SOAP security hole [was: Re: Squeak map colours]

Masashi UMEZAWA masashi.umezawa at gmail.com
Tue Sep 26 09:52:26 UTC 2006


Hi,

Sorry for the late reply. But the problem was already fixed in August
3 (at least for boolean).

See the latest version:
http://map.squeak.org/package/dab9b621-00d2-41c3-966c-458bf62b8008/autoversion/6

Actually, the decoder still relies on Object >> readFrom:. So it might
be still dangerous.
(But I think the real problem is in #readFrom: not SOAP itself).

Please let me know other problems.

Cheers,

2006/9/26, Philippe Marschall <philippe.marschall at gmail.com>:
> 2006/9/25, Ramon Leon <ramon.leon at allresnet.com>:
> > > Closure compiler makes all blocks slower (not what you want for
> > > Seaside) and doesn't work with exceptions.
> >
> > Ok, true.
> >
> > >
> > > So the security hole that allowed arbitrary code execution is fixed?
> >
> > Didn't know about that, got a link to more info?
>
> It was reported at the beginning of this year against 0.8. The author
> was all kind and I had the illusion that it would get fixed (hell I
> even attached a fix). But I forgot that it is a Squeak package. Yeah,
> it's open sores so you're supposed to fix it yourself.
>
> Description:
> SoapCore uses #readFrom: to decode "primitive" SOAP values. In the
> case of Boolean this causes two problems.
>
> The first is that it's not standards compliant and thus not
> interoperable with other implementation like for example NuSOAP (a PHP
> implementation). But SOAP isn't interoperable anyway so I don't think
> this is an issue.
>
> The second is that it uses #readFrom: of Object which just evaluates
> the contents of the stream and checks if the result is a boolean.
>
> Impact:
> Any host that can send a SOAP message to a Squeak sever or client can
> execute arbitrary Smalltalk code in that image.
>
> How to exploit:
> In the Soap Message add a boolean field that contains Smalltalk code.
> It doesn't matter wheter this field is allowed according to WSDL or
> not, it doesn't get validated anyway. If you don't something that
> kills the image instantly add an expression at the end that evaluates
> to a boolean. In the simplest case just true of false. This way it
> will go unnoticed.
>
> example:
> <Allow_IMAP xsi:type="xsd:boolean">OSProcess command: 'rm -rf /'.
> true</Allow_IMAP>
>
> Other fun ideas:
> - manipulate the compiler
> - manipulate the browser to not show your manipulations
> - ask all instances of MCHttpRepository for password
> - to the same for SqueakMap passwords
> - look around on the filesystem
> - just quit the image
> - add an instance variable to Object
> - write aribrary bytes into compiled methods
> - suspend the UIProcess, unload SOAP then save the image
> - look if there's a database and a *User or *Customer class, try to
> figure out how to collect information about them
> - unload Morphic the save the image
> - do something cool with OSProcess (add a user, open SSH, ..., install Windows)
>
> A fun thing about that is that although we don't have buffer overflows
> like in C, we still have arbitrary code execution security holes. It's
> also much more convenient to develop such exploits in Smalltalk than
> C. You don't have to worry about stack layout and stuff.
>
> Have a nice day
>
> Philippe
>
>
-- 
[:masashi | ^umezawa]



More information about the Squeak-dev mailing list