CoreWCF: WS-Security signature substitution via document-wide Signature lookup
Impact
An unauthenticated remote attacker who can place a SOAP header lexically beforewsse:Security can embed a ds:Signature of their choosing inside that header and cause the server to verify the attacker-supplied signature instead of the one carried in the security header.Preconditions
Exploitation requires the endpoint be configured with an endorsing supporting token binding, and the attacker constructs ads:Signature whose KeyInfo resolves through the receive-side token resolver to a key under the attacker’s control. Both are conditions outside the attacker’s direct control on a generic deployment.