XXE (Xml eXternal Entity) attack

[Gregory Steuck <greg-xxe () nest cx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an abbreviated variant of my post to bugtraq. I hope webappsec
subscribers will find this useful too. I excluded the section discussing
particular products since it didn't fit the list charter. Legalese is
also gone to improve content/fluff ratio.

Overview:
 XXE (Xml eXternal Entity) attack is an attack on an application that parses
 XML input from untrusted sources using incorrectly configured XML parser.
 The application may be coerced to open arbitrary files and/or TCP connections.

Details:
 External entity references allow embedding data outside the main file into
 an XML document. In the DTD, one declares the external reference with the
 following syntax:
  <!ENTITY name SYSTEM "URI">

 XML processor behavior as specified is
 [http://www.w3.org/TR/REC-xml#include-if-valid]:

  "When an XML processor recognizes a reference to a parsed entity, in
  order to validate the document, the processor must include its
  replacement text. If the entity is external, and the processor is not
  attempting to validate the XML document, the processor may, but need
  not, include the entity's replacement text..."

 Now assume that the XML processor parses data originating from a source under
 attacker control. Most of the time the processor will not be validating,
 but it MAY include the replacement text thus initiating an unexpected
 file open operation, or HTTP transfer, or whatever system ids the XML
 processor knows how to access.

Suspect systems:
 The buzz on the street is "web services". They accept XML encoded
 data over the network, sometimes from untrusted clients. So, the
 prime targets are SOAP and XMLRPC implementations. Yet, there are
 many more XML based protocols and vulnerability does not necessary
 lie with the servers. Pick any "XML based network protocol" and
 try to apply the attack methodology.

Suggested fix:
 Most XML parsers allow their user to explicitly specify external
 entity handler. In case of untrusted XML input it is best to prohibit
 all external general entities.

Successful exploitation may yield:
 * DoS on the parsing system by making it open, e.g.
   file:///dev/random | file:///dev/urandom | file://c:/con/con
 * TCP scans using HTTP external entities (including behind firewalls
   since application servers often have world view different
   from that of the attacker)
 * Unauthorized access to data stored as XML files on the parsing
   system file system (of course the attacker still needs a way to
   get these data back)
 * DoS on other systems (if parsing system is allowed to establish
   TCP connections to other systems)
 * NTLM authentication material theft by initiating UNC file access to
   systems under attacker control (far fetched?)
 * Doomsday scenario: A widely deployed and highly connected application
   vulnerable to this attack may be used for DDoS.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OpenBSD)
Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard <http://www.gnupg.org/>

iEYEARECAAYFAj2/J/QACgkQCxVCvY31obBK8wCffqAzS+GIlpT63xwsCVli1K62
YJMAn1HVWmkfbte0nSR7QHQ6JBR2+DLh
=xQ3s
-----END PGP SIGNATURE-----