No content

Who we are • Zach Varnell • Senior Security Consultant @ VerSprite • Web App • Mobile • Network • Red Team • DevOps Background • Alejandro Parodi • Senior Security Consultant @ VerSprite • Security Researcher & Exploit Developer • Software Development Background

Why are we talking about XXE? • Prevalence • #4 on the 2017 OWASP Top 10 • Not a category on the 2013 OWASP Top 10 • Added due to supporting data from source code analysis tools • “not commonly tested as of 2017” - OWASP • 3,480 results for XXE on cvedetails.com • Google pays up to $13,337 for some XXE vulnerabilities • Can be present in web, desktop, and mobile applications

Definitions • eXtensible Markup Language (XML) • Designed to transport data in a format that is both machine and human readable. • XML Entity • Variables used to define shortcuts for frequently used text. • Internal entities are defined locally in the XML file. • The SYSTEM declaration is used to declare an eternal entity. • XML External Entity (XXE) processing • Type of attack that occurs when XML input is processed by an insecure XML parser.

XML Entity Use Cases • Example uses of XML Entities • Character Entities • String substitution • Less common characters • ¥

External XML Entity Use Cases • Even external XML entities have legitimate uses. • Include other XML files • Load a Document Type Definition (DTD) file to validate the XML

Example XML Uses • Parsing files for import (xlsx, docx, pptx) • Importing stored configurations • SOAP web services • Ajax requests • OpenID login (Login with Google / Facebook)

A Simple Example Request Response

A Simple Example – Denial of Service Request Response

A Simple Example – Local File Read Request Response

Other Abuse Cases • Expect:// code execution • ]> • Load files: • /etc/passwd • boot.ini • unattend.xml / autounattend.xml • wp-config.php • php://filter/read=convert.base64-encode/resource=/etc/issue

More Abuse Cases • Grab file over internal network • http://192.168.1.1/secret.txt • Internal network / localhost port scan • • Compare responses received to response for known-open port (e.g. 80)

Demos • Let’s see the following vulnerable source code:

Where is the bug?

XML Communication

Exploiting the Bug

SHOW ME THE WHOLE PROCESS!

No content

What about CVEs for XXE? Let’s play with real vulns!

CVE-2016-4264: ColdFusion Framework v11 XXE • Description: • The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. • What is OOXML? • Office Open XML is a zipped, XML-based file format developed by Microsoft for representing spreadsheets, charts, presentations and word processing documents. The format was initially standardized by Ecma, and by the ISO and IEC in later versions. • Office New File Format: • After Office 2003 all the files (docx, xlsx, pptx, etc) are based in XML.

Let’s Analyze some Facts… • We know that a Office File > 2003 is a zipped file with some XML content inside. • Could we un-compress the file? YES • Could we modify the file content? YES • Could we re-compress the file? YES • So… • Could we then inject our custom XML data? YES

How Does ColdFusion11< Update 10 Parse XLSX Files? • To parse DOCX and XLSX files ColdFusion uses a library called POI 3.10. • POI 3.10 allows the XML eXternal Entity Processing by default. • The real vulnerability is not in ColdFusion. It is in all the applications that use POI library < POI 3.17.

Exploiting CVE-2016-4264 • Let’s see the following ColdFusion application

Exploiting CVE-2016-4264 • Let’s see the application code:

Exploiting CVE-2016-4264 • So? Where is the bug? • In the application all looks great, and it is… because the issue is not a programming error! • It is a Framework Vulnerability!

Exploiting CVE-2016-4264 • The first step to exploit this vulnerability is getting a valid XLSX file and un-compress it.

Exploiting CVE-2016-4264 • Now, chose a XML File and add your payload! • Original Document:

Exploiting CVE-2016-4264 • Modified Document:

Exploiting CVE-2016-4264 • Re-Compress the file

Exploiting CVE-2016-4264 • Upload the file into the application and wait for the connection

Exploiting CVE-2016-4264 • Ok, we were able to exploit the bug and now what? • Let’s exfiltrate data! • We are going to target the file: • “/opt/coldfusion11/cfusion/lib/password.properties” • This file contains the hashed password of the ColdFusion Admin User. • 2 Steps Exploitation: • First Step: We are going to exploit the vulnerability to load a custom external DTD file (xml). • Second Step: Our custom DTD file is going to read the target file and send the data to our remote server!

Exploiting CVE-2016-4264 • First Step: Custom DTD File (payload.xml) hosted in our remote server:

Exploiting CVE-2016-4264 • Second Step: modified XLSX file crafted to trigger the bug and import our remote payload.xml (remote DTD file)

Exploiting CVE-2016-4264 • Last Step: • Start a Listening Server: • nc –l 8000 –vv • Re-Compress the new XLSX file and upload it to the application! • The XLSX file will import the remote payload.xml (first stage DTD) • When the bug is triggered, the payload file will read the password.properties file and will send the data to our remote server.

Exploiting CVE-2016-4264

Does this only happen with Web Applications?

CVE-2015-3784: XXE in Office Viewer in Apple iOS before 8.4.1 • Description: • Office Viewer in Apple iOS before 8.4.1 and OS X before 10.10.5 allow remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. • • Where is the bug? • The bug resides in the libxml2 native library. • Sorry? What? • Yes, the vulnerability is in a native system library. • The impact of this issue goes really deep because of all the applications that use this library could be vulnerable only depending if the programmer implements some kind of validation or not before he calls the parser function of the affected library.

Exploiting CVE-2015-3784 • The exploitation of this bug is really simple: • Un-compress an DOCX/XLSX file. • Add your payload. • Load the file from a remote server in Safari. • This is not a bug of Safari, internally Safari triggers a call to the Apple Office Viewer that is the real vulnerable application.

Exploiting CVE-2015-3784 • Let’s Try it! This is how our XLSX Modified file is going to look.

Exploiting CVE-2015-3784 • Really Simple Steps: • Re-compress the file. • Serve the file with any web server (Ej. Python SimpleHTTPServer). • Open the URL with a vulnerable iOS Version. • Receive the inbound connection!

Exploiting CVE-2015-3784

Exploiting CVE-2015-3784 • To perform a complete exploitation that includes data exfiltration we just need to follow the same steps that we saw for the ColdFusion CVE-2016-4264.

Avoiding XXE • Secure Coding • Disable DTDs / External Entities / Entity Expansion / Entity Substitution • Terminology can vary • Often enabled by default. Doing nothing means it’s enabled. • Language Dependent • PHP - libxml_disable_entity_loader(true); • Java – disabled per XML parser used • .NET – Many XML parsers safe by default • Don’t introduce issues by allowing external entities where not needed • Use latest version of the XML parser. Some older versions not safe by default. • Sandboxing • Even if XXE succeeds, may not be able to grab sensitive files if properly sandboxed. • Mitigation • Do not show errors

Avoiding XXE – JSON Use • Security issues not inherent in JSON • Just parsing JSON is safe • Issues can arise in JSON exchanges (e.g. JavaScript's JSONP)

Questions? VerSprite.com @versprite