Output Encoding



By: vandepitte

October 19, 2010 12:33 pm


Hi folks,

This is my first contribution to the Novell community. Hope you like it!

My first ever experience with Novell IDM was the installation of the Delimited Text Driver about 9 months ago (IdM 3.6.1). After taking a glimpse at the policies, something got my attention. In fact something didn’t get my attention because it was missing: output encoding. I never reported this as a bug to the Novell developers team since one could argue this is not a bug but an insecure default configuration, a violation of one of the basic security principles: establish secure defaults (see http://www.owasp.org/index.php/Category:Principle)…

Let’s get into the details…

Consider the following standard (somewhat simplified) Delimited Text Driver XSLT Output Policy:

<?xml version="1.0" encoding="UTF-8"?><xsl:stylesheet version="1.0" xmlns:cmd="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsCommandProcessor" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
	<xsl:param name="srcCommandProcessor"/>
	<!-- change the following line to change the delimiter from a comma to any other desired delimiter -->
	<xsl:variable name="delimiter" select="','"/>
	<xsl:template match="nds[input]">
		<!-- only look at <add> events and <instances> apply a template for each add transaction-->
		<xsl:apply-templates select="//add|//instance"/>
	</xsl:template>
	<xsl:template match="nds[output]">
		<xsl:copy-of select="."/>
	</xsl:template>
	<!-- now here's the template -->
	<xsl:template match="input/add|input/instance">
		<!-- output the fields in order -->
		<xsl:call-template name="output-field">
			<xsl:with-param name="field-value" select="*[(@attr-name = 'uid')][1]/value[1]"/>
		</xsl:call-template>
		<xsl:value-of select="$delimiter"/>
		<xsl:call-template name="output-field">
			<xsl:with-param name="field-value" select="*[(@attr-name = 'name')][1]/value[1]"/>
		</xsl:call-template>
		<xsl:value-of select="$delimiter"/>
		<xsl:call-template name="output-field">
			<xsl:with-param name="field-value" select="*[(@attr-name = 'role')][1]/value[1]"/>
		</xsl:call-template>
		<!-- finish the record with a newline -->
		<!-- uncomment next line to have DOS style end of line (0D0A), otherwise just 0A -->
		<!-- <xsl:value-of select="'&#13;&#10;'"/> -->
		<xsl:value-of select="'&#10;'"/>
	</xsl:template>
	<xsl:template name="output-field">
		<xsl:param name="field-value"/>
		<xsl:text>"</xsl:text>
		<xsl:value-of select="$field-value"/>
		<xsl:text>"</xsl:text>
	</xsl:template>
</xsl:stylesheet>

This generates a CSV file with the fields uid, name and role (in that order) delimited with a comma and enclosed in double quotes.

Take a look at the following command (e.g. the result of an event in eDirectory):

<?xml version="1.0" encoding="UTF-8"?><nds dtdversion="3.5" ndsversion="8.x">
	<source>
		<product version="?.?.?.?">DirXML</product>
		<contact>Novell, Inc.</contact>
	</source>
	<input>
		<instance class-name="User">
			<attr attr-name="uid">
				<value type="string">user01</value>
			</attr>
			<attr attr-name="name">
				<value type="string">User name</value>
			</attr>
			<attr attr-name="role">
				<value type="string">none</value>
			</attr>
		</instance>
	</input>
</nds>

The output stylesheet generates:

"user01","User name","none"

Now let’s suppose there’s a user interface / driver without input validation or input sanitization, so an evil guy could insert the following string into the name attribute of some user (preferably himself) in eDirectory:

User name","ADMIN"<CRLF>"admin","Administrator Name

This generates the following event:

<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.6.10.4747">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <instance class-name="User">
      <attr attr-name="uid">
        <value type="string">user01</value>
      </attr>
      <attr attr-name="name">
        <value type="string">User name","ADMIN"
"admin","Administrator Name</value>
      </attr>
      <attr attr-name="role">
        <value type="string">none</value>
      </attr>
    </instance>
  </input>
</nds>

… which in turn is transformed to the following output:

"user01","User name","ADMIN"
"admin","Administrator Name","none"

Great! user01 is now ADMIN, and moreover the administrator has role 'none'! Even without a newline character an attack is possible (but more visible). Take a closer look at this event: an attacker manages to insert 'User name","ADMIN' as his name.

<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.6.10.4747">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <instance class-name="User">
      <attr attr-name="uid">
        <value type="string">user01</value>
      </attr>
      <attr attr-name="name">
        <value type="string">User name","ADMIN</value>
      </attr>
      <attr attr-name="role">
        <value type="string">none</value>
      </attr>
    </instance>
  </input>
</nds>

This results in:

"user01","User name","ADMIN","none"

The stylesheet now generates a CSV record with too many fields, but I’m pretty sure very few consuming apps will complain about that: they will just stop processing after the expected number of fields.

Here’s the remediation: output encoding in the output-field template. The XSLT output transformation now looks like this:

<?xml version="1.0" encoding="UTF-8"?><xsl:stylesheet version="2.0" xmlns:cmd="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsCommandProcessor" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:strip-space elements="*" />
	<xsl:param name="srcCommandProcessor"/>
	<!-- change the following line to change the delimiter from a comma to any other desired delimiter -->
	<xsl:variable name="delimiter" select="','"/>
	<xsl:template match="nds[input]">
		<!-- only look at <add> events and <instances> apply a template for each add transaction-->
		<xsl:apply-templates select="//add|//instance"/>
	</xsl:template>
	<xsl:template match="nds[output]">
		<xsl:copy-of select="."/>
	</xsl:template>
	<!-- now here's the template -->
	<xsl:template match="input/add|input/instance">
		<!-- output the fields in order -->
		<xsl:call-template name="output-field">
			<xsl:with-param name="field-value" select="*[(@attr-name = 'uid')][1]/value[1]"/>
		</xsl:call-template>
		<xsl:value-of select="$delimiter"/>
		<xsl:call-template name="output-field">
			<xsl:with-param name="field-value" select="*[(@attr-name = 'name')][1]/value[1]"/>
		</xsl:call-template>
		<xsl:value-of select="$delimiter"/>
		<xsl:call-template name="output-field">
			<xsl:with-param name="field-value" select="*[(@attr-name = 'role')][1]/value[1]"/>
		</xsl:call-template>
		<!-- finish the record with a newline -->
		<!-- uncomment next line to have DOS style end of line (0D0A), otherwise just 0A -->
		<!-- <xsl:value-of select="'&#13;&#10;'"/> -->
		<xsl:value-of select="'&#10;'"/>
	</xsl:template>
	
	<xsl:template name="output-field">
		<xsl:param name="field-value"/>
		<xsl:text>"</xsl:text>
		<!-- first strip line feeds from the value, then double every embedded double quote -->
		<xsl:call-template name="string-replace-all">
			<xsl:with-param name="text">
				<xsl:call-template name="string-replace-all">
					<xsl:with-param name="text" select="$field-value"/>
					<xsl:with-param name="replace" select="'&#10;'"/>
					<xsl:with-param name="by" select="''"/>
				</xsl:call-template>
			</xsl:with-param>
			<xsl:with-param name="replace" select="'&quot;'"/>
			<xsl:with-param name="by" select="'&quot;&quot;'"/>
		</xsl:call-template>
		<xsl:text>"</xsl:text>
	</xsl:template>
	<!-- from http://geekswithblogs.net/Erik/archive/2008/04/01/120915.aspx -->
 <xsl:template name="string-replace-all">
    <xsl:param name="text" />
    <xsl:param name="replace" />
    <xsl:param name="by" />
    <xsl:choose>
      <xsl:when test="contains($text, $replace)">
        <xsl:value-of select="substring-before($text,$replace)" />
        <xsl:value-of select="$by" />
        <xsl:call-template name="string-replace-all">
          <xsl:with-param name="text"
          select="substring-after($text,$replace)" />
          <xsl:with-param name="replace" select="$replace" />
          <xsl:with-param name="by" select="$by" />
        </xsl:call-template>
      </xsl:when>
      <xsl:otherwise>
        <xsl:value-of select="$text" />
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>	
</xsl:stylesheet>

The output-field template escapes all double quotes (escape character: double quote) and replaces all newline characters (line feed, 0x0A) with empty strings. Note that only the line feed is removed; a carriage return would stay inside the field, but since the field is now correctly quoted it can no longer start a new record.
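The same two renderings in Python, as an added example that is not part of the original article: it extracts uid, name and role from a constructed event modelled on the malicious one above, builds the record with the naive quoting and with the remediated encoding, and parses both back with the standard csv module so the difference in resulting records is visible.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample event, modelled on the malicious <instance> in the article:
# the name attribute carries a quote, a delimiter and a line break.
EVENT_XML = """<nds dtdversion="3.5" ndsversion="8.x">
  <input>
    <instance class-name="User">
      <attr attr-name="uid"><value type="string">user01</value></attr>
      <attr attr-name="name"><value type="string">User name","ADMIN"
"admin","Administrator Name</value></attr>
      <attr attr-name="role"><value type="string">none</value></attr>
    </instance>
  </input>
</nds>"""

FIELDS = ("uid", "name", "role")


def attr_values(instance):
    """First value of each field, mirroring the XPath *[@attr-name=...][1]/value[1]."""
    out = []
    for name in FIELDS:
        node = instance.find(f"attr[@attr-name='{name}']/value")
        out.append(node.text if node is not None and node.text else "")
    return out


def naive_field(value):
    # What the original output-field template does: quote, no escaping.
    return '"' + value + '"'


def encoded_field(value):
    # What the remediated template does: strip LF, double every quote, then quote.
    return '"' + value.replace("\n", "").replace('"', '""') + '"'


def render(xml_text, field_fn, delimiter=","):
    """Build the CSV text for every <instance> in the event, one record per line."""
    root = ET.fromstring(xml_text)
    lines = []
    for inst in root.iterfind("input/instance"):
        lines.append(delimiter.join(field_fn(v) for v in attr_values(inst)))
    return "\n".join(lines) + "\n"


def parse_records(csv_text):
    """Parse the output the way a consuming application would (doubled-quote escaping)."""
    return list(csv.reader(io.StringIO(csv_text)))
```

With the naive renderer the single instance parses back as two records, the second one granting 'none' to 'admin'; with the encoded renderer it stays one record of three fields.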

Conclusion: as a Driver developer, policy writer, … please take a look at the OWASP project. Many principles from the webapps domain are applicable to our domain too!

Good luck!

Pieter


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
