How the CVE Works:
The vulnerability lies in the HTTPRedirect binding of SimpleSAMLphp, specifically in versions prior to v5. The issue is a signature confusion attack: the application verifies the signature of a `SAMLResponse` while processing the contents of a `SAMLRequest`. The `data` parameter is used for signature verification, but the code iterates through the query parameters and overrides `sigQuery` with the last occurrence of either `SAMLRequest` or `SAMLResponse`. This allows an attacker to append a malicious `SAMLRequest` before a signed `SAMLResponse`. The application verifies the signature of the `SAMLResponse` but processes the contents of the `SAMLRequest`, leading to unauthorized actions such as impersonation. This flaw is particularly critical in environments using Microsoft Azure AD/Entra, where signed LogoutResponse messages can be exploited.
DailyCVE Form:
Platform: SimpleSAMLphp
Version: v4
Vulnerability: Signature Confusion
Severity: Critical
Date: 2023-XX-XX
What Undercode Say:
Exploitation:
1. Extract Signed SAMLResponse: Capture a signed SAMLResponse from an IdP (e.g., Azure AD/Entra).
2. Craft Malicious SAMLRequest: Append a malicious `SAMLRequest` before the signed `SAMLResponse`.
3. Send Payload: Deliver the crafted payload to the target application.
4. Bypass Verification: The application verifies the `SAMLResponse` signature but processes the `SAMLRequest`.
Example Exploit Code:
```python
import requests

# Crafted payload: an unsigned SAMLRequest placed ahead of an IdP-signed SAMLResponse
payload = {
    "SAMLRequest": "unverifieddata",
    "SAMLResponse": "idpsigned",
    "RelayState": "...",
    "SigAlg": "...",
    "Signature": "...",
}

# Send payload to target
response = requests.get("https://target.com/saml-endpoint", params=payload)
print(response.status_code)
```
Protection:
- Upgrade to v5: SimpleSAMLphp v5 fixes this issue by ensuring the signed query is built from the same message that is processed.
- Input Validation: Implement strict validation to ensure `SAMLRequest` contains valid data.
- Signature Verification: Verify both `SAMLRequest` and `SAMLResponse` independently.
Example Mitigation Code:
```php
<?php
// Verify whichever SAML message is present against the Signature parameter,
// checking SAMLRequest and SAMLResponse independently.
if (isset($_GET['SAMLRequest'], $_GET['Signature'])) {
    verifySignature($_GET['SAMLRequest'], $_GET['Signature']);
}
if (isset($_GET['SAMLResponse'], $_GET['Signature'])) {
    verifySignature($_GET['SAMLResponse'], $_GET['Signature']);
}

function verifySignature($data, $signature)
{
    // Implement signature verification logic
}
```
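To make the mechanism described under "How the CVE Works" and the v5 fix (build the signed query from the message that is actually processed) concrete, the following Python illustration is added here; it is not SimpleSAMLphp code or code from the post. It mirrors the flawed parameter loop, in which `sigQuery` is overwritten by the last `SAMLRequest`/`SAMLResponse` while a separate lookup picks the message to process, next to a hardened parser that refuses mixed or duplicated message parameters and rebuilds the signed string from the one parameter it will process. A toy HMAC-SHA256 stands in for the IdP's RSA signature so the example runs offline; the key, XML fragments, RelayState URL and `SigAlg` value are constructed for the demonstration.

```python
# Added illustration (not SimpleSAMLphp code): flawed vs. hardened HTTPRedirect
# query parsing. A toy HMAC-SHA256 stands in for the IdP's RSA signature so the
# example runs offline; the parsing defect and its fix are algorithm-independent.
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

TOY_IDP_KEY = b"constructed-demo-key"  # constructed stand-in for the IdP signing key

def toy_sign(signed_query: str) -> str:
    """Stand-in for the IdP signing 'SAMLResponse=...&RelayState=...&SigAlg=...'."""
    return hmac.new(TOY_IDP_KEY, signed_query.encode(), hashlib.sha256).hexdigest()

def _raw_pairs(query: str):
    """(name, raw_value) in wire order; values stay URL-encoded because the
    redirect-binding signature covers the encoded form."""
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote(name), value

def parse_vulnerable(query: str) -> dict:
    """The flawed pattern: sigQuery takes the LAST SAMLRequest/SAMLResponse seen,
    but the message to process is chosen by a separate lookup that prefers
    SAMLRequest, so the verified bytes and the processed bytes can differ."""
    params, sig_query, relay_state, sig_alg = {}, "", "", ""
    for name, value in _raw_pairs(query):
        params[name] = value
        if name in ("SAMLRequest", "SAMLResponse"):
            sig_query = f"{name}={value}"  # overwritten on every occurrence
        elif name == "RelayState":
            relay_state = f"&RelayState={value}"
        elif name == "SigAlg":
            sig_alg = f"&SigAlg={value}"
    msg_type = "SAMLRequest" if "SAMLRequest" in params else "SAMLResponse"
    if msg_type not in params:
        raise ValueError("no SAML message in query")
    return {"type": msg_type, "message": params[msg_type],
            "signed_query": sig_query + relay_state + sig_alg,
            "signature": params.get("Signature", "")}

def parse_hardened(query: str) -> dict:
    """The fix: reject duplicates and mixed Request/Response, and rebuild the
    signed string from the exact parameter whose content will be processed."""
    params = {}
    for name, value in _raw_pairs(query):
        if name in params:
            raise ValueError(f"duplicate parameter {name!r}")
        params[name] = value
    present = [k for k in ("SAMLRequest", "SAMLResponse") if k in params]
    if len(present) != 1:
        raise ValueError("exactly one of SAMLRequest or SAMLResponse is required")
    msg_type = present[0]
    signed_query = f"{msg_type}={params[msg_type]}"
    for extra in ("RelayState", "SigAlg"):
        if extra in params:
            signed_query += f"&{extra}={params[extra]}"
    return {"type": msg_type, "message": params[msg_type],
            "signed_query": signed_query, "signature": params.get("Signature", "")}

def receive(parser, query: str) -> tuple:
    """SP-side receive: parse, verify, and return (type, XML) of what gets processed."""
    msg = parser(query)
    if not hmac.compare_digest(toy_sign(msg["signed_query"]), msg["signature"]):
        raise ValueError("bad signature")
    return msg["type"], base64.b64decode(unquote(msg["message"])).decode()

def _b64q(xml: str) -> str:
    return quote(base64.b64encode(xml.encode()).decode(), safe="")

# Constructed sample traffic: a legitimately signed LogoutResponse from the IdP...
LEGIT_QUERY = ("SAMLResponse=" + _b64q("<LogoutResponse id='constructed'/>")
               + "&RelayState=" + quote("https://sp.example/after-logout", safe="")
               + "&SigAlg=" + quote("toy-hmac-sha256", safe=""))
LEGIT_QUERY += "&Signature=" + toy_sign(LEGIT_QUERY)
# ...and the same signed query with an unsigned SAMLRequest placed in front of it.
CONFUSED_QUERY = "SAMLRequest=" + _b64q("<LogoutRequest id='unsigned'/>") + "&" + LEGIT_QUERY

def demo() -> dict:
    """Run both parsers over both queries; (parser, query) -> outcome."""
    out = {}
    for label, parser in (("vulnerable", parse_vulnerable), ("hardened", parse_hardened)):
        for qlabel, q in (("legit", LEGIT_QUERY), ("confused", CONFUSED_QUERY)):
            try:
                out[(label, qlabel)] = receive(parser, q)
            except ValueError as e:
                out[(label, qlabel)] = ("rejected", str(e))
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Running `demo()` shows the two parsers agreeing on the legitimate query but diverging on the confused one: the vulnerable path accepts the IdP's signature and hands the unsigned `LogoutRequest` to the application, while the hardened path rejects the query before any signature check because both message parameters are present. The design point is that the bytes covered by the signature and the bytes handed to the application must be derived from the same parameter in one place; a second independent lookup is where the confusion enters.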
Analytics:
- Affected Systems: SimpleSAMLphp v4 installations using HTTPRedirect binding.
- Attack Vector: Remote, unauthenticated.
- Impact: Full impersonation and unauthorized access.
- Mitigation Difficulty: Low (upgrade to v5).
Commands:
1. Check Version:
php -r "include 'simplesamlphp/lib/SimpleSAML/Configuration.php'; echo SimpleSAML_Configuration::getVersion();"
2. Upgrade to v5:
composer require simplesamlphp/simplesamlphp:^5.0
3. Audit Logs:
grep "SAMLRequest" /var/log/simplesamlphp.log
This CVE highlights the importance of proper signature verification and input validation in SAML implementations.
References:
Reported By: https://github.com/advisories/GHSA-46r4-f8gj-xg56
Extra Source Hub:
Undercode