Slide 2: Who we are
• Zach Varnell
  • Senior Security Consultant @ VerSprite
  • Web App
  • Mobile
  • Network
  • Red Team
  • DevOps Background
• Alejandro Parodi
  • Senior Security Consultant @ VerSprite
  • Security Researcher & Exploit Developer
  • Software Development Background

Slide 3: Why are we talking about XXE?
• Prevalence
  • #4 on the 2017 OWASP Top 10
  • Not a category on the 2013 OWASP Top 10
  • Added due to supporting data from source code analysis tools
  • “not commonly tested as of 2017” - OWASP
• 3,480 results for XXE on cvedetails.com
• Google pays up to $13,337 for some XXE vulnerabilities
• Can be present in web, desktop, and mobile applications

Slide 4: Definitions
• eXtensible Markup Language (XML)
  • Designed to transport data in a format that is both machine and human readable.
• XML Entity
  • Variables used to define shortcuts for frequently used text.
  • Internal entities are defined locally in the XML file.
  • The SYSTEM declaration is used to declare an external entity.
• XML External Entity (XXE) processing
  • Type of attack that occurs when XML input is processed by an insecure XML parser.

Slide 5: XML Entity Use Cases
• Example uses of XML entities
  • Character entities
  • String substitution
  • Less common characters (e.g. ¥)

Slide 6: External XML Entity Use Cases
• Even external XML entities have legitimate uses.
  • Include other XML files
  • Load a Document Type Definition (DTD) file to validate the XML

Slide 7: Example XML Uses
• Parsing files for import (xlsx, docx, pptx)
• Importing stored configurations
• SOAP web services
• Ajax requests
• OpenID login (Login with Google / Facebook)

Slide 8: A Simple Example
• Request / Response

Slide 9: A Simple Example – Denial of Service
• Request / Response

Slide 10: A Simple Example – Local File Read
• Request / Response

Slide 11: Other Abuse Cases
• Expect:// code execution
• Load files:
  • /etc/passwd
  • boot.ini
  • unattend.xml / autounattend.xml
  • wp-config.php
  • php://filter/read=convert.base64-encode/resource=/etc/issue

Slide 12: More Abuse Cases
• Grab a file over the internal network
  • http://192.168.1.1/secret.txt
• Internal network / localhost port scan
  • Compare the responses received to the response for a known-open port (e.g. 80)

Slide 13: Demos
• Let’s see the following vulnerable source code:

Slide 14: Where is the bug?

Slide 15: XML Communication

Slide 16: Exploiting the Bug

Slide 17: SHOW ME THE WHOLE PROCESS!

Slide 19: What about CVEs for XXE? Let’s play with real vulns!

Slide 20: CVE-2016-4264: ColdFusion Framework v11 XXE
• Description:
  • The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
• What is OOXML?
  • Office Open XML is a zipped, XML-based file format developed by Microsoft for representing spreadsheets, charts, presentations and word processing documents. The format was initially standardized by Ecma, and by the ISO and IEC in later versions.
• Office new file format:
  • After Office 2003, all the files (docx, xlsx, pptx, etc.) are XML-based.

Slide 21: Let’s Analyze some Facts…
• We know that an Office file newer than 2003 is a zipped file with some XML content inside.
• Could we un-compress the file? YES
• Could we modify the file content? YES
• Could we re-compress the file? YES
• So…
  • Could we then inject our custom XML data? YES

Slide 22: How Does ColdFusion 11 < Update 10 Parse XLSX Files?
• To parse DOCX and XLSX files, ColdFusion uses a library called POI 3.10.
• POI 3.10 allows XML eXternal Entity processing by default.
• The real vulnerability is not in ColdFusion. It is in all the applications that use the POI library < POI 3.17.
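Because an OOXML document is just a ZIP of XML parts (slides 20-22), an application that accepts uploads can screen the container before any XML library such as POI touches it. The following is an added example, not code from the talk or from ColdFusion/POI: it walks every XML part of the ZIP and flags DOCTYPE or ENTITY declarations, which a part written by Office never contains. The `build_sample_xlsx` helper and the two sheet samples are constructed for the demonstration (the SYSTEM URL is a placeholder), and the size limit is an assumed default.

```python
"""Pre-screen an uploaded OOXML file (xlsx/docx/pptx) before it reaches an XML parser.

OOXML is a ZIP of XML parts. Parts written by Office carry no DOCTYPE, so a
<!DOCTYPE or <!ENTITY declaration inside any part is a red flag and the upload
can be rejected before a library like POI ever parses it.
"""
import io
import re
import zipfile

# Markers a clean Office-generated part never contains. \s* tolerates odd
# whitespace; IGNORECASE is deliberate because we are screening, not parsing.
_DTD_MARKERS = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)
_XML_PART_SUFFIXES = (".xml", ".rels")


def scan_ooxml(data: bytes, max_part_bytes: int = 20_000_000) -> list:
    """Return a list of (part_name, reason) findings for an OOXML container.

    An empty list means no DTD or entity declaration was found in any XML part.
    Raises ValueError if the bytes are not a ZIP container at all.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML (ZIP) container") from exc

    findings = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith(_XML_PART_SUFFIXES):
                continue
            # file_size comes from the ZIP header and is attacker-controlled, so
            # it is only a cheap first guard; the bounded read below is the real
            # protection against a decompression bomb.
            if info.file_size > max_part_bytes:
                findings.append((name, "declared size exceeds limit"))
                continue
            with zf.open(info) as fh:
                part = fh.read(max_part_bytes + 1)
            if len(part) > max_part_bytes:
                findings.append((name, "actual size exceeds limit"))
                continue
            match = _DTD_MARKERS.search(part)
            if match:
                keyword = match.group(1).decode("ascii").upper()
                findings.append((name, f"{keyword} declaration present"))
    return findings


def build_sample_xlsx(sheet_xml: bytes) -> bytes:
    """Build a constructed, minimal xlsx-like ZIP (not a real Office file) with
    just enough parts to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<?xml version='1.0'?><Types/>")
        zf.writestr("_rels/.rels", b"<?xml version='1.0'?><Relationships/>")
        zf.writestr("xl/workbook.xml", b"<?xml version='1.0'?><workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()


# Constructed sample parts: one shaped like Office output, one carrying the kind
# of DOCTYPE/ENTITY prologue the talk describes (the URL is a placeholder).
CLEAN_SHEET = b"<?xml version='1.0'?><worksheet><sheetData/></worksheet>"
TAMPERED_SHEET = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE worksheet [<!ENTITY ext SYSTEM 'http://PLACEHOLDER-HOST/x'>]>"
    b"<worksheet>&ext;</worksheet>"
)

if __name__ == "__main__":
    print(scan_ooxml(build_sample_xlsx(CLEAN_SHEET)))     # []
    print(scan_ooxml(build_sample_xlsx(TAMPERED_SHEET)))  # [('xl/worksheets/sheet1.xml', 'DOCTYPE declaration present')]
```

This gate is a complement to, not a replacement for, parsing with external entities disabled: it catches tampered Office documents at the upload boundary, while the parser configuration is what protects every other XML entry point.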

Slide 23: Exploiting CVE-2016-4264
• Let’s see the following ColdFusion application

Slide 24: Exploiting CVE-2016-4264
• Let’s see the application code:

Slide 25: Exploiting CVE-2016-4264
• So? Where is the bug?
• In the application all looks great, and it is… because the issue is not a programming error!
• It is a Framework Vulnerability!

Slide 26: Exploiting CVE-2016-4264
• The first step to exploit this vulnerability is getting a valid XLSX file and un-compressing it.

Slide 27: Exploiting CVE-2016-4264
• Now, choose an XML file and add your payload!
• Original Document:

Slide 28: Exploiting CVE-2016-4264
• Modified Document:

Slide 29: Exploiting CVE-2016-4264
• Re-compress the file

Slide 30: Exploiting CVE-2016-4264
• Upload the file into the application and wait for the connection

Slide 31: Exploiting CVE-2016-4264
• Ok, we were able to exploit the bug, and now what?
• Let’s exfiltrate data!
• We are going to target the file:
  • “/opt/coldfusion11/cfusion/lib/password.properties”
  • This file contains the hashed password of the ColdFusion Admin user.
• Two-step exploitation:
  • First step: We are going to exploit the vulnerability to load a custom external DTD file (xml).
  • Second step: Our custom DTD file is going to read the target file and send the data to our remote server!

Slide 32: Exploiting CVE-2016-4264
• First step: Custom DTD file (payload.xml) hosted on our remote server:

Slide 33: Exploiting CVE-2016-4264
• Second step: modified XLSX file crafted to trigger the bug and import our remote payload.xml (remote DTD file)

Slide 34: Exploiting CVE-2016-4264
• Last step:
  • Start a listening server:
    • nc -l 8000 -vv
  • Re-compress the new XLSX file and upload it to the application!
  • The XLSX file will import the remote payload.xml (first-stage DTD)
  • When the bug is triggered, the payload file will read the password.properties file and will send the data to our remote server.

Slide 35: Exploiting CVE-2016-4264

Slide 36: Does this only happen with Web Applications?

Slide 37: CVE-2015-3784: XXE in Office Viewer in Apple iOS before 8.4.1
• Description:
  • Office Viewer in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
• Where is the bug?
  • The bug resides in the libxml2 native library.
  • Sorry? What?
  • Yes, the vulnerability is in a native system library.
  • The impact of this issue goes really deep, because every application that uses this library could be vulnerable, depending only on whether the programmer implements some kind of validation before calling the parser function of the affected library.

Slide 38: Exploiting CVE-2015-3784
• The exploitation of this bug is really simple:
  • Un-compress a DOCX/XLSX file.
  • Add your payload.
  • Load the file from a remote server in Safari.
• This is not a bug in Safari; internally, Safari triggers a call to the Apple Office Viewer, which is the real vulnerable application.

Slide 39: Exploiting CVE-2015-3784
• Let’s try it! This is how our modified XLSX file is going to look.

Slide 40: Exploiting CVE-2015-3784
• Really simple steps:
  • Re-compress the file.
  • Serve the file with any web server (e.g. Python SimpleHTTPServer).
  • Open the URL with a vulnerable iOS version.
  • Receive the inbound connection!

Slide 41: Exploiting CVE-2015-3784

Slide 42: Exploiting CVE-2015-3784
• To perform a complete exploitation that includes data exfiltration, we just need to follow the same steps that we saw for the ColdFusion CVE-2016-4264.

Slide 43: Avoiding XXE
• Secure coding
  • Disable DTDs / external entities / entity expansion / entity substitution
    • Terminology can vary
    • Often enabled by default. Doing nothing means it’s enabled.
    • Language dependent
      • PHP - libxml_disable_entity_loader(true);
      • Java - disabled per XML parser used
      • .NET - many XML parsers safe by default
  • Don’t introduce issues by allowing external entities where not needed
  • Use the latest version of the XML parser. Some older versions are not safe by default.
• Sandboxing
  • Even if XXE succeeds, it may not be able to grab sensitive files if properly sandboxed.
• Mitigation
  • Do not show errors
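The slide lists the controls by name (disable DTDs, external entities, entity expansion) but the switches differ per parser. The following added example, written for this page and not taken from the talk, shows what those controls look like on one concrete parser, Python's standard-library pyexpat, chosen because it runs without third-party packages; Java and .NET parsers expose equivalent features under their own names, as the slide notes. It also exercises the legitimate internal-entity use from slide 5 (¥ via an internal entity) to show that hardening does not have to break it. The `parse_untrusted` function, the `UnsafeXML` error, the `allow_internal_dtd` and `max_chars` parameters, and the sample documents (PLACEHOLDER is not a real resource) are all constructed for the example.

```python
"""Hardened XML parsing of untrusted input using only the standard library.

Applies the 'Avoiding XXE' controls on top of pyexpat: refuse DTDs (or at most
allow an internal subset), never resolve external entities, never parse
parameter entities, and cap entity expansion so nested entities cannot
exhaust memory.
"""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when the document uses a feature this parser refuses."""


def parse_untrusted(xml_bytes, allow_internal_dtd=False, max_chars=1_000_000):
    """Parse XML from an untrusted source and return {tag: text} per element.

    - DOCTYPE is rejected unless allow_internal_dtd=True, and even then a
      DOCTYPE with a SYSTEM/PUBLIC id (an external DTD) is rejected.
    - External general entities are never fetched: the ref handler reports
      success without opening sysid, so the reference expands to nothing.
    - Parameter entities are never parsed, so no external DTD can be pulled in.
    - Character data is capped at max_chars, which stops "billion laughs".
    """
    parser = expat.ParserCreate()
    texts = {}
    stack = []
    produced = 0

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_internal_dtd or sysid is not None or pubid is not None:
            raise UnsafeXML("DOCTYPE %r not permitted" % name)

    def external_entity_ref(context, base, sysid, pubid):
        # Returning 1 tells expat the entity was handled; nothing is opened,
        # so no file or network access occurs and no text is contributed.
        return 1

    def start_element(tag, attrs):
        stack.append(tag)
        texts.setdefault(tag, "")

    def end_element(tag):
        stack.pop()

    def char_data(data):
        nonlocal produced
        produced += len(data)
        if produced > max_chars:
            raise UnsafeXML("entity expansion exceeded %d characters" % max_chars)
        if stack:
            texts[stack[-1]] += data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_bytes, True)
    return texts


# Constructed samples. INTERNAL_ENTITY is the legitimate use from slide 5; the
# rest exercise each control. PLACEHOLDER is not a real resource.
PLAIN = b"<r><a>hi</a></r>"
INTERNAL_ENTITY = b'<!DOCTYPE r [<!ENTITY yen "&#165;">]><r>&yen;5</r>'
EXTERNAL_ENTITY = b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]><r>&ext;</r>'
EXTERNAL_DTD = b'<!DOCTYPE r SYSTEM "http://PLACEHOLDER/x.dtd"><r/>'
NESTED_EXPANSION = (  # 10 x 10 x 10 = 1000 characters from a 3-level entity chain
    b'<!DOCTYPE r [<!ENTITY a "aaaaaaaaaa">'
    b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
    b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]><r>&c;</r>'
)

if __name__ == "__main__":
    print(parse_untrusted(PLAIN))                                     # {'r': '', 'a': 'hi'}
    print(parse_untrusted(INTERNAL_ENTITY, allow_internal_dtd=True))  # {'r': '¥5'}
    print(parse_untrusted(EXTERNAL_ENTITY, allow_internal_dtd=True))  # {'r': ''}
    for doc in (INTERNAL_ENTITY, EXTERNAL_DTD, NESTED_EXPANSION):
        try:
            parse_untrusted(doc, allow_internal_dtd=(doc is not INTERNAL_ENTITY), max_chars=500)
        except UnsafeXML as exc:
            print("rejected:", exc)
```

The default (`allow_internal_dtd=False`) is the "disable DTDs" posture the slide recommends and is what an application should use unless it has a documented reason to accept entity declarations; the rejection paths raise rather than return partial data, so the caller can log the event without echoing parser errors back to the client, in line with the "do not show errors" bullet.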

Slide 44: Avoiding XXE – JSON Use
• Security issues are not inherent in JSON
• Just parsing JSON is safe
• Issues can arise in JSON exchanges (e.g. JavaScript's JSONP)

Slide 45: Questions?
• VerSprite.com
• @versprite