addis_a
November 6, 2014, 12:14am
1
I’m doing security research and I’m trying to create a Ruby script
vulnerable to XXE.
I’ve got the following XML, which should replace &xxe; with the contents
of the passwd file if the script is vulnerable:
# The ENTITY declaration and the <a><inject> wrapper were stripped by the
# forum's rendering; they are reconstructed here from the description above.
xml_data = '<?xml version="1.0"?>
<!DOCTYPE demo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<a><inject>&xxe;</inject></a>
'
From what I’ve read, it is the libxml2 options that are protecting the
script, so with Nokogiri I’ve tried forcing the options down to just
RECOVER, but that doesn’t work; I can’t even get basic entity
replacement working.
require 'nokogiri'

doc = Nokogiri::XML.parse(xml_data, nil, nil, Nokogiri::XML::ParseOptions::RECOVER)
puts doc.inspect
puts doc.xpath("/a/inject")
I’ve also tried with REXML; here the basic entity replacement works,
but I can’t find how to set the parse options.
require 'rexml/document'

doc = REXML::Document.new(xml_data)
doc.elements.each('a/inject') do |ele|
  puts ele.text
end
Finally, I’ve tried setting up a vulnerable environment with the
versions and code from this example, but this returns nothing:
(GitHub issue, opened 6 Jun 2012, closed 31 Dec 2014; labels: topic/security, topic/entities)
Using external XML entities you can specify URLs (e.g. HTTP) to be contacted when attacker-supplied XML is parsed. This can be used to trigger URLs on the internal network of an XML parsing service and potentially leak their responses.
External XML entities (file, http, etc.) should be completely disabled.
```
$ cat test.rb
require 'nokogiri'
d=Nokogiri::XML.parse("<!DOCTYPE doc [ <!ENTITY ent SYSTEM \"file:///tmp/marker\"><!ENTITY ent2 SYSTEM \"http://www.google.com/marker\"> ]>\n<root>\n<element>&ent;</element>\n<element>&ent2;</element>\n</root>")
d.each do |node| puts node.content end
$ strace -e connect ruby test.rb
# many connects, to www.google.com
$ ruby --version
ruby 1.8.7 (2010-01-10 patchlevel 249) [x86_64-linux]
$ apt-cache show libnokogiri-ruby1.8 | grep Version
Version: 1.4.0-3
$ apt-cache show libxml2 | grep Version
Version: 2.7.6.dfsg-1ubuntu1.5
Version: 2.7.6.dfsg-1ubuntu1
$ apt-cache show libxml-ruby | grep Version
Version: 1.1.3-2
```
What am I doing wrong? If there is a better way to do this then feel
free to suggest it; I’m not tied to either of these approaches, I just
need a way to practise exploitation of this vulnerability.
robintw
November 9, 2014, 10:28pm
2
On 9 November 2014 08:27, Kouhei S. [email protected] wrote:
<!DOCTYPE demo [
doc.elements.each('a/inject') do |ele|
puts ele.text
end
REXML doesn’t support expanding SYSTEM entities, so REXML
doesn’t have the vulnerability related to external content.
That’s useful to know, thanks
Robin
Hi,
In [email protected]
“making REXML or Nokogiri vulnerable to XXE” on Wed, 5 Nov 2014
23:13:32 +0000,
Robin W. [email protected] wrote:
I’ve got the following XML, which should replace &xxe; with the contents
of the passwd file if the script is vulnerable:
# ENTITY declaration and <a><inject> wrapper reconstructed from the
# description; the forum's rendering stripped them from the quoted post.
xml_data = '<?xml version="1.0"?>
<!DOCTYPE demo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<a><inject>&xxe;</inject></a>
'
…
I’ve also tried with REXML; here the basic entity replacement works,
but I can’t find how to set the parse options.
doc = REXML::Document.new(xml_data)
doc.elements.each('a/inject') do |ele|
  puts ele.text
end
REXML doesn’t support expanding SYSTEM entities, so REXML
doesn’t have the vulnerability related to external content.
Thanks,
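The following is an added example written for this page, not code from the thread or from the REXML or Nokogiri projects. It turns the question above into a repeatable check: instead of pointing the SYSTEM entity at /etc/passwd, it writes a random canary string to a temporary file, references that file from the same `<a><inject>&xxe;</inject></a>` document shape used in the post, parses it, and reports whether the canary came back. With REXML (stdlib) it never does, which is Kouhei's point: REXML parses the ENTITY declaration but does not fetch the URI, so the reference is left in the text. For Nokogiri, the part a tester actually needs is the parse option set: `DEFAULT_XML` is `RECOVER | NONET`, and it is the missing `NOENT` (substitute entities), not the presence of `RECOVER`, that keeps libxml2 from expanding `&xxe;`; `DTDLOAD` is added so an external DTD would load too. The Nokogiri branch assumes the `nokogiri` gem is installed and is skipped otherwise; the canary file name and helper names are this example's own.

```ruby
require 'rexml/document'
require 'tempfile'

# Constructed canary: stands in for the "secret" file an XXE would read.
# A private temp file makes the leak check exact and keeps the test
# independent of what /etc/passwd happens to contain.
CANARY = "XXE-CANARY-#{rand(1 << 32)}"

# Write the canary to a temp file and yield its path; the file is removed
# when the block returns.
def with_canary_file
  Tempfile.create('xxe-canary') do |f|
    f.write(CANARY)
    f.flush
    yield f.path
  end
end

# Same shape as the document in the thread: a SYSTEM entity declared in the
# internal subset and referenced from /a/inject. <<~ strips the indentation,
# so the XML declaration lands at byte 0 as the spec requires.
def xxe_document(path)
  <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE demo [
      <!ENTITY xxe SYSTEM "file://#{path}">
    ]>
    <a><inject>&xxe;</inject></a>
  XML
end

# REXML: the ENTITY declaration is parsed, but an external (SYSTEM) entity
# has no replacement text in REXML's model, so the reference is left in the
# element text and nothing is read from disk or the network.
def rexml_inject_text(xml)
  doc = REXML::Document.new(xml)
  doc.elements['a/inject'].text
end

# Nokogiri: DEFAULT_XML is RECOVER | NONET, under which libxml2 leaves
# entity references unexpanded. NOENT makes it substitute them, fetching
# SYSTEM entities as it goes; DTDLOAD lets it load an external DTD. NONET
# is still set here, so file:// resolves but http:// does not; drop it as
# well if the goal is to practise SSRF through the parser.
def nokogiri_inject_text(xml)
  require 'nokogiri' # LoadError here means the gem is not installed
  doc = Nokogiri::XML(xml) { |cfg| cfg.noent.dtdload }
  doc.at_xpath('/a/inject')&.text
end

# True if the parsed text contains the canary, i.e. the parser resolved the
# external entity and the file contents leaked into the document.
def leaked?(text)
  text.to_s.include?(CANARY)
end

def rexml_leaks_canary?
  with_canary_file { |path| leaked?(rexml_inject_text(xxe_document(path))) }
end

if __FILE__ == $0
  with_canary_file do |path|
    xml = xxe_document(path)
    puts "REXML leaked canary?          #{leaked?(rexml_inject_text(xml))}"
    begin
      puts "Nokogiri (NOENT) leaked canary? #{leaked?(nokogiri_inject_text(xml))}"
    rescue LoadError
      puts 'Nokogiri not installed; gem install nokogiri to try the NOENT variant'
    end
  end
end
```

Run it as a plain script. The REXML line always reports `false`; with the gem installed, the Nokogiri line reports `true`, and switching `cfg.noent.dtdload` back to the defaults flips it to `false`, which is the quickest way to confirm that a given Nokogiri call site is or is not exposed to XXE.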