Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Abusing URL Parsing Confusion to Exploit XXE on SharePoint Server and Cloud - 1423

Piotr Bazydlo - ZDI, posted 1 year ago
  • XML eXternal Entity (XXE) injection is a vulnerability in XML parsing that allows an attacker to declare entities that lead to file reads, SSRF and other issues. Most of the time, XXE bugs are fairly simple, but this one hinged on a weird URL parsing issue.
  • Microsoft.SharePoint.WebControls.BaseXmlDataSource is a class in Microsoft SharePoint for loading data source objects on a SharePoint page. The DataSource URL can be controlled as an arbitrary URL. While reading the code, which claimed XXE protections, the author tried to include a DTD and it surprisingly worked! According to the author, code that properly blocks DTD inclusion in .NET is pretty rare.
  • So, what was going on? The resolver handles the entities first and THEN performs the prohibit check. So, an exception does end up being thrown, but NOT before the request is actually made. When XmlSecureResolver checks for DTD inclusion, it performs a URL check to prevent arbitrary domains from being used. In particular, the domain being pulled from MUST be the same as the domain of the data being requested.
  • The end goal was to get an XmlSecureResolver policy that allows both the reading of local files and HTTP requests. In other words, trick the policy writer into handing out an unrestricted policy while still being able to request data. This is a classic situation where URL parsing differences really matter.
  • After tinkering around for a few hours, the author arrived at file://localhost\c$/sites/mysite/test.xml. Since this is a file URI, it gets ignored by the check. Next, the ending of the file path is treated as a local file system path, which a user can freely write to anyway.
  • With this, the XXE bug becomes exploitable. Here are the steps:
    1. Upload the malicious XML file to SharePoint as part of a website. This only requires a low-privileged user.
    2. Next, create a page with the data source set to the malformed URL above.
    3. Step 2 retrieves the malicious XML.
    4. XmlSecureResolver creates a policy based upon the URL, without any restrictions.
    5. The malicious XML triggers the XXE bug.
  • Even though an error is triggered on the XXE bug with a DTD exception, it comes too late in the processing. The requests to retrieve arbitrary files, such as win.ini, are already done. I found it so fun that the error is triggered only after the processing. It's a good reminder to always look for side effects of a request that are not directly returned in the response.
  • Overall, a really good write-up! I enjoyed the images throughout, as it was a difficult bug to think about.
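The two lessons from this write-up, that a prohibit check which runs after resolution is worthless and that correctly blocking DTDs in .NET is rare, are easy to see side by side in a small program. The example below is added here and is not code from the ZDI post or from SharePoint: it parses a constructed document whose DOCTYPE declares an external entity (pointing at a placeholder path, not a real file) twice, once with a weak XmlReaderSettings configuration and a resolver that only records what the parser asks for, and once with the hardened DtdProcessing.Prohibit plus XmlResolver = null configuration, where the DOCTYPE is rejected before any entity can be resolved.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

// Stand-in for a real file/network fetch: records every URI the parser
// requests and returns empty content, so the side effect is visible offline.
class RecordingResolver : XmlResolver
{
    public List<string> Requested { get; } = new List<string>();

    public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)
    {
        Requested.Add(absoluteUri.ToString());
        return new MemoryStream(Array.Empty<byte>());
    }
}

static class DtdHandlingDemo
{
    // Constructed sample document; the SYSTEM identifier is a placeholder path.
    const string Doc =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE root [ <!ENTITY ext SYSTEM \"file:///tmp/placeholder-entity.txt\"> ]>\n" +
        "<root>&ext;</root>";

    // Weak configuration: DTDs are parsed and a resolver is attached, so the
    // external entity is requested while the document is being read.
    public static List<string> ParseWeak()
    {
        var resolver = new RecordingResolver();
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = resolver,
        };
        using (var reader = XmlReader.Create(new StringReader(Doc), settings))
        {
            while (reader.Read()) { }
        }
        return resolver.Requested; // contains file:///tmp/placeholder-entity.txt
    }

    // Hardened configuration: the reader throws XmlException as soon as it
    // sees the DOCTYPE, before any resolver could be consulted.
    public static bool ParseHardened()
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(Doc), settings))
            {
                while (reader.Read()) { }
            }
            return true; // document accepted (no DTD present)
        }
        catch (XmlException)
        {
            return false; // DOCTYPE rejected; nothing was fetched
        }
    }

    static void Main()
    {
        foreach (var uri in ParseWeak())
            Console.WriteLine("weak configuration requested: " + uri);
        Console.WriteLine("hardened configuration accepted document: " + ParseHardened());
    }
}
```

The point to check in your own code is the ordering the write-up describes: the rejection must happen at the DOCTYPE, as DtdProcessing.Prohibit does, rather than in a resolver or policy that only runs once the parser has already asked for the entity. A recording resolver like the one above is also a cheap way to audit an existing parser configuration, since any URI it logs is a request the parser would have made regardless of what the later checks decide.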