Exploiting XXE in File Upload Functionality
Blackhat Webcast - 11/19/15
Will Vandevanter - @_will_is_
Agenda (30 minutes):
- OOXML Format, Demo
- Other File Formats, Demo
- Further Exploitation
Slides, References, and Code:
oxmlxxe.github.io
Office Open XML (OpenXML; OOXML; OXML)
- *.docx, *.pptx, *.xlsx
- "Open" File Format developed by Microsoft
- Available for Office 2003, Default in Office 2007
- ZIP archive containing XML and media files
General Parsing OOXML
- /_rels/.rels
- [Content_Types].xml
- Default Main Document Part
- /word/document.xml
- /ppt/presentation.xml
- /xl/workbook.xml
Bug Bounty: Slack.com
- File Sharing Functionality
Bug Bounty: Facebook Careers
- Q4 2014 - Mohamed Ramadan
- Resume Upload Functionality
oxml_xxe demo
XXE in docx
PDF XXE
- Javascript that included XML with an XXE
- Exploited in Adobe Reader 7; 2005-06-15
- Extensible Metadata Platform (XMP)
- ISO Standard, Created by Adobe
- Provides support for metadata without breaking readability
oxml_xxe demo
XXE in PDF
XMP In Image Formats
- GIF, PNG
- JPG
- Lens Blur Camera Photo Feature
Google Research - "Lens Blur in the new Google Camera App" (04/16/14)
oxml_xxe demo
XXE in JPG
XML Entity
< !DOCTYPE root [
< !ENTITY post "MYSTRING">
]>
DOCX
/word/document.xml
PPTX
/ppt/presentation.xml
XLSX
/xl/workbook.xml
+OXML_XXE
XSS Testing
< !ENTITY post "<script>alert(1)...
< !ENTITY post "< ![CDATA[<script>alert(1)...
LFI
Relationship Id="rId1" Type="...relationships/officeDocument" Target="/word/document.xml"
+OXML Features
hlinkHover
XSLTransform
Embedded "Documents"
SSRF
+Testing Cheatsheet
Classic (X)XE
Canary Testing DTD and XE
XSS XE testing (CDATA/plain/attr)
XE LFI
Embedded (X)XE attacks
SSRF (X)XE
Summary Points
(DEFENSE) The libraries that parse XML on one part of the site (e.g. API) may not be the same ones that parse uploaded files; verify! Check configurations.
(DEFENSE) Patches exist, many are recent
(OFFENSE) Lots of surface area for exploitation
(OFFENSE) Untouched research targets
Thanks!
http://oxmlxxe.github.io