RE: XML File Inclusion and Path Traversal Attacks (was RE: XML Port Scanning)




I talked about this and other attack vectors based on some of our research
and some of the other material we gathered. The presentation is available
under resources on our website or through the following link
http://www.securitycompass.com/resources/SecurityCompass-Web%20Services.pdf.


Unfortunately the majority of organizations haven't followed this
thought process and still end up enabling "SYSTEM", which is the root cause
of most of these attacks. In some implementations "SYSTEM" is enabled by
default; however, in others where it is not enabled by default, because of
a lack of knowledge of the impact of enabling it, we have seen it being
enabled by developers. This technique can be used not only to port scan but also
to browse internal sites and shares, and to browse the internet, using the DTD.

It is great to see that the community is putting out such papers to get the
momentum going on how insecure web services are making our infrastructure if
not configured properly.


Nish Bhalla

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Mark Mcdonald
Sent: Thursday, September 28, 2006 9:19 PM
To: Jan P. Monsch; Paul Theriault; colin.wong@xxxxxxxxxxx
Cc: pen-test@xxxxxxxxxxxxxxxxx; webappsec@xxxxxxxxxxxxxxxxx
Subject: RE: XML File Inclusion and Path Traversal Attacks (was RE: XML Port Scanning)

I can see this problem getting progressively worse with the gradual adoption
of XML-based document formats.

For example, if an attacker knows the path (either by traversal as mentioned
below or through some other exposed mechanism), it would be trivial to
include the standard DTDs for the OpenDocument & MS suite of document types.

Kudos to both teams for this research though, excellent stuff

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Jan P. Monsch
Sent: Thursday, September 28, 2006 3:28 AM
To: 'Paul Theriault'; colin.wong@xxxxxxxxxxx
Cc: pen-test@xxxxxxxxxxxxxxxxx; webappsec@xxxxxxxxxxxxxxxxx
Subject: XML File Inclusion and Path Traversal Attacks (was RE: XML Port Scanning)

Hi Paul, Hi Colin

Thank you for your nice paper on XML port scanning. The attack scheme
you are describing is not new. It was already described in Oct 2002 by
Gregory Steuck as "XML eXternal Entity Attack" (XXE):
http://www.securiteam.com/securitynews/6D0100A5PU.html

Actually the attack scheme is more potent than you imagine. Depending
on the application it is possible to include server-side files into
XML documents.
If e.g. the content of the processed XML document is stored in a
database and it is possible to read the database through the same or
other web service functions or web application, then the file content
is disclosed.

Due to the fact that directories can often be read just like a file,
as is the case in Java, it is possible to traverse directories and
to read files without guessing paths.

So far I have not succeeded in including arbitrary XML documents since
they often violate DTD definitions of the surrounding XML. But if the
DTD allows further XML tags in a field, extraction of XML documents
should also be possible. In general, my experience shows that Java
property files, /etc/passwd, /etc/shadow or even PEM-encoded SSL key
material pose no problems.

Actually XML file inclusion is often practiced by Java web application
developers and system engineers to include external parts in web.xml
and Tomcat server.xml configuration files.

The key to solving this issue, as mentioned in the paper, is to harden
the XML parser by setting restrictive entity parsing options and to
implement custom entity resolvers. Additionally I recommend running
the web application with a low-privileged user account and restricting
read and write access for this user across the operating system. The
paranoid among us who have deployed a Java-based container should
consider restricting file and network access through Java policies and
security managers.

Sample requests and responses can be found on my web site:
http://www.iplosion.com/?p=36

Kind regards
Jan
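Jan's hardening advice (restrictive entity options plus a custom entity resolver) in JAXP form, as an added example that is not code from this thread or from any project it mentions; it assumes a Xerces-based parser (the feature URIs are Xerces-specific), Java 8 or later, and the two sample documents are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/** Added example: a JAXP DocumentBuilder that refuses DOCTYPEs and never resolves external entities. */
public final class HardenedXmlParser {

    // Constructed sample: a document carrying a DOCTYPE that declares an external entity.
    // A hardened parser must reject it before any resolution is attempted.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE order [ <!ENTITY ext SYSTEM \"http://example.invalid/x.dtd\"> ]>\n"
        + "<order><note>&ext;</note></order>";

    // Constructed sample: an ordinary document that must still parse.
    static final String SAMPLE_PLAIN = "<order><note>ok</note></order>";

    public static DocumentBuilder newHardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no internal subset, no external DTD, no entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for implementations that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        // Custom resolver as the last line of defence: never fetch, always hand back an empty source.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b;
    }

    /** Returns true if the document parsed, false if the hardened parser rejected it. */
    public static boolean accepts(String xml) {
        try {
            Document d = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement() != null;
        } catch (Exception e) { // SAXParseException on the DOCTYPE, or ParserConfigurationException
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("plain document accepted:   " + accepts(SAMPLE_PLAIN));
        System.out.println("DOCTYPE document accepted: " + accepts(SAMPLE_WITH_DOCTYPE));
    }
}
```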




-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Paul Theriault
Sent: Wednesday, 27 September 2006 06:19
To: webappsec@xxxxxxxxxxxxxxxxx
Subject: XML Port Scanning

SIFT has released a new Intelligence Report that provides a discussion
on a new network reconnaissance technique, using XML for completing
remote port scans that effectively bypass a perimeter firewall. The
technique utilises properties of XML parsers to perform the scanning
of systems, and while the technique relies on some reasonably specific
implementation details in order to be exploitable remotely, it is
potentially applicable to any application that accepts XML document
inputs.

Several workarounds exist and have been detailed in this paper and the
technique does not offer the ability to perform advanced
fingerprinting or analysis of the underlying operating system of
hosts. However, this technique demonstrates the danger that
inadequately configured XML parsers can pose to an organisation and
highlights the inability of traditional network security devices to handle
application-level threats.

The report is available for download from the SIFT website:
http://www.sift.com.au/36/172/xml-port-scanning-bypassing-restrictive-perimeter-firewalls.htm


Regards,
Paul Theriault
www.sift.com.au

-------------------------------------------------------------------------
Sponsored by: Watchfire

It's been reported that 75% of websites are vulnerable to attack.
That's because hackers know to exploit weaknesses in web applications.
Traditional approaches to securing these assets no longer apply.
Download the "Addressing Challenges in Application Security"
whitepaper today, and see for yourself.

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmw
--------------------------------------------------------------------------


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
