Researchers have published a method that chains an XML round-trip attack with namespace confusion in the ruby-saml library to gain unauthenticated admin access on GitLab Enterprise.
The research was initially sparked by a post written by Juho Forsén, shedding light on an XML round-trip vulnerability. The exploration delved into the intricacies of SAML, revealing more than anticipated. Despite facing a hiccup in presenting the findings at Black Hat due to a research collision with Alexander Tan, the significance of the discoveries warranted sharing the insights.
SAML libraries commonly parse an XML document, store it as a string, and re-parse it, sometimes with two different parsers: in the case of Ruby-SAML, REXML is used for parsing and signature validation and Nokogiri for attribute access. The signature is therefore verified over one parser's view of the document while the identity is read from another's, so parsing and serializing the document consistently is crucial for secure authorization: any structural change introduced between the two views is exactly what a round-trip attack exploits.
The vulnerability lay in mutations of the document’s structure during parsing, which allowed signature verification to be bypassed and another user’s identity to be assumed. The researchers showed that manipulating XML comments and CDATA sections was enough to trigger these mutations.
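The defensive counterpart of the problem described above is a consistency check: before an assertion is trusted, the same bytes are parsed by two independent parsers and round-tripped through serialization, and the resulting trees are compared on a normalized structure (namespace, local name, direct text, attributes, children). The example below is added here and is not PortSwigger's, GitLab's or ruby-saml's code; it uses Python's ElementTree and minidom as stand-ins for REXML and Nokogiri, and the assertion documents are constructed samples. It also flags the constructs the article names as attack surface (DOCTYPE, comments, CDATA), none of which a legitimate identity-provider assertion needs.

```python
"""Consistency audit for a SAML assertion before it is trusted (added example)."""
import xml.etree.ElementTree as ET
from xml.dom import minidom
from xml.dom.minidom import Node

XMLNS_URI = "http://www.w3.org/2000/xmlns/"


def _split_tag(tag):
    """ElementTree spells '{uri}local'; return (uri, local) with uri='' if absent."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def shape_from_etree(elem):
    """Normalized (ns, local, direct text, attrs, children) for an ElementTree element."""
    ns, local = _split_tag(elem.tag)
    # direct text = text before the first child plus the tail of every child
    text = (elem.text or "") + "".join(child.tail or "" for child in elem)
    attrs = tuple(sorted((_split_tag(k), v) for k, v in elem.attrib.items()))
    return (ns, local, text.strip(), attrs, tuple(shape_from_etree(c) for c in elem))


def shape_from_minidom(node, flags):
    """Same normalized shape for a minidom element; records comment/CDATA sightings in flags."""
    text_parts, children = [], []
    for child in node.childNodes:
        if child.nodeType == Node.TEXT_NODE:
            text_parts.append(child.data)
        elif child.nodeType == Node.CDATA_SECTION_NODE:
            flags.add("cdata")
            text_parts.append(child.data)
        elif child.nodeType == Node.COMMENT_NODE:
            flags.add("comment")
        elif child.nodeType == Node.ELEMENT_NODE:
            children.append(shape_from_minidom(child, flags))
    attrs = sorted(
        ((attr.namespaceURI or "", attr.localName), attr.value)
        for attr in node.attributes.values()
        if attr.namespaceURI != XMLNS_URI  # xmlns declarations are not attributes in ElementTree
    )
    return (node.namespaceURI or "", node.localName, "".join(text_parts).strip(),
            tuple(attrs), tuple(children))


def shape_of(data):
    """Normalized shape of a document as ElementTree sees it."""
    return shape_from_etree(ET.fromstring(data))


def audit_assertion(data):
    """Return a list of findings; an empty list means the document passed every check."""
    findings = []
    if b"<!DOCTYPE" in data:
        # A DOCTYPE (and with it any SYSTEM identifier) is never needed in an assertion.
        findings.append("doctype")
        return findings
    flags = set()
    et_shape = shape_of(data)
    dom_shape = shape_from_minidom(minidom.parseString(data).documentElement, flags)
    findings.extend(sorted(flags))
    if et_shape != dom_shape:
        findings.append("parser-disagreement")
    # Round trip: serialize and parse again; the structure must come back unchanged.
    if shape_of(ET.tostring(ET.fromstring(data))) != et_shape:
        findings.append("round-trip-changed-structure")
    return findings


# Constructed sample assertions (not real IdP output).
SAMPLE_CLEAN = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_WITH_COMMENT = SAMPLE_CLEAN.replace(b"alice@example.com", b"alice<!-- note -->@example.com")
SAMPLE_WITH_CDATA = SAMPLE_CLEAN.replace(b">user<", b"><![CDATA[user]]><")
SAMPLE_WITH_DOCTYPE = b'<!DOCTYPE saml:Assertion SYSTEM "assertion.dtd">\n' + SAMPLE_CLEAN

if __name__ == "__main__":
    for name, doc in [("clean", SAMPLE_CLEAN), ("comment", SAMPLE_WITH_COMMENT),
                      ("cdata", SAMPLE_WITH_CDATA), ("doctype", SAMPLE_WITH_DOCTYPE)]:
        print(f"{name}: {audit_assertion(doc) or 'ok'}")
```

Both standard-library parsers are built on expat, so the parser-disagreement branch will not fire on these samples; the value of the check is the structural comparison itself, which is what one would apply across REXML and Nokogiri, and the policy of rejecting DOCTYPE, comments and CDATA outright rather than trying to normalize them.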
Further investigation found that mutations could also be introduced through the SYSTEM identifier of the document during parsing, again allowing a different user’s identity to be assumed. A refined attack vector streamlined this process, letting an attacker log in as any user, and this was then escalated to unauthenticated administrator access on GitLab.
GitLab relies on the Ruby-SAML library for SAML authentication, where the validation process plays a critical role in the attack. By exploiting discrepancies between XML parsers and bypassing signature validation processes, attackers could forge assertions and manipulate certificates for full account takeovers without needing organizational credentials.
The research also uncovered challenges in forging valid signed XML documents due to XML schema validation using predefined schema files. However, the introduction of the namespace confusion attack provided a workaround to achieve unauthenticated access to applications using Ruby-SAML, such as GitLab.
By combining the namespace confusion with the round-trip attack, and relying on the discrepancies between the parsers and on how REXML handles XML marshalling and unmarshalling, attackers could bypass signature validation and gain unauthenticated access to GitLab.
The findings highlight the importance of consistency in XML parsing and the potential vulnerabilities arising from discrepancies in handling document validation. The key takeaways emphasize the need for robust security measures to mitigate such attacks, with GitLab addressing these vulnerabilities in recent updates.
To stay updated on the latest research and security insights, make sure to follow the official PortSwigger channels and join the PortSwigger Discord community.