Exploiting XXE via File Upload
Before moving further we must get familiar with XXE. So please check my previous blogs on it.
https://medium.com/@gupta.bless/exploitation-xml-external-entity-xxe-1f5f3e7bc5c4
We have learnt about XXE previously but there is one more thing we need to understand before going ahead, unrestricted file upload vulnerabilities. So you can read my previous blog for that one as well.
https://gupta-bless.medium.com/exploiting-unrestricted-file-upload-vulnerabilities-4831aa839b25
If the application has the image or file upload functionality then there might be possibility that we can upload an SVG file ,
Scalable Vector Graphics/SVG: SVG file actually defines graphics in XML format.
Since it defines graphics in XML format then these files create a lot of attack scenarios like we can actually execute the XSS using the SVG file and can do a lot more. We can also execute XXE using these files which we are going to explore in this blog.
When we upload SVG image from client side, and there is no verification of content/ commands on server side. Therefore, a situation may arise where attacker can execute malicious commands to fetch the internal details. Such as fetching /etc/passwd file and if the server handling the request is using AWS then we can fetch the credentials as well.
Exploitation:
In this application, we can actually post our comments and there is also an option to upload a profile picture or “avatar” of ours.
I uploaded an image called “index.jpg” and intercepted the traffic, the intercepted traffic looks like:
You can also try to modify the content-type and file name in order to bypass file upload restrictions.
Why I modify the extensions of a file ? It is a basic technique to bypass file upload restrictions that I have already mentioned in my blog.
If application supports PNG, JPEG and other extension of file while uploading then there might be possibility that image processing library may support SVG files as they are graphics in format of the XML. Now our aim is to upload a malicious image that uses XML as a format with some of the XXE payload which actually fetches the /etc/hostname file if the file is processed.
<?xml version=”1.0" standalone=”yes”?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM “file:///etc/hostname” > ]>
<svg width=”128px” height=”128px” xmlns=”http://www.w3.org/2000/svg" xmlns:xlink=”http://www.w3.org/1999/xlink" version=”1.1">
<text font-size=”16" x=”0" y=”16">&xxe;</text>
</svg>
We create image in SVG format that uses XML.
<?xml version=”1.0" standalone=”yes”?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM “file:///etc/hostname” > ]>
These 2 lines are base of xml. The only thing I changed here is “file:///etc/hostname”. I actually mentioned a system command which upon processing fetches the file from the server.
<svg width=”128px” height=”128px” xmlns=”http://www.w3.org/2000/svg" xmlns:xlink=”http://www.w3.org/1999/xlink" version=”1.1">
<text font-size=”16" x=”0" y=”16">&xxe;</text>
</svg>
In these lines, we just try to set the height, width of the image so that the output of our command gets rendered in a readable format.
Now lets upload the “SVG” image file and intercept the traffic.
As I forwarded the request, I got 302 Redirection. Let’s proceed with the redirection:
Now you can see that the image file has been uploaded successfully now we have to check our avatar if it fetched or rendered any useful information.
Open the image in a new tab and you can actually see that it fetched the hostname of the server so we actually executed XXE by an SVG file on this system.
Remediation:
1. If you are allowing user to upload image file on your server, whitelist the extension and don’t let them upload SVGfile.
2. If SVG files are business requirements then put a restrictions in place so that the command in those files doesn’t get processed.
