{"id":1870,"date":"2025-02-10T10:03:37","date_gmt":"2025-02-10T10:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/02\/10\/saml-bypass-authentication-on-github-enterprise-servers-to-login-as-other-user-account\/"},"modified":"2025-02-10T10:03:37","modified_gmt":"2025-02-10T10:03:37","slug":"saml-bypass-authentication-on-github-enterprise-servers-to-login-as-other-user-account","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/02\/10\/saml-bypass-authentication-on-github-enterprise-servers-to-login-as-other-user-account\/","title":{"rendered":"SAML Bypass Authentication on GitHub Enterprise Servers To Login as Other User Account"},"content":{"rendered":"

SAML Bypass Authentication on GitHub Enterprise Servers To Login as Other User Account
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A significant vulnerability has been identified in GitHub Enterprise Servers, allowing attackers to bypass SAML authentication and log in as other user accounts.<\/p>\n

This exploit leverages quirks in the libxml2<\/code> library, specifically related to XML entities, to deceive the verification process.<\/p>\n

The vulnerability, designated as CVE-2025-23369 and this security flaw highlights the importance of robust security measures<\/a> in authentication systems.<\/p>\n

SAML (Security Assertion Markup Language) is a protocol used for exchanging authentication and authorization data between systems.<\/p>\n

Security analyst at repz ret, hakivvi detected<\/a> that it operates similarly to OAuth2\/OpenID but instead of returning an access token, SAML provides a Response object containing user attributes like email and name.<\/p>\n

While this Response is protected by a digital signature to prevent tampering.<\/p>\n

<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n    <saml:Issuer>http:\/\/idp.example.com\/metadata.php<\/saml:Issuer>\n    <ds:Signature>...<\/ds:Signature>\n    <saml:Assertion>\n        <saml:Subject>\n            <saml:NameID SPNameQualifier=\"http:\/\/sp.example.com\/demo1\/metadata.php\">user@example.com<\/saml:NameID>\n        <\/saml:Subject>\n    <\/saml:Assertion>\n<\/samlp:Response><\/code><\/pre>\n
The Vulnerability<\/strong><\/h2>\n
The vulnerability exploits an inconsistency in how XML entities are handled during the signature verification process.<\/p>\n
By using an XML entity to define an ID attribute, an attacker can make the verification code mistakenly identify an arbitrary element (an Assertion<\/code>) as the root element (Response<\/code>).<\/p>\n
\n
\"\"
Root element ID (Source \u2013 repz ret)<\/figcaption><\/figure>\n<\/div>\n
require 'Nokogiri'\nxml = <<-XML\n<!DOCTYPE abcd [ <!ENTITY idViaEntity \"_129\"> ]>\n<samlp:Response ID=\"&idViaEntity;\">\n    <saml:Assertion ID=\"_129\">http:\/\/idp.example.com\/metadata.php<\/saml:Assertion>\n<\/samlp:Response>\nXML\ndoc = Nokogiri::XML(xml)\nputs doc.xpath('\/\/*[@ID=$uri or @wsu:Id=$uri]', {\"wsu\": \"http:\/\/docs.oasis-open.org\/wss\/2004\/01\/oasis-200401-wss-wssecurity-utility-1.0.xsd\"}).first<\/code><\/pre>\n
This code snippet shows that how the XPath query can return the Assertion<\/code> element instead of the expected Response<\/code> element due to the XML entity.<\/p>\n
To exploit this vulnerability, an attacker crafts a SAML Response with an XML entity defining the ID of the Response<\/code> element.<\/p>\n
This entity is then referenced in the Assertion<\/code> element, causing the verification code to mistakenly validate the signature against the Assertion<\/code> instead of the Response<\/code>.<\/p>\n
\n
\"\"
Referenced_node Mistake (Source \u2013 repz ret)<\/figcaption><\/figure>\n<\/div>\n
<!DOCTYPE abcd [ <!ENTITY idViaEntity \"id198723974770096182351422\"> ]>\n<saml2p:Response ID=\"&idViaEntity;\">\n    <!-- Injected Assertion -->\n    <saml2:Assertion ID=\"id198723974770096182351422\">\n        <!-- Original Assertion -->\n    <\/saml2:Assertion>\n<\/saml2p:Response><\/code><\/pre>\n
The CVE-2025-23369 vulnerability shows the importance of thoroughly testing and securing authentication systems.<\/p>\n
Not only that even it also highlights how subtle inconsistencies in XML parsing can lead to significant security breaches<\/a>.<\/p>\n
GitHub has addressed this issue, but it serves as a reminder for developers to scrutinize their authentication mechanisms closely.<\/p>\n
Developers should thoroughly test XML parsing libraries to ensure that they handle entities correctly and prevent similar exploits.<\/p>\n
They must also implement robust signature verification by checking signatures against the expected root element to avoid misidentification.<\/p>\n
Besides this, regularly updating dependencies, such as keeping libraries like libxml2 current, helps mitigate known vulnerabilities.<\/p>\n
By following these guidelines<\/a>, developers can enhance the security of their SAML-based authentication systems.<\/p>\n
Are you from SOC\/DFIR Team? - Join 500,000+ Researchers to Analyze Cyber Threats with ANY.RUN Sandbox -\u00a0Try for Free<\/a><\/code><\/strong><\/p>\n
The post SAML Bypass Authentication on GitHub Enterprise Servers To Login as Other User Account<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
 \t

\n 
<\/BR>
\n    Tushar Subhra Dutta
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n 
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"
SAML Bypass Authentication on GitHub Enterprise Servers To Login as Other User Account A significant vulnerability has been identified in GitHub Enterprise Servers, allowing attackers to bypass SAML authentication and log in as other user accounts. This exploit leverages quirks in the libxml2 library, specifically related to XML entities, to deceive the verification process. The […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-1870","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1870"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=1870"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1870\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=1870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=1870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=1870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}