Security misconfiguration - XXE detailed
The “XML eXternal Entities” (XXE) vulnerability class is a Security Misconfiguration involving XML parsers.
The XML standard includes ways of referencing “entities”, such as files and URLs. Many parsers resolve external entities by default, which means that an attacker-supplied XML document can lead to the disclosure of files and other sensitive information.
A simple example
Let's look at an example of an XML document which makes use of external entities:
```xml
<?xml version="1.0" ?>
<!DOCTYPE outerElement [
<!ENTITY externalEntity SYSTEM "file:///etc/passwd" > ]>
<outerElement>&externalEntity;</outerElement>
```
First, we declare a new ‘doctype’ which defines the structure/element types that can exist within the document and be handled by the parser.
Within it, we specify a SYSTEM-type entity called ‘externalEntity’. This entity points at the file ‘/etc/passwd’.
Following the ‘doctype’ definition, we have our actual XML data. We define an ‘outerElement’ and then we add a reference (denoted by the ‘&’) to the ‘externalEntity’ entity.
At this point, the parser looks up the entity definition, fetches the resource at the URL it names, and substitutes the content for ‘&externalEntity;’.
At the end of the parsing process, we end up with a document that looks like this:
```xml
<?xml version="1.0" ?>
<outerElement>
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
....
</outerElement>
```
Mitigation
Whether protection against XXE is needed, and exactly how to achieve it, depends heavily on the language, framework, and version thereof.
Each combination will often allow for disabling some aspects of the parser; a given setting may prevent the resolution of files but not of HTTP URLs, or it may still allow the expansion of internal entities, which by itself can lead to a Denial of Service vulnerability.
.NET
If you’re running .NET 4.5.1 or below, the following classes are vulnerable by default:
- XmlDocument (Disable with `xmlDocument.XmlResolver = null;`)
- XmlTextReader (Disable with `xmlTextReader.ProhibitDtd = true;`)
- XPathNavigator
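The following C# program is an added example (not code from the article) that ties the two sections together: it feeds the article's sample document through an `XmlDocument` loaded via an `XmlReader` whose settings refuse DTDs and disable the resolver, so the `SYSTEM` entity is never looked up and the document is rejected before the entity declaration is even processed. It uses only `System.Xml` APIs from .NET Framework 4.0 and later: `XmlReaderSettings.DtdProcessing` (the replacement for the obsolete `ProhibitDtd` property listed above), `XmlReaderSettings.XmlResolver`, and `XmlDocument.XmlResolver`. The class and method names (`XxeHardening`, `SafeSettings`, `LoadSafely`) are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Xml;

static class XxeHardening
{
    // The article's sample document, embedded as a constant so the program runs offline.
    const string Untrusted = @"<?xml version=""1.0"" ?>
<!DOCTYPE outerElement [
<!ENTITY externalEntity SYSTEM ""file:///etc/passwd"" > ]>
<outerElement>&externalEntity;</outerElement>";

    // Hardened reader settings:
    //  - DtdProcessing.Prohibit makes the reader throw XmlException as soon as it
    //    sees <!DOCTYPE ...>, so no entity declaration is ever parsed.
    //  - XmlResolver = null is a second layer: even if a DTD were permitted,
    //    no external resource (file:// or http://) could be fetched.
    static XmlReaderSettings SafeSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };
    }

    // Load untrusted XML into an XmlDocument through the hardened reader.
    // Setting XmlResolver = null on the document itself covers the
    // .NET 4.5.1-and-below default described in the article.
    static XmlDocument LoadSafely(string xml)
    {
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), SafeSettings()))
        {
            doc.Load(reader);
        }
        return doc;
    }

    static void Main()
    {
        try
        {
            var doc = LoadSafely(Untrusted);
            Console.WriteLine("Parsed: " + doc.DocumentElement.InnerText);
        }
        catch (XmlException ex)
        {
            // Expected for the article's document: the DOCTYPE is refused outright,
            // so /etc/passwd is never read.
            Console.WriteLine("Rejected: " + ex.Message);
        }

        // A document without a DTD still parses normally under the same settings.
        var clean = LoadSafely("<outerElement>hello</outerElement>");
        Console.WriteLine("Parsed: " + clean.DocumentElement.InnerText);
    }
}
```

Rejecting the DTD outright is the simplest and most robust option when your application does not need DTDs at all; if it does, keep `XmlResolver = null` and use `DtdProcessing.Ignore` or `DtdProcessing.Parse`, remembering that parsing a DTD still allows internal entity expansion and therefore the Denial of Service case mentioned above.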