SAML Authorization Bypass

    A critical vulnerability has been discovered in SAML (Security Assertion Markup Language) implementations that can be used to bypass authorization. It affects several SSO providers and a number of libraries that implement SAML SSO (Single Sign-On).


    Security Assertion Markup Language (SAML) is an open XML-based standard for exchanging authentication and authorization data between parties. With SAML, a user can access many cloud applications with a single username and password. Single Sign-On (SSO) is a widely used technology that lets a user log in to a web application through a trusted "third party" (the identity provider).


    The flaw lies in how this is implemented: an attacker can place an XML comment inside the username field, and the only precondition is possession of a valid username.


    The problem is how XML comments are handled when the markup is processed. When an XML comment is placed inside the username field, the value is split at the comment. When the user name is then processed, the parser "cuts off" the part of the value after the comment and ignores it during the check:


    import xml.etree.ElementTree as et

    # A NameID whose text is split in two by an XML comment
    doc = "<NameID>test<!---->user</NameID>"
    data = et.fromstring(doc)
    print(data.text)  # ElementTree drops the comment and prints 'testuser'

    The expected value is "testuser", but an implementation that stops at this "break" returns only "test".


    As an example, an attacker with access to the account user@user.com.evil.com can modify the SAML response so that the SP reads the NameID as user@user.com:


    <Issuer>https://idp.com/</Issuer>
    <Subject>
        <NameID>user@user.com<!---->.evil.com</NameID>
    </Subject>
    <SignatureValue>some base64 data that represents the signature of the assertion</SignatureValue>

    The following implementations are affected:


    • OneLogin - python-saml - CVE-2017-11427
    • OneLogin - ruby-saml - CVE-2017-11428
    • Clever - saml2-js - CVE-2017-11429
    • OmniAuth-SAML - CVE-2017-11430
    • Shibboleth - CVE-2018-0489
    • Duo Network Gateway - CVE-2018-7340

    Note that the attack does not work against accounts protected by two-factor authentication (which, according to Google's statistics, is enabled by roughly 10% of users).


    To prevent such attacks, update the affected libraries, disable public self-registration of user accounts in sensitive environments, or stop using a canonicalization algorithm that strips comments.
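The text-node split described above and the defensive handling of it, as an added example that is not part of the original article or of any of the listed libraries. It uses the standard-library minidom parser, which keeps comments as nodes, as a stand-in for parsers that expose the first text node only; the sample NameID values are constructed from the page's scenario.

```python
import xml.dom.minidom as minidom
from xml.dom import Node

# Constructed sample inputs. The first is an ordinary NameID; the second follows
# the page's scenario: the account user@user.com.evil.com with an empty XML
# comment inserted before the suffix the account holder controls.
CLEAN_NAMEID = "<NameID>user@user.com</NameID>"
COMMENTED_NAMEID = "<NameID>user@user.com<!---->.evil.com</NameID>"


def _root(xml_text):
    return minidom.parseString(xml_text).documentElement


def naive_nameid(xml_text):
    """The vulnerable pattern: read only the first text node under <NameID>.

    minidom keeps the comment as a node, so the name is split into two text
    nodes and everything after the comment is silently lost.
    """
    return _root(xml_text).firstChild.data


def full_nameid(xml_text):
    """Concatenate every text node directly under <NameID>, skipping comments,
    so the value seen by the SP matches the value the IdP actually issued."""
    return "".join(
        child.data for child in _root(xml_text).childNodes
        if child.nodeType == Node.TEXT_NODE
    )


def hardened_nameid(xml_text):
    """Strict variant: a NameID carrying any comment node is rejected outright;
    otherwise the full text content is returned."""
    root = _root(xml_text)
    if any(child.nodeType == Node.COMMENT_NODE for child in root.childNodes):
        raise ValueError("NameID contains an XML comment; rejecting assertion")
    return full_nameid(xml_text)


if __name__ == "__main__":
    print(naive_nameid(CLEAN_NAMEID))      # user@user.com
    print(naive_nameid(COMMENTED_NAMEID))  # user@user.com  (truncated)
    print(full_nameid(COMMENTED_NAMEID))   # user@user.com.evil.com
    try:
        hardened_nameid(COMMENTED_NAMEID)
    except ValueError as exc:
        print("rejected:", exc)
```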

