Saturday, March 24, 2007

Fun with Introspection on Public XML-RPC Servers

Somewhere I managed to find a list that someone had compile of sites that support XML-RPC (this is mostly for blog pingers) so for grins I tried iterating through them with system.listmethods() as I did for Python and Ruby previously. I guess I shouldn't have been surprised that so many had introspection enabled. The results?

A sampling of the server names that were returned:
  • Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-18
  • Apache/1.3.29 (Unix) PHP/4.3.7
  • Apache/1.3.34 (Unix) mod_fastcgi/2.4.2 mod_ssl/2.8.25 OpenSSL/0.9.7e PHP/4.4.4 FrontPage/
  • Apache XML-RPC 1.0
  • Apache/2.0.55 (Ubuntu) PHP/5.1.2
  • psfe
  • Apache/2.0.52 (CentOS), X-Powered-By: PHP/5.1.6
  • Apache, X-Powered-By: PHP/4.4.2
  • SOAP::Lite/Perl/0.60
  • Apache Coyote 1.1

A lot of Apache servers (that didn't ID the XML-RPC implementation) returned message and flerror as valid methods. And the "expected result" for many others returned as little as:
  • system.listMethods
  • system.methodSignature
  • system.methodHelp
  • system.multicall
  • weblogUpdates.extendedPing

While the juiciest spit out:
  • syndic8.GetFeedCount
  • syndic8.GetLastFeed
  • syndic8.FindFeeds
  • syndic8.QueryFeeds
  • syndic8.FindSites
  • syndic8.GetFeedInfo
  • syndic8.FindUsers
  • syndic8.GetUserInfo
  • syndic8.SuggestDataURL
  • syndic8.SuggestSiteURL
  • syndic8.GetLicenses
  • syndic8.CreateSubscriptionListFromOPML
  • syndic8.CreateSubscriptionListFromHTML
  • weblogUpdates.Ping
And a whole lot more...

Some the servers that did not return any method names happily returned that system object wasn't present:

java.lang.Exception: RPC handler object "system" not found and no default handler registered

Can't evaluate the
expression because the name "system.listMethods" hasn't been defined.

Failed to access class (system): Perl v65280.0.0 required
(did you mean v65280.000?)--this is only v5.8.6,
stopped at (eval 119) line 1.\n

Is this a shock? No. Are these information disclosures the the end of the world? Certainly not. There are most likely all public API meant to be exposed to the world. What concerns me is the relatively small number of XML-RPC vulnerabilities that have been disclosed so far (CVE 2005-0089, CVE 2005-1921, CVE 2005-2498, CVE-2005-1992). I probably missed a few. Python, Ruby, and PHP PEAR XML-RPC implementations have all had shell command execution and object/method permission access issues. I guess only time will tell about the quality their Java and Perl counterparts and any other implementations out there.

No comments: