Two months ago, we wrote about SAML Raider, a Burp extension that automates SAML attacks by manipulating intercepted security assertions. Using this tool, we were able to identify a severe vulnerability in the service provider (SP) implementation of AdNovum's nevisAuth. The following conditions make exploitation possible:

  • SAML POST-Binding is used, i.e. the security assertion is transmitted from the identity provider (IdP) via the user-agent to the SP, which exposes the contents of valid assertions to the attacker.
  • The SP accepts signed assertions from one or more identity providers, and the signing X.509 certificate is embedded in the assertion.

As described in the previous blog post, SAML Raider features a certificate cloning utility that allows inserting a self-signed, rogue copy of the X.509 certificate into the assertion. The assertion details can then be modified to impersonate other users, grant additional rights, etc. Finally, the rogue certificate is used to sign the modified security assertion.

Due to a flaw in nevisAuth's signature validation logic, only some attributes of the embedded signing certificate are matched against the legitimate certificate originating from the IdP. For example, the distinguished names (DNs) of issuer and subject are compared, but no uniquely identifying attribute such as the public key or the fingerprint. Since the embedded certificate and the legitimate certificate from the truststore are then treated as equivalent, the implementation does not care which one is actually used to validate the assertion's signature. Unfortunately, the embedded, rogue certificate is used, enabling the attacker to inject arbitrary assertions.
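To make the flaw concrete from the defender's side, here is an added Go example (not nevisAuth's code, nor part of the original post) that models the two validation strategies side by side: a weak matcher that compares only issuer and subject DNs and then verifies the signature with whatever certificate the assertion carries, and a hardened matcher that requires the embedded certificate to be byte-identical to a truststore entry and verifies the signature with the truststore copy. The signature is modelled as plain RSA-SHA256 over the assertion bytes rather than full XML-DSig canonicalisation, the certificates are generated in memory, and the assertion bodies and DN values are constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedAssertion is a simplified stand-in for a SAML assertion with an enveloped
// signature: the signed bytes, the RSA-SHA256 signature and the certificate carried
// in ds:KeyInfo. Model only; real SAML requires XML canonicalisation and XML-DSig.
type SignedAssertion struct {
	Body      []byte
	Signature []byte
	Embedded  *x509.Certificate
}

// selfSigned issues a self-signed certificate for name with the given key.
func selfSigned(name pkix.Name, serial int64, key *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      name,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// sign produces an assertion signed with key and carrying cert in KeyInfo.
func sign(body []byte, key *rsa.PrivateKey, cert *x509.Certificate) SignedAssertion {
	h := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return SignedAssertion{Body: body, Signature: sig, Embedded: cert}
}

// sameDN is the weak comparison the post describes: issuer and subject DNs only,
// nothing that identifies the key.
func sameDN(a, b *x509.Certificate) bool {
	return a.Subject.String() == b.Subject.String() && a.Issuer.String() == b.Issuer.String()
}

// sameCert compares the SHA-256 fingerprint of the full DER encoding, which pins
// the public key together with every other field of the certificate.
func sameCert(a, b *x509.Certificate) bool {
	fa, fb := sha256.Sum256(a.Raw), sha256.Sum256(b.Raw)
	return fa == fb
}

// ValidateWeak mirrors the flawed logic: accept the embedded certificate when its
// DNs match a trusted entry, then verify the signature with the embedded key.
func ValidateWeak(a SignedAssertion, trusted []*x509.Certificate) bool {
	for _, t := range trusted {
		if sameDN(a.Embedded, t) {
			return a.Embedded.CheckSignature(x509.SHA256WithRSA, a.Body, a.Signature) == nil
		}
	}
	return false
}

// ValidateStrict is the hardened form: the embedded certificate must equal a
// truststore entry, and the signature is verified with the truststore copy, so the
// KeyInfo contents can never supply the verification key.
func ValidateStrict(a SignedAssertion, trusted []*x509.Certificate) bool {
	for _, t := range trusted {
		if sameCert(a.Embedded, t) {
			return t.CheckSignature(x509.SHA256WithRSA, a.Body, a.Signature) == nil
		}
	}
	return false
}

// Outcome records how each validator judged the legitimate and the forged assertion.
type Outcome struct{ LegitWeak, LegitStrict, ForgedWeak, ForgedStrict bool }

// RunDemo builds a constructed IdP certificate, a second certificate with the same
// DNs but an unrelated key, and one sample assertion signed by each.
func RunDemo() Outcome {
	dn := pkix.Name{CommonName: "idp.example.test", Organization: []string{"Example IdP"}}
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	idpCert := selfSigned(dn, 1, idpKey)
	otherCert := selfSigned(dn, 1, otherKey) // identical DNs, different key
	trusted := []*x509.Certificate{idpCert}

	legit := sign([]byte(`<Assertion><NameID>alice</NameID></Assertion>`), idpKey, idpCert)
	forged := sign([]byte(`<Assertion><NameID>admin</NameID></Assertion>`), otherKey, otherCert)

	return Outcome{
		LegitWeak: ValidateWeak(legit, trusted), LegitStrict: ValidateStrict(legit, trusted),
		ForgedWeak: ValidateWeak(forged, trusted), ForgedStrict: ValidateStrict(forged, trusted),
	}
}

func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

Running it prints an outcome in which both validators accept the legitimate assertion, but only `ValidateWeak` accepts the one signed with the unrelated key. The detection signal for an SP owner is the same in both versions: log which certificate (by fingerprint) was used for verification and alert when it is not the truststore copy.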

After we reported the issue to AdNovum, they responded very swiftly, providing a security bulletin, a patch and mitigation procedures to their customers a mere day later. After a grace period of a couple of months, the vulnerability was disclosed under the CVE id CVE-2015-5372.