Saturday, 7 September 2024


eXplotable Markup Language (extended)

Written by: | Keywords: exploit . hack . markup . language


Well known XML attacks

XSLT-related
XInclude attacks
Entity-based attacks
• Billion laughs
• XXE
Everybody should read “XML Schema, DTD, and Entity Attacks” by VSR

DON’Ts
Lots of XXE-related web application attacks.
But the web is not the whole world. (not yet, anyway :) )
Won’t show any new XML vulnerabilities.

DOs
Show exciting ways to exploit
Deal with the client side
Deal with XML derivatives, and files with embedded XML parts
There are tons of these.
Often people don’t even realize they are dealing with XML
Some examples: X3D, CML, BeerXML, GPX, OpenDocument, EPUB, you name it.

XML entities
What are “entities” in XML-world?
OK, what are “external entities”?

XXE Intro
Most basic XXE: include resources
App has to display something from the XML

Out-of-Band
Sending local file content
External parameter entity
Different protocol handlers
FTP, HTTP, FILE
Differences in implementation
Visual Studio Express 2012
Domain Controller – Windows Server 2008 R2
Group Policy Preferences

XXE meets inter-protocol exploitation

Requirements
Encapsulation
Error tolerance
Main difficulty: limited character set
Let’s check some XML parsers’ badchars
Internet Explorer
• only ASCII
• URL-encodes some chars (e.g. space -> %20)
• Cuts newlines
Visual Studio
• URL-encodes every non-alphanumeric char

Trigger BoF via XXE

Exploit: windows/ftp/freefloatftp_user
Victim
Windows Server 2003 with FreeFloat FTP
CentOS 6.5 with eXistDB
Scenario
Victim uploads a malicious XML file to the database
This triggers an FTP connection with the payload
The Calculator pops up on the Windows machine

Alphanum shellcode
In general, we can use alphanumeric characters
Metasploit Framework
Encoders: x86/alpha_mixed, x86/alpha_upper
Useful options: BufferRegister, AllowWin32SEH

Inter-protocol SMTPloitation
Installed Pidgin
Jabber configured
accounts.xml
Request external DTD
Generating mailer payload
Sending malicious content
Authenticated as user

XXE the AV!

Original idea: .docx vs. virus scanners
Grepped ClamAV’s source for “xml”
It uses libxml2 to open XAR archives
basically an archive format with compressed XML metadata
What other AVs know this format?

EICAR string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
XARed it and sent it to VirusTotal
Besides ClamAV, these can deal with XAR:

How to exploit?

libxml2 limitation: very strict URI checking
• for example, no newlines allowed
OOB attacks are very limited
• only files without newlines can be stolen.
SSRF to the rescue!
• only GET requests
• only HTTP
• payload cannot contain non-ASCII chars
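The checks a defender can run before any of the parsers above ever touch a document, covering the entity and XXE passages (external SYSTEM entities, the billion-laughs expansion) and the XAR-in-AV case (an archive whose compressed XML table of contents is handed to libxml2), as an added Python example that is not from the talk or from this blog: it parses only the prolog with the standard-library expat bindings, records every entity declaration without resolving or expanding anything, estimates the worst-case expansion from the declarations alone, and applies the same gate to the TOC pulled out of a minimal XAR container. The sample documents, the XAR builder, the `example.invalid` host and the `file:///constructed/...` path are all constructed here; the 28-byte XAR header layout (magic, header size, version, compressed and uncompressed TOC lengths, checksum algorithm) is the real one.

```python
import re
import struct
import zlib
import xml.parsers.expat as expat

EXPANSION_LIMIT = 100_000  # bytes of entity expansion tolerated before we call it a bomb


class _StopAfterProlog(Exception):
    """Raised from the start-element handler: only the prolog and DTD matter here."""


def inspect_xml(data: bytes) -> dict:
    """Pre-parse gate for untrusted XML: record entity declarations without
    resolving or expanding anything, then decide whether a real parser may see it."""
    internal = {}      # entity name -> replacement text (internal entities only)
    external = []      # every declaration that would make a parser open a URI
    doctypes = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        doctypes.append(name)
        if system_id:  # <!DOCTYPE x SYSTEM "uri"> loads an external DTD
            external.append({"name": name, "kind": "dtd", "uri": system_id})

    def on_entity(name, is_pe, value, base, system_id, public_id, notation):
        if system_id is None:
            internal[name] = value or ""
        else:
            external.append({"name": name, "kind": "parameter" if is_pe else "general",
                             "uri": system_id})

    def on_start(name, attrs):
        raise _StopAfterProlog  # root element reached: the DTD is complete, expand nothing

    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # never load the external subset
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.StartElementHandler = on_start
    well_formed = True
    try:
        p.Parse(data, True)
    except _StopAfterProlog:
        pass
    except expat.ExpatError:
        well_formed = False

    # Worst-case expanded size of each internal entity, from the declarations alone:
    # a billion-laughs document is tiny on disk until a parser expands it.
    ref = re.compile(r"&([^&;\s]+);")
    memo = {}

    def expanded_size(name, active):
        if name in memo:
            return memo[name]
        if name in active:
            return float("inf")  # recursive reference: illegal XML, treat as unbounded
        value = internal.get(name)
        if value is None:
            return 1  # predefined (&amp; &lt; ...) or undeclared: about one character
        total, pos = 0, 0
        for m in ref.finditer(value):
            total += (m.start() - pos) + expanded_size(m.group(1), active | {name})
            pos = m.end()
        memo[name] = total + (len(value) - pos)
        return memo[name]

    max_expansion = max((expanded_size(n, frozenset()) for n in internal), default=0)
    return {"well_formed": well_formed, "has_doctype": bool(doctypes), "external": external,
            "max_expansion": max_expansion,
            "reject": bool(external) or max_expansion > EXPANSION_LIMIT}


# XAR container: 28-byte big-endian header, zlib-compressed XML TOC, then the heap.
XAR_HEADER = struct.Struct(">4sHHQQL")  # magic, header size, version, TOC zlib len, TOC raw len, cksum alg


def build_xar(toc_xml: bytes) -> bytes:
    """Constructed minimal XAR (header + compressed TOC, empty heap) for exercising the gate."""
    packed = zlib.compress(toc_xml)
    return XAR_HEADER.pack(b"xar!", XAR_HEADER.size, 1, len(packed), len(toc_xml), 1) + packed


def xar_toc(blob: bytes) -> bytes:
    """Extract the XML TOC, the part an AV engine hands to its XML parser."""
    magic, hdr_len, _version, zlen, raw_len, _cksum = XAR_HEADER.unpack_from(blob)
    if magic != b"xar!":
        raise ValueError("not a XAR archive")
    toc = zlib.decompress(blob[hdr_len:hdr_len + zlen])
    if len(toc) != raw_len:
        raise ValueError("TOC length does not match the header")
    return toc


def scan_xar(blob: bytes) -> dict:
    """Run the DTD gate over a XAR's TOC before any full parse."""
    return inspect_xml(xar_toc(blob))


def lol_bomb(levels: int) -> bytes:
    """Constructed billion-laughs document: each level references the previous one ten times."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, levels + 1):
        prev = "lol" if i == 1 else "lol%d" % (i - 1)
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&%s;" % prev) * 10))
    return ('<?xml version="1.0"?><!DOCTYPE lolz [%s]><lolz>&lol%d;</lolz>'
            % ("".join(decls), levels)).encode()


# Constructed samples: harmless GPX, a classic XXE, and a XAR TOC with an external parameter entity.
CLEAN = b'<?xml version="1.0"?><gpx><wpt lat="47.5" lon="19.0"/></gpx>'
XXE = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY secret SYSTEM "file:///constructed/path/config.txt">]>'
       b'<d>&secret;</d>')
PE_TOC = (b'<?xml version="1.0"?><!DOCTYPE xar [<!ENTITY % ext SYSTEM "http://example.invalid/ext.dtd"> %ext;]>'
          b'<xar><toc/></xar>')

if __name__ == "__main__":
    for label, v in [("clean", inspect_xml(CLEAN)), ("xxe", inspect_xml(XXE)),
                     ("bomb", inspect_xml(lol_bomb(5))), ("xar", scan_xar(build_xar(PE_TOC)))]:
        print(label, "REJECT" if v["reject"] else "accept", v["external"], v["max_expansion"])
```

The gate fetches nothing: `XML_PARAM_ENTITY_PARSING_NEVER` keeps expat from loading an external subset, no `ExternalEntityRefHandler` is installed, and stopping at the root element means no entity is ever expanded, so the expansion estimate comes purely from the declarations. A scanner that wants to keep parsing XAR metadata can apply this gate to the TOC and refuse any archive whose DTD declares a SYSTEM identifier at all, which is exactly the SSRF path described above.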

Finding suitable exploits

# Filter the list of Metasploit HTTP modules down to those that do not mention
# SSL, POST or port 443: the libxml2 SSRF can only make plain-HTTP GET requests.
cat ~/msf_http.txt | while read -r line; do
  grep -q -E -i "443|post|ssl" "$line"
  if [[ $? -ne 0 ]]; then
    echo "$line"
  fi
done > ~/msf_http_nossl_nopost.txt

Our choice: unix/webapp/freepbx_config_exec
Victim
• Debian mail server (Exim)
• Protected* with ClamAV
• FreePBX server on the same network
Scenario
• Attacker sends an email with a malicious XAR attachment
• ClamAV scans the file before delivery
• The scan triggers the FreePBX exploit -> pwnd!

Further research
Games that use XML for game saves, network communication
• Skyrim
• Flight Gear
XML metadata
• rdf
Binary XML parsers
• Cwxml
• OpenEXI
• EXIficient
• AgileDelta
• Windows EventLog format (since Vista)
Network Configuration Protocol (NETCONF)
XML databases
• IBM DB2
• Oracle
• MSSQL

P.S.: these are not my own thoughts, merely 85-90% of the content of a talk. Since I personally find the subject extremely interesting, I thought I would share it with the wider public. Thanks to Szakály Tamás for the talk!!!

Copyright © 2000-2024 PROHARDVER Informatikai Kft.