WebApp Sec mailing list archives

FW: XML File Inclusion and Path Traversal Attacks (was RE: XML Port Scanning)


From: "Mark Mcdonald" <mmcdonald () staff iinet net au>
Date: Fri, 29 Sep 2006 14:04:30 +0800

A wrong email address got my original post bounced...

Keep in mind this is entirely theoretical and would be extremely difficult / unlikely in practice.

-----Original Message-----
From: Mark McDonald [mailto:mmcdonald () staff iinet net au]
Sent: Friday, September 29, 2006 9:19 AM
To: 'Jan P. Monsch'; 'Paul Theriault'; colin.wong () sift com au
Cc: pen-test () securityfocus com; webappsec () securityfocus com
Subject: RE: XML File Inclusion and Path Traversal Attacks (was RE: XML Port Scanning)

I can see this problem getting progressively worse with the gradual
adoption of XML-based document formats.

For example, if an attacker knows the path (either by traversal as
mentioned below or through some other exposed mechanism), it would be
trivial to include the standard DTDs for the OpenDocument & MS suite of
document types.

Kudos to both teams for this research though, excellent stuff.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Jan P. Monsch
Sent: Thursday, September 28, 2006 3:28 AM
To: 'Paul Theriault'; colin.wong () sift com au
Cc: pen-test () securityfocus com; webappsec () securityfocus com
Subject: XML File Inclusion and Path Traversal Attacks (was RE: XML Port Scanning)

Hi Paul, Hi Colin

Thank you for your nice paper on XML port scanning. The attack scheme you are describing is not new. It was already described in Oct 2002 by Gregory Steuck as "XML eXternal Entity Attack" (XXE):
http://www.securiteam.com/securitynews/6D0100A5PU.html

Actually the attack scheme is more potent than you imagine. Depending on the application it is possible to include server-side files into XML documents. If e.g. the content of the processed XML document is stored in a database and it is possible to read the database through the same or other web service functions or web application, then the file content is disclosed.

Due to the fact that directories can often be read just like a file, as is the case in Java, it is possible to traverse directories and to read files without guessing paths.

So far I have not succeeded in including arbitrary XML documents since they often violate DTD definitions of the surrounding XML. But if the DTD allows further XML tags in a field, extraction of XML documents should also be possible. But in general my experience shows that Java property files, /etc/passwd, /etc/shadow or even PEM-encoded SSL key material pose no problems.

Actually XML file inclusion is often practiced by Java web application
developers and system engineers to include external parts in web.xml and
Tomcat server.xml configuration files.

The key to solving this issue, as mentioned in the paper, is to harden the XML parser by setting restrictive entity parsing options and to implement custom entity resolvers. Additionally I recommend running the web application with a low-privileged user account and restricting read and write access for this user across the operating system. The paranoid among us who have deployed a Java-based container should consider restricting file and network access through Java policies and security managers.

Sample requests and responses can be found on my web site:
http://www.iplosion.com/?p=36

Kind regards
Jan




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Paul Theriault
Sent: Wednesday, 27 September 2006 06:19
To: webappsec () securityfocus com
Subject: XML Port Scanning

SIFT has released a new Intelligence Report that provides a discussion on a new network reconnaissance technique, using XML for completing remote port scans that effectively bypass a perimeter firewall. The technique utilises properties of XML parsers to perform the scanning of systems, and while the technique relies on some reasonably specific implementation details in order to be exploitable remotely, it is potentially applicable to any application that accepts XML document inputs.

Several workarounds exist and have been detailed in this paper and the technique does not offer the ability to perform advanced fingerprinting or analysis of the underlying operating system of hosts. However, this technique demonstrates the danger that inadequately configured XML parsers can pose to an organisation and highlights the inability of traditional network security devices to handle application-level threats.

The report is available for download from the SIFT website:
http://www.sift.com.au/36/172/xml-port-scanning-bypassing-restrictive-perimeter-firewalls.htm


Regards,
Paul Theriault
www.sift.com.au

-------------------------------------------------------------------------
Sponsored by: Watchfire

It's been reported that 75% of websites are vulnerable to attack. That's because hackers know to exploit weaknesses in web applications. Traditional approaches to securing these assets no longer apply. Download the "Addressing Challenges in Application Security" whitepaper today, and see for yourself.

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmw
--------------------------------------------------------------------------


