right now.

Anyway, it seems like the references you provided, pretty much cover the most common vulnerabilities of WSDL's. Haven't encountered any interesting bugs with WSDL's so far, even though it may just be me, but XML responses are boring compared to a website with developer comments, javascript containing sometimes bad functionality, or insecure scripts or backdoors.

The nice thing about both SoapUI and Burp is that they both support certificate based authentication, which is required by some WSDL's.


PS: Sent you a PM ;D
I'm an InterN0T'er
<<

Jamie.R

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Mon Oct 01, 2012 5:38 am

Re: WSDL - Reminder that not all hacks need to be 'hard'

Thanks for the write up. I think its really good that you point you sometimes it the most simple methods in order to own something. I think a lot newbi to security sometimes miss the simple things and being aware of them separates the newbi from the pro.

I have not really done a lot on WSDL so this has opened my eyes to whats possible.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Oct 01, 2012 6:29 am

Re: WSDL - Reminder that not all hacks need to be 'hard'

MaXe wrote:Anyway, it seems like the references you provided, pretty much cover the most common vulnerabilities of WSDL's. Haven't encountered any interesting bugs with WSDL's so far, even though it may just be me, but XML responses are boring compared to a website with developer comments, javascript containing sometimes bad functionality, or insecure scripts or backdoors.


While not a "bug," there may be additional functionality that could be abused. On one of my recent assessments, I found that they allowed entire SQL queries to be submitted in this manner. What!?

And yes, nice write-up, H.
The day you stop learning is the day you start becoming obsolete.
<<

rance

User avatar

Full Member
Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Tue Oct 02, 2012 11:04 am

Re: WSDL - Reminder that not all hacks need to be 'hard'

tturner wrote:That's awesome Hayabusa. I voraciously consume anything I can on web services. They are so prevalent and so shite half the time. Even great courses like SANS that list web services in the syllabus only spend 15 minutes or so on the topic. I was hoping the Mobile Pentest course (SEC575) I took in August would dig into it a bit but it really didnt. Lame. I'm still working up a review for that course btw. Looking forward to the dialogue on this topic. There's such a lacking of tools here for this stuff.


I was kind of looking to SANS Sec 642 to get more in depth with web services, but the syllabus looks pretty lean for that topic still. :(
Poking at security since 1986.  +++ATH
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Oct 02, 2012 11:36 am

Re: WSDL - Reminder that not all hacks need to be 'hard'

Yeah.  In all honesty, I'd LOVE to find some GOOD training on webapps, all around, since, as everyone is noting, there is a lack in quite a few areas.  WSDL is one of many web-related areas that I find lacking in any training offerings I've seen, or managed to attend.

SANS' courses are great, but I've heard a lot of people say the 542 wasn't as in-depth as they'd like, so I'm cautiously optimistic for 642.  I know Kevin Johnson is da' man, and I'd love to get a chance to take 542 and 642 from him, if for no other reason than to pick his brain on some things (while, I'm sure, still learning a ton!), but affordability, in my situation, isn't there.

So I'm open to any suggestions anyone has.  I'm also currently waiting to see what Joe McCray is putting together, for his updated web app pentesting course, and watching some others, too.  Time will tell.  (But I'm eager to find good web app stuff, while still being less than optimistic, at times...)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Oct 03, 2012 4:39 am

Re: WSDL - Reminder that not all hacks need to be 'hard'

I think WAHHv2 + MDSec labs is still the best resource IMO. Hacking Exposed Web Applications v3 is a decent supplement though. It doesn't go as in-depth on everything, but if I remember correctly, things like web services and Flash get a bit more love in that book.

eLearn has decent web content, but it doesn't get that advanced. Rumor has it that the new OffSec course will be available around the end of the year, and I'm eagerly anticipating that. They may not "teach" you everything, but you'll probably know it well once you go through the labs ;D

I think the SANS material needs to appeal to a broader audience in order to be commercially successful. I'm not sure if we'll ever see an OffSec-level of insanity from them. However, I haven't had any personal experience with the advanced courses either, so those may indeed be a cut-above.
The day you stop learning is the day you start becoming obsolete.

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 2 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software