SOAP/JAX-WS ThreadLocal Authentication Bypass

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

TL;DR

  • Some middleware chains store the authenticated Subject/Principal in a static ThreadLocal and only refresh it when a proprietary SOAP header arrives.
  • Because WebLogic/JBoss/GlassFish reuse worker threads, omitting that header causes the last privileged Subject pinned to the thread to be reused without raising any alert.
  • Hit the vulnerable endpoint with well-formed SOAP bodies that carry no header until a reused thread hands you the stolen administrator context.

Root Cause

Handlers similar to the following only overwrite the thread-local identity when the custom header is present, so the previous request’s context survives:

```java
public boolean handleMessage(SOAPMessageContext ctx) {
    // JAX-WS signals direction through the message context; the original fragment
    // referenced an undeclared `outbound` variable.
    boolean outbound = Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY));
    if (!outbound) {
        SOAPHeader hdr = ctx.getMessage().getSOAPPart().getEnvelope().getHeader();
        SOAPHeaderElement e = findHeader(hdr, subjectName);
        if (e != null) {
            // The ThreadLocal is only overwritten when the header is present; there is
            // no else-branch or close() that clears it, so the previous request's
            // Subject stays attached to the pooled worker thread.
            SubjectHolder.setSubject(unmarshal(e));
        }
    }
    return true;
}
```
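For contrast, a hardened version of the same handler, written here as an added example rather than code from the page or any vendor: the header QName, the simplified String-valued SubjectHolder and the ProtocolException-based failure are assumptions, but the three fixes (clear before reading, fail closed on a missing header, clear again in close()) are what removes the thread-reuse leak.

```java
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.ProtocolException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

public class SubjectHandler implements SOAPHandler<SOAPMessageContext> {
    // Assumed header QName; the real one comes from the target's handler chain config.
    private static final QName SUBJECT_HEADER = new QName("urn:example:auth", "Subject");

    // Simplified stand-in for the page's SubjectHolder: one ThreadLocal per worker thread.
    static final class SubjectHolder {
        private static final ThreadLocal<String> SUBJECT = new ThreadLocal<>();
        static void setSubject(String s) { SUBJECT.set(s); }
        static String getSubject() { return SUBJECT.get(); }
        static void clear() { SUBJECT.remove(); }
    }

    @Override public Set<QName> getHeaders() { return Collections.singleton(SUBJECT_HEADER); }

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) return true;
        SubjectHolder.clear(); // fix 1: never start a request with an inherited identity
        try {
            SOAPHeader hdr = ctx.getMessage().getSOAPPart().getEnvelope().getHeader();
            Iterator<?> it = (hdr == null) ? null : hdr.getChildElements(SUBJECT_HEADER);
            if (it == null || !it.hasNext()) {
                // fix 2: a missing header is an authentication failure, not "keep the old Subject"
                throw new ProtocolException("missing authentication header");
            }
            SubjectHolder.setSubject(((SOAPElement) it.next()).getValue());
        } catch (SOAPException ex) {
            throw new ProtocolException("malformed SOAP header", ex);
        }
        return true;
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }

    @Override
    public void close(MessageContext ctx) {
        SubjectHolder.clear(); // fix 3: wipe the thread-local at the end of every exchange, faults included
    }
}
```

The close() callback runs after both normal responses and faults, so the ThreadLocal never outlives the exchange that populated it even if a later handler or the endpoint throws.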

Recon

  1. Enumerate reverse proxy / routing rules to identify hidden SOAP trees that may block ?wsdl but still accept POSTs (map them alongside the flow in 80,443 - Pentesting Web Methodology).
  2. Unpack the EAR/WAR/EJB artifacts (unzip *.ear) and inspect application.xml, web.xml, @WebService annotations, and handler chains (e.g., LoginHandlerChain.xml) to discover the handler class, the SOAP header QName, and the backing EJB names.
  3. If that metadata is missing, brute-force likely ServiceName?wsdl paths or temporarily route through lab proxies, then load any WSDL you find into a tool such as Burp Suite Wsdler to generate baseline envelopes.
  4. Review the handler sources for ThreadLocal keepers (e.g., SubjectHolder.setSubject()) that are never cleared when the authentication header is absent or malformed.

Exploitation

  1. Send a valid request with the proprietary header to learn the normal response codes and the errors returned for invalid tokens.
  2. Resend the same SOAP body while omitting the header. Make sure the XML is well-formed and respects the required namespaces so the handler exits cleanly.
  3. Repeat that request; when it lands on a thread that previously executed a privileged action, the reused Subject exposes the affected operations such as the user or credential managers.

```http
POST /ac-iasp-backend-jaxws/UserManager HTTP/1.1
Host: target
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:jax="http://jaxws.user.frontend.iasp.service.actividentity.com">
  <soapenv:Header/>
  <soapenv:Body>
    <jax:findUserIds>
      <arg0></arg0>
      <arg1>spl*</arg1>
    </jax:findUserIds>
  </soapenv:Body>
</soapenv:Envelope>
```

Confirming the Bug

  • Attach JDWP (-agentlib:jdwp=transport=dt_socket,server=y,address=5005,suspend=n) or similar debugging hooks to inspect the ThreadLocal contents before and after each call, confirming that the unauthenticated request inherited the previous administrator's Subject.
