
XXE - OWASP

VerSprite, Inc
February 15, 2018

Transcript

  1. Who we are
     • Zach Varnell
     • Senior Security Consultant @ VerSprite
     • Web App
     • Mobile
     • Network
     • Red Team
     • DevOps Background
     • Alejandro Parodi
     • Senior Security Consultant @ VerSprite
     • Security Researcher & Exploit Developer
     • Software Development Background
  2. Why are we talking about XXE?
     • Prevalence
     • #4 on the 2017 OWASP Top 10
     • Not a category on the 2013 OWASP Top 10
     • Added due to supporting data from source code analysis tools
     • “not commonly tested as of 2017” - OWASP
     • 3,480 results for XXE on cvedetails.com
     • Google pays up to $13,337 for some XXE vulnerabilities
     • Can be present in web, desktop, and mobile applications
  3. Definitions
     • eXtensible Markup Language (XML)
     • Designed to transport data in a format that is both machine and human readable.
     • XML Entity
     • Variables used to define shortcuts for frequently used text.
     • Internal entities are defined locally in the XML file.
     • The SYSTEM declaration is used to declare an external entity.
     • XML External Entity (XXE) processing
     • Type of attack that occurs when XML input is processed by an insecure XML parser.
  4. XML Entity Use Cases
     • Example uses of XML Entities
     • Character Entities
     • String substitution
     • Less common characters
     • ¥
  5. External XML Entity Use Cases
     • Even external XML entities have legitimate uses.
     • Include other XML files
     • Load a Document Type Definition (DTD) file to validate the XML
  6. Example XML Uses
     • Parsing files for import (xlsx, docx, pptx)
     • Importing stored configurations
     • SOAP web services
     • Ajax requests
     • OpenID login (Login with Google / Facebook)
  7. Other Abuse Cases
     • Expect:// code execution
     • <!ENTITY xxe SYSTEM "expect://id" >]>
     • Load files:
     • /etc/passwd
     • boot.ini
     • unattend.xml / autounattend.xml
     • wp-config.php
     • php://filter/read=convert.base64-encode/resource=/etc/issue
  8. More Abuse Cases
     • Grab file over internal network
     • http://192.168.1.1/secret.txt
     • Internal network / localhost port scan
     • <!ENTITY test SYSTEM "http://localhost:22">
     • Compare responses received to response for known-open port (e.g. 80)
  9. CVE-2016-4264: ColdFusion Framework v11 XXE
     • Description: The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
     • What is OOXML? Office Open XML is a zipped, XML-based file format developed by Microsoft for representing spreadsheets, charts, presentations and word processing documents. The format was initially standardized by Ecma, and by the ISO and IEC in later versions.
     • Office new file format: after Office 2003, all the files (docx, xlsx, pptx, etc.) are XML-based.
  10. Let’s Analyze some Facts…
     • We know that an Office file newer than Office 2003 is a zipped file with some XML content inside.
     • Could we uncompress the file? YES
     • Could we modify the file content? YES
     • Could we re-compress the file? YES
     • So…
     • Could we then inject our custom XML data? YES
  11. How Does ColdFusion 11 < Update 10 Parse XLSX Files?
     • To parse DOCX and XLSX files ColdFusion uses a library called POI 3.10.
     • POI 3.10 allows XML External Entity processing by default.
     • The real vulnerability is not in ColdFusion. It is in all the applications that use the POI library < POI 3.17.
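Slides 9 to 11 describe the vulnerable path: an uploaded XLSX is a zip of XML parts, and POI 3.10 hands those parts to an XML parser with external entities enabled. An upload handler can refuse such a package before any part reaches the parser, since no legitimate OOXML part carries a DOCTYPE or ENTITY declaration. The Python below is an added example, not VerSprite's or Apache POI's code; the in-memory workbook it builds is a constructed minimal zip rather than a real spreadsheet, and the `file:///placeholder/path` target in the sample entity is a placeholder.

```python
import io
import re
import zipfile

# Package parts that an OOXML consumer (POI, Office Viewer) feeds to an XML parser.
XML_PART = re.compile(r"\.(xml|rels)$", re.IGNORECASE)
# No legitimate OOXML part carries a DOCTYPE or ENTITY declaration; either one is the
# precondition for the external-entity payloads described on the slides.
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b")


def find_dtd_parts(package_bytes):
    """Return the names of XML parts in an OOXML zip that contain a DTD or entity declaration."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if not XML_PART.search(info.filename):
                continue
            data = zf.read(info.filename)
            # Heuristic for UTF-16 encoded parts: the ASCII marker bytes are interleaved
            # with NUL bytes there, so test both the raw bytes and a NUL-stripped copy.
            if DTD_MARKER.search(data) or DTD_MARKER.search(data.replace(b"\x00", b"")):
                flagged.append(info.filename)
    return flagged


def is_safe_to_parse(package_bytes):
    """Gate for an upload handler: True only when no XML part declares a DTD or entity."""
    return not find_dtd_parts(package_bytes)


def build_sample_xlsx(with_entity):
    """Build a minimal xlsx-shaped zip in memory (constructed sample, not a real workbook)."""
    sheet = b'<?xml version="1.0" encoding="UTF-8"?>\n'
    if with_entity:
        # Placeholder target path; the declaration shape is what the check keys on.
        sheet += b'<!DOCTYPE x [ <!ENTITY xxe SYSTEM "file:///placeholder/path"> ]>\n'
        sheet += (b'<worksheet><sheetData><row><c t="inlineStr"><is><t>&xxe;</t></is></c>'
                  b'</row></sheetData></worksheet>')
    else:
        sheet += b"<worksheet><sheetData/></worksheet>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0" encoding="UTF-8"?><Types/>')
        zf.writestr("_rels/.rels", b'<?xml version="1.0" encoding="UTF-8"?><Relationships/>')
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        zf.writestr("xl/media/image1.png", b"\x89PNG\r\n\x1a\n binary part, not scanned")
    return buf.getvalue()


if __name__ == "__main__":
    print("clean workbook, flagged parts:", find_dtd_parts(build_sample_xlsx(False)))
    print("tampered workbook, flagged parts:", find_dtd_parts(build_sample_xlsx(True)))
```

This gate is a pre-parse check, not a substitute for the fix the slides point at: the library itself (POI 3.17 or later, or a parser configured to refuse external entities) must stop resolving entities, because a file that reaches the parser by some other route gets no protection from the upload handler.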
  12. Exploiting CVE-2016-4264
     • So? Where is the bug?
     • In the application all looks great, and it is… because the issue is not a programming error!
     • It is a Framework Vulnerability!
  13. Exploiting CVE-2016-4264
     • The first step to exploit this vulnerability is to get a valid XLSX file and uncompress it.
  14. Exploiting CVE-2016-4264
     • Now, choose an XML file and add your payload!
     • Original Document:
  15. Exploiting CVE-2016-4264
     • Ok, we were able to exploit the bug and now what?
     • Let’s exfiltrate data!
     • We are going to target the file: “/opt/coldfusion11/cfusion/lib/password.properties”
     • This file contains the hashed password of the ColdFusion Admin User.
     • Two-step exploitation:
     • First Step: We are going to exploit the vulnerability to load a custom external DTD file (xml).
     • Second Step: Our custom DTD file is going to read the target file and send the data to our remote server!
  16. Exploiting CVE-2016-4264
     • Second Step: modified XLSX file crafted to trigger the bug and import our remote payload.xml (remote DTD file)
  17. Exploiting CVE-2016-4264
     • Last Step:
     • Start a Listening Server: nc -l 8000 -vv
     • Re-compress the new XLSX file and upload it to the application!
     • The XLSX file will import the remote payload.xml (first stage DTD)
     • When the bug is triggered, the payload file will read the password.properties file and will send the data to our remote server.
  18. CVE-2015-3784: XXE in Office Viewer in Apple iOS before 8.4.1
     • Description: Office Viewer in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
     • Where is the bug?
     • The bug resides in the libxml2 native library.
     • Sorry? What?
     • Yes, the vulnerability is in a native system library.
     • The impact of this issue goes really deep because every application that uses this library could be vulnerable, depending only on whether the programmer implements some kind of validation before calling the parser function of the affected library.
  19. Exploiting CVE-2015-3784
     • The exploitation of this bug is really simple:
     • Uncompress a DOCX/XLSX file.
     • Add your payload.
     • Load the file from a remote server in Safari.
     • This is not a Safari bug: internally Safari triggers a call to the Apple Office Viewer, which is the really vulnerable application.
  20. Exploiting CVE-2015-3784
     • Really Simple Steps:
     • Re-compress the file.
     • Serve the file with any web server (e.g. Python SimpleHTTPServer).
     • Open the URL with a vulnerable iOS version.
     • Receive the inbound connection!
  21. Exploiting CVE-2015-3784
     • To perform a complete exploitation that includes data exfiltration we just need to follow the same steps that we saw for the ColdFusion CVE-2016-4264.
  22. Avoiding XXE
     • Secure Coding
     • Disable DTDs / External Entities / Entity Expansion / Entity Substitution
     • Terminology can vary
     • Often enabled by default. Doing nothing means it’s enabled.
     • Language Dependent
     • PHP - libxml_disable_entity_loader(true);
     • Java – disabled per XML parser used
     • .NET – Many XML parsers safe by default
     • Don’t introduce issues by allowing external entities where not needed
     • Use latest version of the XML parser. Some older versions not safe by default.
     • Sandboxing
     • Even if XXE succeeds, may not be able to grab sensitive files if properly sandboxed.
     • Mitigation
     • Do not show errors
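What "disable DTDs / external entities" looks like in a concrete parser configuration, as an added example that is not part of the deck: the Python below (stdlib `xml.sax` over expat, chosen because it runs anywhere; the slides themselves name PHP, Java and .NET) offers the two policies the slides distinguish. The strict default rejects every DOCTYPE, which is what OWASP recommends for untrusted input. The permissive mode keeps the legitimate internal-entity use from slide 4 (character substitution such as `¥`) while never fetching external general or parameter entities, and it refuses an external DTD subset of the kind the remote `payload.xml` on slides 15 to 17 relies on. The sample documents are constructed; `file:///placeholder/path` and `remote-host.invalid` are placeholders.

```python
import io
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)


class XmlPolicyError(ValueError):
    """The document declares a DTD that the configured policy does not accept."""


class _PolicyHandler(ContentHandler):
    """Collects character data and enforces the DTD policy from inside the parser.

    The lexical-handler methods (startDTD and friends) are the ones xml.sax's expat
    reader binds when this object is registered as property_lexical_handler.
    """

    def __init__(self, allow_internal_dtd):
        super().__init__()
        self.allow_internal_dtd = allow_internal_dtd
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    # Called by expat as soon as <!DOCTYPE ...> is seen, before any subset is read.
    def startDTD(self, name, public_id, system_id):
        if not self.allow_internal_dtd:
            raise XmlPolicyError("DOCTYPE declarations are not accepted")
        if public_id or system_id:
            # An external DTD subset (the remote DTD of slides 15 to 17) is refused
            # even in permissive mode; only an internal subset may continue.
            raise XmlPolicyError("external DTD subset %r is not accepted" % (system_id,))

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_text(xml_bytes, allow_internal_dtd=False):
    """Parse untrusted XML and return its character data under the chosen policy.

    allow_internal_dtd=False (default): reject every DOCTYPE, as OWASP recommends.
    allow_internal_dtd=True: honour internal entities (the character-entity use case of
    slide 4) but never fetch external general or parameter entities, so a
    SYSTEM/PUBLIC entity reference contributes no content.
    """
    parser = xml.sax.make_parser()
    # Defence in depth: even if a DOCTYPE gets through, nothing external is loaded.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _PolicyHandler(allow_internal_dtd)
    parser.setContentHandler(handler)
    parser.setProperty(property_lexical_handler, handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def is_accepted(xml_bytes, allow_internal_dtd=False):
    """True when the document parses under the policy, False when the policy rejects it."""
    try:
        parse_text(xml_bytes, allow_internal_dtd)
        return True
    except XmlPolicyError:
        return False


# Constructed sample documents (not taken from the slides).
PLAIN_DOC = b'<?xml version="1.0"?><doc>plain</doc>'
INTERNAL_ENTITY_DOC = (b'<?xml version="1.0"?>\n'
                       b'<!DOCTYPE doc [ <!ENTITY yen "&#165;"> ]>\n'
                       b'<doc>Price: 100&yen;</doc>')
EXTERNAL_ENTITY_DOC = (b'<?xml version="1.0"?>\n'
                       b'<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "file:///placeholder/path"> ]>\n'
                       b'<doc>&xxe;</doc>')
REMOTE_DTD_DOC = (b'<?xml version="1.0"?>\n'
                  b'<!DOCTYPE doc SYSTEM "http://remote-host.invalid/payload.xml">\n'
                  b'<doc>text</doc>')

if __name__ == "__main__":
    print("strict, plain:", parse_text(PLAIN_DOC))
    print("strict, internal entity accepted:", is_accepted(INTERNAL_ENTITY_DOC))
    print("permissive, internal entity:", parse_text(INTERNAL_ENTITY_DOC, True))
    print("permissive, external entity text:", repr(parse_text(EXTERNAL_ENTITY_DOC, True)))
    print("permissive, remote DTD accepted:", is_accepted(REMOTE_DTD_DOC, True))
```

The policy is enforced inside the parser's own DOCTYPE callback rather than by searching the raw bytes for `<!DOCTYPE`, so it is not fooled by encodings the parser understands but a byte search would miss. The same two-layer shape (refuse the declaration, and separately keep the entity loader off) is what the PHP, Java and .NET settings on the slide achieve in their own APIs.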
  23. Avoiding XXE – JSON Use
     • Security issues not inherent in JSON
     • Just parsing JSON is safe
     • Issues can arise in JSON exchanges (e.g. JavaScript's JSONP)