The presentation focuses on vulnerabilities associated with XML, particularly related to XXE (XML External Entity) attacks and their implications on various systems, including smart houses and gaming. It discusses known XML-related exploits, their application in web technologies, and potential attack vectors through XML entities in different contexts. The presenters, Rajtmár Ákos and Szakály Tamás, emphasize the limitations and difficulties encountered in exploiting XML systems while highlighting specific implementation issues with various XML parsers.

1. <?xml version=“1.0”?>
<DOCTYPE presentation [
<!ENTITY HacktivityLogo SYSTEM “http://hacktivity.com/logo.png”> ]>
<presentation>
<logos>&HacktivityLogo; </logos>
<title>
eXploitable Markup Language
</title>
<speakers>
<speaker Name=“Rajtmár Ákos”>
<email>akos.rajtmar@praudit.hu</email>
</speaker>
<speaker Name=“Szakály Tamás”>
<email>tamas.szakaly@praudit.hu</email>
<twitter>@sghctoma</twitter>
</speaker>
</speakers>
</presentaion>

2. Possible Hacktivity topics
How secure are today’s games?
Possible vulns in the EventLog subsystem of recent
Windows systems.
The security of smart houses.

4. Well known XML attacks
XSLT-related
XInclude attacks
Entity-based attacks
• Billion laughs
• XXE
Everybody should read “XML Schema, DTD, and
Entity Attacks” by VSR

5. Lots of XML-related web application attacks.
But the web is not the whole world. (not yet, anyway :) )
Won’t show any new XML vulnerabilities.
DON’Ts

6. DOs
Show exciting ways to exploit
Deal with the client side
Deal with XML-derivatives, and files with
embedded XML parts
There are tons of these.
Often people don’t even realize they are dealing
with XML
Some examples: X3D, CML, BeerXML, GPX,
OpenDocument, EPUB, you name it.

7. XML entities
What are “entities” in XML-world?
OK, what are “external entities”?
http://www.w3.org/TR/2006/REC-xml11-20060816/#sec-entity-decl

8. XXE Intro
Most basic XXE: include resources
App has to display something from the XML

10. Interesting protocol handlers
jar:// extract file from given .jar
file:// directory list
• php:// with filters (base64 encode a file)

12. Special type of entity
Using % instead of &
More flexible
Declaration of external DTD
Can not be used in XML body
XML syntax is not a must
DTD conformity
Parameter entities

14. Non XML conform content
combine.dtd:
<![CDATA[ ]]>

16. Sending local file content
External parameter entity
Different protocol handlers
FTP, HTTP, FILE
Differences in implementation
Out-of-Bounds

21. XXE meets inter-protocol exploitation
Requirements
Encapsulation
Error tolerance
Main difficulty: limited character set
Let’s check some XML parsers’ badchars
Internet Explorer
• only ASCII
• URL-encodes some char (e.g. space -> %20)
• Cuts newlines
Visual Studio
• URL-encodes every non alphanumeric chars

22. Trigger BoF via XXE
http://exploit-db.com/exploits/31789

26. Alphanum shellcode
Restricted to alphanumeric characters
UTF-8 too!!
Metasploit Framework
Encoders: x86/alpha_mixed, x86/alpha_upper
Useful options: BufferRegister, AllowWin32SEH

27. The payload

28. qB8w
Need “jmp esp” with an ASCII-only address
0x77384271 in big endian is qB8w

30. Installed Pidgin
Jabber configured
accounts.xml
Request external DTD
Generating mailer payload
Sending malicious content
Authenticated as user
Inter protocol SMTPloitation

37. Garmin Training Center
+ Not bothering with n
- Yet not able to evaluate &variables;
Possible implementation issue
Visual Studio 2012
+ Ability to evaluate &variables;
- A great fan of URL encoding
Permanent fail?

38. Slight possibility of using Garmin
I believe I saw it working
Finding another n application
Visual Studio can be „controlled”
Sending multiple files
Delivering more attacks
Not at all

39. XXE the AV!
Original idea: .docx vs. virus scanners
Grepped ClamAV’s source for “xml”
It uses libxml2 to open XAR archives
basically an archive format with compressed XML
metadata
What other AV’s know this format?

40. AVG
Ad-Aware
Avast
Avira
BitDefender
DrWeb
ESET-NOD32
Emsisoft
F-Secure
Gdata
Kaspersky
NANO-Antivirus
Qihoo-360
nProtect
MicroWorld-eScan
EICAR string:
X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
XARd it, and sent to VirusTotal
Besides ClamAV, these can deal with XAR:

41. There Can Be Only One
AVs use XML parsers without knowledge of DTD
Except ClamAV
• Only recent versions >= 0.98.1
So let’s hack ClamAV!

42. XAR format

43. XAR hexdump

44. PoC
Python script to create XARs with custom XML
Simple XML with HTTP external entity:
Scanned it with clamscan...

45. ... and it worked!

49. &Some haxx0r stuff;
libxml2 limitation: very strict URI checking
for example, no newlines allowed
OOB attacks are very-very limited
only files without newlines can be stolen.
SSRF is our Super Mushroom
only GET request
only HTTP
payload cannot contain non-ASCII chars

50. Finding suitable exploits
cat ~/msf_http.txt |while read line; do
grep -q -E -i "443|post|ssl" $line;
if[[ $? -ne 0 ]]; then
echo $line;
fi;
done > ~/msf_http_nossl_nopost.txt

51. linux/http/esva_exec
linux/http/dreambox_openpli_shell
linux/http/fritzbox_echo_exec
linux/http/symantec_web_gateway_lfi
linux/http/symantec_web_gateway_pbcontrol
linux/http/ddwrt_cgibin_exec
multi/http/struts_code_exec
multi/http/vtiger_install_rce
multi/http/v0pcr3w_exec
multi/http/snortreport_exec
multi/http/spree_search_exec
multi/http/phptax_exec
multi/http/gitorious_graph
multi/http/familycms_less_exec
multi/http/gestioip_exec
multi/http/freenas_exec_raw
multi/http/ajaxplorer_checkinstall_exec
multi/http/spree_searchlogic_exec
multi/http/oracle_reports_rce
multi/http/mobilecartly_upload_exec
unix/http/freepbx_callmenum
unix/webapp/cacti_graphimage_exec
unix/webapp/awstats_configdir_exec
unix/webapp/barracuda_img_exec
unix/webapp/invision_pboard_unserialize_exec
unix/webapp/basilic_diff_exec
unix/webapp/awstats_migrate_exec
unix/webapp/google_proxystylesheet_exec
unix/webapp/base_qry_common
unix/webapp/tikiwiki_graph_formula_exec
unix/webapp/mambo_cache_lite
unix/webapp/awstatstotals_multisort
unix/webapp/openview_connectednodes_exec
unix/webapp/php_charts_exec
unix/webapp/php_vbulletin_template
unix/webapp/freepbx_config_exec
unix/webapp/twiki_search
unix/webapp/twiki_history
unix/webapp/mitel_awc_exec
unix/webapp/instantcms_exec
unix/webapp/redmine_scm_exec
windows/http/sap_configservlet_exec_noauth

52. Our choice for the demo
unix/webapp/freepbx_config_exec

58. Further research
Games that use XML for game saves, network communication
• Skyrim
• Flight Gear
XML metadata
• rdf
Binary XML parsers
• Cwxml
• OpenEXI
• Exifficient
• AgileDelta
• Window EventLog format (since Vista)
Network Configuration Protocol (NETCONF)
XML databases
• IBM DB2
• Oracle
• MSSQL

59. THX