Wechat Pay SDK XXE Injection Vulnerability

07/03/2018

This threat warning article was first published on the WeChat public account secfamily, the official account of the NSFOCUS Beijing Security Service and Delivery Department.

Redirect URL: https://mp.weixin.qq.com/s?__biz=MzUzNjcyMDU0Mw==&mid=2247483812&idx=1&sn=37e5bdbcd0784fcbb9b0b07e737bf65f&chksm=faf0a454cd872d423cca95ee12ff15b548f44cb29f467c71206c082acc0214ed32f44171b1ba&mpshare=1&scene=1&srcid=1229n1vePeCGdQ6SpoPRFZ0J#rd


Threat

Wechat Pay SDK XXE Injection Vulnerability

Disclosure Time

07/03/2018

Description

On July 2, 2018, Rose Jackcode disclosed the WeChat Pay SDK XXE injection vulnerability on the packetstormsecurity site. The vulnerable code is in the function that parses the XML notification which WeChat Pay sends to the merchant asynchronously after the user completes a payment. This function is part of a publicly documented API in the WeChat Pay SDK, and the merchant endpoint that receives the notification is exposed as a web service, so the attacker-controlled XML reaches the parser directly.

The vulnerability can lead to the disclosure of sensitive information on the merchant server (user orders, private user data, etc.), and even to the theft of key material (the md5-key, merchant-id, etc.), which can then be used to forge payment notification packets and bypass the payment step. The disclosure cites Momo and vivo as examples where an automated tool was used to read data through their Internet-exposed API.

Vulnerability Analysis

The source code sample for this vulnerability is downloaded from the following URL:

https://pay.weixin.qq.com/wiki/doc/api/download/WxPayAPI_JAVA_v3.zip

Vulnerable code position URI:

\java-sdk-v3\src\main\java\com\github\wxpay\sdk\WXPayUtil.java, Line 42

The README.md shows that this function is mainly used to verify the signature of the payment result notification when it is fed back to the merchant. Note that the XML must be parsed before the signature can be checked, so signature verification does not protect against this issue: the external entity is resolved during parsing, before any check runs.

File Position:

\java-sdk-v3\README.md

Vulnerability Impact

This problem still exists in the latest official version; whether older versions are affected has not yet been determined.

Temporary Fix

Reference link:

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J

Add Java hardening code that sets the following features on the DocumentBuilderFactory (here called dbf) before the parse call in the XML-to-Map function at the following position (note that setFeature throws ParserConfigurationException, which the surrounding method must declare or handle):

\java-sdk-v3\src\main\java\com\github\wxpay\sdk\WXPayUtil.java, Line42

Either set the first feature alone (disallowing DOCTYPE declarations, which is the most complete fix because no entity can be declared at all), or, if DOCTYPEs must be accepted, set all of the remaining features together; setting only one of the remaining features is not sufficient:

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE;

// Option 1 (preferred): reject any DOCTYPE, which blocks all entity-based XXE.
FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);

// Option 2 (only if DOCTYPEs must be accepted): apply all of the following together.
// Do not resolve external general entities (e.g. <!ENTITY x SYSTEM "file:///...">).
FEATURE = "http://xml.org/sax/features/external-general-entities";
dbf.setFeature(FEATURE, false);

// Do not resolve external parameter entities (used in DTD-based blind XXE).
FEATURE = "http://xml.org/sax/features/external-parameter-entities";
dbf.setFeature(FEATURE, false);

// Do not fetch an external DTD even when not validating.
FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
dbf.setFeature(FEATURE, false);

// Disable XInclude and entity reference expansion as additional defence in depth.
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
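The following is an added, self-contained Java example written for this article; it is not code from the original advisory or from the WeChat Pay SDK. It places a default (vulnerable) DocumentBuilderFactory beside the hardened one from the fix above and runs both over a constructed payment notification that carries an external entity. The XML-to-Map conversion (xmlToMap), the notification fields and the temporary "secret" file the entity points at are all assumptions made for the demonstration, chosen to mirror the shape of the SDK function described above.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Vulnerable pattern: a default factory resolves external entities and loads DTDs.
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory: DOCTYPE is rejected outright, plus the defence-in-depth settings.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Assumed stand-in for the SDK's XML-to-Map conversion: every child element of
    // the root <xml> element becomes one key/value pair in the returned map.
    static Map<String, String> xmlToMap(DocumentBuilderFactory dbf, String strXML) throws Exception {
        DocumentBuilder builder = dbf.newDocumentBuilder();
        InputStream in = new ByteArrayInputStream(strXML.getBytes(StandardCharsets.UTF_8));
        Document doc = builder.parse(in);
        doc.getDocumentElement().normalize();
        NodeList children = doc.getDocumentElement().getChildNodes();
        Map<String, String> data = new HashMap<>();
        for (int i = 0; i < children.getLength(); i++) {
            Node n = children.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE) {
                data.put(n.getNodeName(), n.getTextContent());
            }
        }
        return data;
    }

    public static void main(String[] args) throws Exception {
        // Constructed target: a temporary file standing in for a key file on the merchant host.
        Path secret = Files.createTempFile("merchant-key", ".txt");
        Files.write(secret, "CONSTRUCTED-MD5-KEY-DO-NOT-USE".getBytes(StandardCharsets.UTF_8));

        // Constructed notification whose <return_msg> is an external entity pointing at that file.
        String xxePayload =
              "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<!DOCTYPE xml [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<xml><return_code>SUCCESS</return_code><return_msg>&xxe;</return_msg></xml>";

        // Constructed benign notification, to show the hardened parser still accepts normal input.
        String benign =
              "<xml><return_code>SUCCESS</return_code>"
            + "<out_trade_no>20180702000001</out_trade_no></xml>";

        // Vulnerable parser: the entity is resolved and the file content lands in the map.
        Map<String, String> leaked = xmlToMap(vulnerableFactory(), xxePayload);
        System.out.println("vulnerable parser return_msg = " + leaked.get("return_msg"));

        // Hardened parser handles the normal notification as before...
        System.out.println("hardened parser benign = " + xmlToMap(hardenedFactory(), benign));

        // ...but rejects the DOCTYPE before any entity can be declared, let alone resolved.
        try {
            xmlToMap(hardenedFactory(), xxePayload);
            System.out.println("unexpected: payload accepted");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected payload: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Running the class prints the contents of the temporary file from the vulnerable parser and a "DOCTYPE is disallowed" style SAXParseException from the hardened one; the same check can be turned into a unit test against the patched SDK by asserting that xmlToMap throws on any input containing a DOCTYPE.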