XML External Entity Injection Opens Door to Attacks, Theft

XML is a popular language for web developers, partly because it is independent of software and hardware. Recently, however, XML security has come under threat from XML external entity injection (XXE) attacks, a dangerous vulnerability in XML web applications. Even the most secure apps, including those from Facebook and Google, can be affected by this vulnerability.

The XML external entity injection vulnerability allows an attacker to exploit an application that parses XML input and reflects it back to the user without any validation. At its root it is a misconfiguration of the XML parser, which resolves entities supplied in malicious input. An attacker can compromise users through an XML external entity exploit and carry out serious attacks such as obtaining sensitive information, denial of service, port scanning, server-side request forgery, and others.

Before stepping through an XXE exploit, let’s take a look at the role entities play in an XML structure.

An entity is a named shortcut that stands for a value. It is very useful in XML when developers do not want to repeat large pieces of content or want to use the content of an internal or external file as a variable value: they simply reference the entity instead of rewriting the same data. An entity can be declared in two ways: internal and external.

Internal entity: The user sets the entity’s static value while defining it in the XML document type definition. When the entity is parsed, its value is the word “testing.”
Example:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE Any [
<!ENTITY test "testing">
]>
<xxx>&test;</xxx>

External entity: The user sets a local path or an external reference as the entity’s value. When the entity is parsed, its value is the content of the referenced file, in this case boot.ini.

Example:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE Any [
  <!ENTITY test SYSTEM "file:///c:/boot.ini">
]>
<xxx>&test;</xxx>

The potentially vulnerable entry point in the web application occurs when a user’s XML input is parsed by the XML parser:

  • The application accepts user XML input and shows it in the response.
  • The application has a file-upload function and the uploaded file content is reflected to the user. This may happen through an XML file upload or .PPTX, .DOCX, .XLSX, etc.

Manual test

Case 1: When user-given XML input is reflected in the response page:

Move the user input into an entity declaration and observe whether the XML parser returns the same response as it does for a static value. This can be done with any intercepting proxy. In the following example we have moved the tag value (“testuser”) into an entity declaration.

Original request example:

[Screenshot: 20160802 XXE 1]

Modified request example:

[Screenshot: 20160802 XXE 2]

Now, if the XML parser parses both requests the same way and returns the same result, the application is vulnerable to XXE. In such a case, try XXE exploits such as obtaining system files. Your results may depend on file permissions.
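The Case 1 check above, written out as an added example (not code from the McAfee post): a constructed stand-in, reflect_xxx, for the reflecting endpoint, built on Python's standard xml.etree parser, and a probe that submits the same value once literally and once through an internal entity declaration, exactly as the two request screenshots describe. The function names and the sample value "testuser" are assumptions of this example.

```python
import xml.etree.ElementTree as ET


def reflect_xxx(xml_doc):
    """Constructed stand-in for the endpoint under test: parse the submitted
    XML and return the text of the <xxx> element that the application would
    echo back. Returns None when the parser refuses the document."""
    try:
        root = ET.fromstring(xml_doc.encode("utf-8"))
    except ET.ParseError:
        return None
    node = root if root.tag == "xxx" else root.find(".//xxx")
    if node is None:
        return None
    return node.text or ""


def static_request(value):
    """Original request: the value sits literally inside the tag."""
    return '<?xml version="1.0" encoding="utf-8"?><xxx>%s</xxx>' % value


def entity_request(value):
    """Modified request: the same value moved into an internal entity."""
    template = ('<?xml version="1.0" encoding="utf-8"?>'
                '<!DOCTYPE Any [ <!ENTITY test "%s"> ]>'
                '<xxx>&test;</xxx>')
    return template % value


def expands_internal_entities(reflect, value="testuser"):
    """The Case 1 check: the parser honours the submitted DTD if both
    requests come back with the same value."""
    return (reflect(static_request(value)) == value
            and reflect(entity_request(value)) == value)


if __name__ == "__main__":
    print("static request echoes :", reflect_xxx(static_request("testuser")))
    print("entity request echoes :", reflect_xxx(entity_request("testuser")))
    print("DTD processed         :", expands_internal_entities(reflect_xxx))
```

A positive result says only that the parser processes the inline DTD, which is the precondition for XXE, not proof of file access: Python's standard ElementTree expands internal entities (so this probe reports True against it) but refuses external SYSTEM entities with an "undefined entity" parse error, which is the behaviour a hardened parser should show at the next step of the post.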

Example of XXE payload to access a system file:

[Screenshot: 20160802 XXE 3]

You can find more exploit cases at this OWASP page.

Case 2: File upload function

XXE is also possible via file upload when XML is parsed in the file content (XML structure) and shown to the user in response. In such a case, an attacker may be able to upload a file with embedded XXE payloads. For more details, refer to the following article.

Tools

The proxy tool Burp can perform this check and report a blind XXE. For more details, refer to this link.

Solutions

  • Do not trust the user input and perform proper validation.
  • Reject any uploaded document that carries an entity declaration in its document type definition.
  • Check out language-specific solutions suggested by OWASP.
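The second solution above, rejecting any document whose document type definition declares entities, as an added example (not the post's or any vendor's code): an upload gate built on Python's expat bindings that records what the DTD declares and classifies each entity as internal (a literal value, like the "testing" example) or external (a SYSTEM or PUBLIC reference, like the boot.ini example), so it also illustrates the two declaration types from the entity section. No ExternalEntityRefHandler is installed, so expat never fetches anything while inspecting. The sample documents are constructed from the post's own examples; function names are assumptions.

```python
import xml.parsers.expat as expat

# Constructed sample uploads; the two DTD examples mirror the post's own.
SAFE_DOC = b'<?xml version="1.0" encoding="utf-8"?><xxx>testuser</xxx>'
INTERNAL_ENTITY_DOC = (b'<?xml version="1.0" encoding="utf-8"?>'
                       b'<!DOCTYPE Any [ <!ENTITY test "testing"> ]>'
                       b'<xxx>&test;</xxx>')
EXTERNAL_ENTITY_DOC = (b'<?xml version="1.0" encoding="utf-8"?>'
                       b'<!DOCTYPE Any [ <!ENTITY test SYSTEM "file:///c:/boot.ini"> ]>'
                       b'<xxx>&test;</xxx>')


def inspect_dtd(xml_bytes):
    """Parse with expat and record the DOCTYPE and every entity it declares.

    No ExternalEntityRefHandler is set, so expat never dereferences a SYSTEM
    or PUBLIC identifier; references to external entities are simply skipped.
    """
    findings = {"doctype": None, "internal_entities": [],
                "external_entities": [], "error": None}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings["doctype"] = name
        if sysid or pubid:
            # An external DTD subset is itself a fetchable reference.
            findings["external_entities"].append(("[external subset]", sysid or pubid))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if value is not None:
            # Internal entity: the literal replacement text lives in the DTD.
            findings["internal_entities"].append((name, value))
        else:
            # External entity: only a SYSTEM/PUBLIC reference is declared.
            findings["external_entities"].append((name, sysid or pubid))

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        findings["error"] = str(exc)
    return findings


def accept_upload(xml_bytes):
    """Upload gate returning (accepted, reason). Any DOCTYPE at all is refused,
    which is the post's recommendation for uploaded documents."""
    f = inspect_dtd(xml_bytes)
    if f["error"]:
        return False, "malformed XML: " + f["error"]
    if f["doctype"] is not None:
        return False, ("DOCTYPE %r declares %d internal and %d external entities"
                       % (f["doctype"], len(f["internal_entities"]),
                          len(f["external_entities"])))
    return True, "no DTD present"


if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC),
                       ("internal entity", INTERNAL_ENTITY_DOC),
                       ("external entity", EXTERNAL_ENTITY_DOC)):
        print("%-16s -> %s" % (label, accept_upload(doc)))
```

Refusing every DOCTYPE is deliberately blunt: it also blocks legitimate internal entities and entity-expansion denial of service in one move, and it is far simpler to audit than trying to whitelist "safe" declarations. Run the gate before handing the bytes to the application's real parser, and log the reason string so rejected uploads show up in detection.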


The post XML External Entity Injection Opens Door to Attacks, Theft appeared first on McAfee.

Cisco Releases Security Updates

Original release date: August 03, 2016

Cisco has released security updates to address vulnerabilities in several products. Exploitation of some of these vulnerabilities could allow an unauthenticated remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates:


This product is provided subject to this Notification and this Privacy & Use policy.


Mozilla Releases Security Updates

Original release date: August 03, 2016

Mozilla has released security updates to address multiple vulnerabilities in Firefox and Firefox ESR. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

Available updates include:

  • Firefox 48
  • Firefox ESR 45.3

Users and administrators are encouraged to review the Mozilla Security Advisories for Firefox and Firefox ESR and apply the necessary updates.


DNC staffers: FBI didn’t tell us for months about possible Russian hack

A report by Reuters suggests that the FBI was aware of a possibly Russian-sponsored intrusion into the network of the Democratic National Committee as early as last fall. But investigators from the FBI only initially told DNC staff that they should be on the lookout for strange activity on their network—and the feds didn't mention a potential state-sponsored attack until they informed the Clinton campaign in March about a phishing campaign.

Unnamed DNC staffers told Reuters' Mark Hosenball and John Walcott that the FBI had been investigating a potential intrusion into the DNC's network since the fall of 2015. After the initial warning to look for anything suspicious, DNC IT staff checked network logs and scanned files, finding nothing suspicious. When asked to provide more information to help identify a problem, the FBI "declined to provide it," according to the Reuters report.

It was not until March that the DNC IT team realized the severity of the intrusion of their systems, though Reuters did not report what triggered their realization. At about the same time, the FBI reportedly warned the Clinton campaign of the attempted attacks, according to a Yahoo News report. Spear-phishing attacks were detected in March and April against the DNC and the presidential campaign organization of Hillary Clinton by the security company SecureWorks, as Ars has previously reported.
