SOAP/JAX-WS ThreadLocal Authentication Bypass


TL;DR

  • Some middleware chains keep the authenticated Subject/Principal in a static ThreadLocal and only refresh it when a proprietary SOAP header arrives.
  • Because WebLogic/JBoss/GlassFish reuse worker threads, dropping that header silently causes the last privileged Subject handled by the thread to be reused.
  • Send many requests to the vulnerable endpoint with well-formed but header-less SOAP bodies until a reused thread hands you a hijacked administrator context.
  • The 2025 HID ActivID/IASP case (HID-PSA-2025-002) is a real-world example: the JAX-WS handler caches a SubjectHolder ThreadLocal, letting unauthenticated SOAP calls inherit the identity set by earlier console/SSP requests.

Source

Handlers like the following only re-bind the thread-local identity when the proprietary header is present, so the previous request's context keeps living on the thread:

public boolean handleMessage(SOAPMessageContext ctx) {
    // Only the inbound (request) direction is inspected.
    boolean outbound = (Boolean) ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
    if (!outbound) {
        SOAPHeader hdr = ctx.getMessage().getSOAPPart().getEnvelope().getHeader();
        SOAPHeaderElement e = findHeader(hdr, subjectName);
        if (e != null) {
            // The Subject is bound to the current thread only when the header is present...
            SubjectHolder.setSubject(unmarshal(e));
        }
        // ...and there is no else/clear branch, so a header-less request keeps whatever
        // Subject the previous request left in this worker thread's ThreadLocal.
    }
    return true;
}

Recon

  1. Enumerate reverse proxy / routing rules to identify hidden SOAP trees that may block ?wsdl but still accept POSTs (map them alongside the flow in 80,443 - Pentesting Web Methodology).
  2. Unpack the EAR/WAR/EJB artifacts (unzip *.ear) and inspect application.xml, web.xml, @WebService annotations, and handler chains (for example, LoginHandlerChain.xml) to identify the handler class, the SOAP header QName, and the backing EJB names.
  3. If metadata is missing, brute-force likely ServiceName?wsdl paths or temporarily relax lab proxies, then load any recovered WSDL into a tool such as Burp Suite Wsdler to generate baseline envelopes.
  4. Review the handler sources for ThreadLocal keepers (e.g., SubjectHolder.setSubject()) that are not cleared when the authentication header is missing or malformed.

Exploitation

  1. Send a valid request with the proprietary header to learn the normal response codes and the errors returned for rejected tokens.
  2. Resend the same SOAP body with the header omitted. Make sure the XML is well-formed and respects the required namespaces so the handler exits quietly.
  3. Repeat the request; once it lands on a thread that previously executed a privileged action, the reused Subject unlocks protected operations such as user or credential management.

POST /ac-iasp-backend-jaxws/UserManager HTTP/1.1
Host: target
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:jax="http://jaxws.user.frontend.iasp.service.actividentity.com">
  <soapenv:Header/>
  <soapenv:Body>
    <jax:findUserIds>
      <arg0></arg0>
      <arg1>spl*</arg1>
    </jax:findUserIds>
  </soapenv:Body>
</soapenv:Envelope>

2025 HID ActivID/IASP case study (HID-PSA-2025-002)

  • Synacktiv showed that the JAX-WS LoginHandler in ActivID 8.6–8.7 sets SubjectHolder.subject when the mySubjectHeader SOAP header is present or when console/SSP traffic authenticates, but never clears it when the header is absent.
  • Every subsequent header-less SOAP call on the same worker thread inherits the cached Subject, allowing unauthenticated creation of administrator users or credential import through endpoints such as UserManager or CredentialManager.
  • Reliable exploitation pattern observed:
    1. Trigger an authenticated context on many threads (e.g., spam /ssp or log in to /aiconsole as admin in another browser tab).
    2. Hammer header-less SOAP bodies at /ac-iasp-backend-jaxws/UserManager or other EJB-backed JAX-WS endpoints with high parallelism; every hit that reuses a "tainted" thread runs with the elevated Subject.
    3. Repeat until privileged responses appear; use Keep-Alive connections and large worker pools to raise the odds of thread reuse.
  • Handler and process flow:
    • LoginHandlerChain.xml -> LoginHandler.handleMessage() unmarshals mySubjectHeader and stores the Subject in SubjectHolder (a static ThreadLocal).
    • ProcessManager.triggerProcess() later injects SubjectHolder.getSubject() into business processes, so missing headers leave stale privileged identities uncleared.
  • The in-the-wild PoC from the advisory uses a two-step SOAP technique: first getUsers to leak information, then createUser + importCredential to plant a rogue admin once a privileged thread is hit.
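To see the defect from the Source snippet and the LoginHandler flow above beside its fix, here is an added, self-contained Java simulation (not code from the advisory, HID or Synacktiv): a single reusable worker thread handles an authenticated call and then a header-less one, and the program reports which identity the second call executed as. The ThreadLocal name and the identity string "admin" are stand-ins; the hardened variant resets the slot on header-less requests and clears it in a finally block (the equivalent of doing so in Handler.close()) before the thread returns to the pool.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalSubjectLeakDemo {
    // Stand-in for the static ThreadLocal SubjectHolder the handler chain uses (name taken from the page).
    static final ThreadLocal<String> SUBJECT = new ThreadLocal<>();

    // Vulnerable pattern: the Subject is written only when the header exists and is never cleared.
    static void vulnerableHandleMessage(String subjectHeader) {
        if (subjectHeader != null) {
            SUBJECT.set(subjectHeader);
        }
    }

    // Hardened pattern: a header-less request explicitly resets the slot so it runs as nobody.
    static void hardenedHandleMessage(String subjectHeader) {
        if (subjectHeader != null) {
            SUBJECT.set(subjectHeader);
        } else {
            SUBJECT.remove();
        }
    }

    // Simulates one worker thread handling a request and returns the identity business code would see.
    // The finally block mirrors clearing the slot in Handler.close() so the thread is never pooled "tainted".
    static String runRequest(boolean hardened, String subjectHeader) {
        try {
            if (hardened) hardenedHandleMessage(subjectHeader); else vulnerableHandleMessage(subjectHeader);
            return SUBJECT.get();
        } finally {
            if (hardened) SUBJECT.remove();
        }
    }

    // Runs an authenticated request and then a header-less one on the SAME pooled thread, mirroring
    // a reused WebLogic/JBoss worker, and returns what the unauthenticated call executed as.
    static String identitySeenByUnauthenticatedCall(boolean hardened) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            worker.submit(() -> runRequest(hardened, "admin")).get();
            return worker.submit(() -> runRequest(hardened, null)).get();
        } finally {
            worker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("vulnerable handler, unauthenticated call runs as: " + identitySeenByUnauthenticatedCall(false));
        System.out.println("hardened handler, unauthenticated call runs as: " + identitySeenByUnauthenticatedCall(true));
    }
}
```

The same clear-on-every-request discipline is what a detection rule should look for in handler code: any ThreadLocal set inside handleMessage() without a matching remove() on the no-header path and in close() is the bug class this page describes.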

Validating the Bug

  • Attach JDWP (-agentlib:jdwp=transport=dt_socket,server=y,address=5005,suspend=n) or similar debugging hooks to watch the ThreadLocal contents before and after each call, confirming that an unauthenticated request inherited the previous administrator Subject.
  • On production appliances you can also inject instrumentation with JFR or BTrace to dump SubjectHolder.getSubject() for every request, confirming reuse without a header.
