<?xml version=“1.0”?><DOCTYPE presentation [<!ENTITY HacktivityLogo SYSTEM “http://hacktivity.com/logo.png”> ]><presentation>

<logos>&HacktivityLogo; </logos><title>

eXploitable Markup Language</title>

<speakers>

<speaker Name=“Rajtmár Ákos”>

<email>akos.rajtmar@praudit.hu</email>

</speaker>

<speaker Name=“Szakály Tamás”>

<email>tamas.szakaly@praudit.hu</email>

<twitter>@sghctoma</twitter>

</speaker>

</speakers>

</presentaion>

Possible Hacktivity topics

How secure are today’s games?

Possible vulns in the EventLog subsystem of recent Windows systems.

The security of smart houses.

Well known XML attacks

XSLT-related

XInclude attacks

Entity-based attacks

• Billion laughs

• XXE

Everybody should read “XML Schema, DTD, and Entity Attacks” by VSR

Lots of XML-related web application attacks.

But the web is not the whole world. (not yet, anyway :) )

Won’t show any new XML vulnerabilities.

DON’Ts

DOs

Show exciting ways to exploit

Deal with the client side

Deal with XML-derivatives, and files with embedded XML parts

There are tons of these.

Often people don’t even realize they are dealing with XML

Some examples: X3D, CML, BeerXML, GPX, OpenDocument, EPUB, you name it.

XML entities

What are “entities” in XML-world?

OK, what are “external entities”?

http://www.w3.org/TR/2006/REC-xml11-20060816/#sec-entity-decl

XXE Intro

Most basic XXE: include resources

App has to display something from the XML

Interesting protocol handlers

jar:// extract file from given .jar

file:// directory list

• php:// with filters (base64 encode a file)

Special type of entity

Using % instead of &

More flexible

Declaration of external DTD

Can not be used in XML body

XML syntax is not a must

DTD conformity

Parameter entities

Non XML conform content

combine.dtd:

<![CDATA[ ]]>

Sending local file content

External parameter entity

Different protocol handlers

FTP, HTTP, FILE

Differences in implementation

Out-of-Bounds

XXE meets inter-protocol exploitation

RequirementsEncapsulationError tolerance

Main difficulty: limited character setLet’s check some XML parsers’ badchars

Internet Explorer• only ASCII• URL-encodes some char (e.g. space -> %20)• Cuts newlines

Visual Studio• URL-encodes every non alphanumeric chars

Trigger BoF via XXE

http://exploit-db.com/exploits/31789

Alphanum shellcode

Restricted to alphanumeric characters

UTF-8 too!!

Metasploit Framework

Encoders: x86/alpha_mixed, x86/alpha_upper

Useful options: BufferRegister, AllowWin32SEH

The payload

qB8w

Need “jmp esp” with an ASCII-only address

0x77384271 in big endian is qB8w

Installed Pidgin

Jabber configured

accounts.xml

Request external DTD

Generating mailer payload

Sending malicious content

Authenticated as user

Inter protocol SMTPloitation

Garmin Training Center

+ Not bothering with \n

- Yet not able to evaluate &variables;

Possible implementation issue

Visual Studio 2012

+ Ability to evaluate &variables;

- A great fan of URL encoding

Permanent fail?

Slight possibility of using Garmin

I believe I saw it working

Finding another \n application

Visual Studio can be „controlled”

Sending multiple files

Delivering more attacks

Not at all

XXE the AV!

Original idea: .docx vs. virus scanners

Grepped ClamAV’s source for “xml”

It uses libxml2 to open XAR archives

basically an archive format with compressed XML metadata

What other AV’s know this format?

AVGAd-AwareAvastAviraBitDefenderDrWebESET-NOD32Emsisoft

F-SecureGdataKasperskyNANO-AntivirusQihoo-360nProtectMicroWorld-eScan

EICAR string: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

XARd it, and sent to VirusTotal

Besides ClamAV, these can deal with XAR:

There Can Be Only One

AVs use XML parsers without knowledge of DTD

Except ClamAV• Only recent versions >= 0.98.1

So let’s hack ClamAV!

XAR format

XAR hexdump

PoC

Python script to create XARs with custom XML

Simple XML with HTTP external entity:

Scanned it with clamscan...

... and it worked!

&Some haxx0r stuff;

libxml2 limitation: very strict URI checkingfor example, no newlines allowed

OOB attacks are very-very limitedonly files without newlines can be stolen.

SSRF is our Super Mushroomonly GET request

only HTTP

payload cannot contain non-ASCII chars

Finding suitable exploits

cat ~/msf_http.txt |while read line; do grep -q -E -i "443|post|ssl" $line;if[[ $? -ne 0 ]]; then

echo $line;fi;

done > ~/msf_http_nossl_nopost.txt

linux/http/esva_exec

linux/http/dreambox_openpli_shell

linux/http/fritzbox_echo_exec

linux/http/symantec_web_gateway_lfi

linux/http/symantec_web_gateway_pbcontrol

linux/http/ddwrt_cgibin_exec

multi/http/struts_code_exec

multi/http/vtiger_install_rce

multi/http/v0pcr3w_exec

multi/http/snortreport_exec

multi/http/spree_search_exec

multi/http/phptax_exec

multi/http/gitorious_graph

multi/http/familycms_less_exec

multi/http/gestioip_exec

multi/http/freenas_exec_raw

multi/http/ajaxplorer_checkinstall_exec

multi/http/spree_searchlogic_exec

multi/http/oracle_reports_rce

multi/http/mobilecartly_upload_exec

unix/http/freepbx_callmenum

unix/webapp/cacti_graphimage_exec

unix/webapp/awstats_configdir_exec

unix/webapp/barracuda_img_exec

unix/webapp/invision_pboard_unserialize_exec

unix/webapp/basilic_diff_exec

unix/webapp/awstats_migrate_exec

unix/webapp/google_proxystylesheet_exec

unix/webapp/base_qry_common

unix/webapp/tikiwiki_graph_formula_exec

unix/webapp/mambo_cache_lite

unix/webapp/awstatstotals_multisort

unix/webapp/openview_connectednodes_exec

unix/webapp/php_charts_exec

unix/webapp/php_vbulletin_template

unix/webapp/freepbx_config_exec

unix/webapp/twiki_search

unix/webapp/twiki_history

unix/webapp/mitel_awc_exec

unix/webapp/instantcms_exec

unix/webapp/redmine_scm_exec

windows/http/sap_configservlet_exec_noauth

Our choice for the demo

unix/webapp/freepbx_config_exec

Further research

Games that use XML for game saves, network communication• Skyrim• Flight Gear

XML metadata• rdf

Binary XML parsers• Cwxml• OpenEXI• Exifficient• AgileDelta• Window EventLog format (since Vista)

Network Configuration Protocol (NETCONF)XML databases

• IBM DB2• Oracle• MSSQL

THX