Exploiting Privilege Escalation to Disclose Secrets Through XXE
A series of blogs having interesting cyber security vulnerabilities. Follow Along!
Privilege Escalation → Username Enumeration → XXE → Directory Traversal → Configuration File Exposure
As the name suggests, privilege escalation occurs when a user is able to access information / functionality which he is not supposed to access by default. This generally occurs due to a misconfiguration in the workflow of the application (application, web application, website, all are synonymous). The impact of privilege escalation differ from application to application depending on the information or functionality that is exposed.
This vulnerability could expose information or functionality of a different user having the same level of access to the application, this is called horizontal privilege escalation. For example, a social media platform may allow a user (attacker) to delete the posts of a different user (victim). In this case both the users have the same level of access but an attacker can elevate his privileges to access functionality of a different user.
Similar thing could be achieved to gain access to information or functionality of a user who is at a higher level of privileges like an admin user. For example, a social media group only allows the administrators to post in it, but an attacker (not an administrator) may find a misconfiguration which allows him to post in the group. This is called a vertical privilege escalation in which an attacker gains access to the functionality of a higher privileged user.
It is a simple misconfiguration which allows an attacker to enumerate the presence of a user in the application. This could be done through username or email addresses.
XML External Entity Injection (XXE)
This is an inherent flaw in XML based APIs. Often when the application uses XML format to transfer data from the client to the server, they may allow custom DTDs to be referenced. This is where the problem arise.
A DTD (Document Type Definition) is a file which defines the structure of an XML document. It could be present inside the parent XML file itself, but its not fun at all. So, sleepy developers allow referencing custom DTDs.
An attacker can reference sensitive files from the machine itself to achieve directory traversal. A remote file can also be accessed to achieve Server Side Request Forgery (DM me to my Instagram / LinkedIn if you want me to create fun blog on SSRF).
The vulnerable application which is used for demonstration below can be found here.
Walkthrough of the issue
The application allows us to login to the application as a standard user. In the dashboard there is an admin area listed.
Trying to access the admin area, the application reverts us back to the dashboard, possibly because we do not have an admin privilege.
Let’s check how is the application is checking the privileges of the current user. I used Burp Suite to check the originating requests when we click the Admin Area button.
The application sends a request to an endpoint named /api/v2/users/checkadmin
The response of this request consists of an error message and the name of the user.
Lets simply try removing the error message from the response.
We now have access to the /admin.html page which was supposed to be restricted to the admin user.
The admin area allows us to enumerate the usernames of the users that are present in the application.
Lets check my own username.
On checking the originating request for this username enumeration functionality, I observed that the application is communicating with the backend in the form of XML.
This request could be vulnerable to XXE. So, we now test for XXE. For testing this I added a reference to an external entity and printing the reference on the application.
On testing for XXE I got a huge error back from the application. This error message discloses the full path of the application’s root folder (/home/dvws-node/). The error took place because I forgot to add a semicolon while referencing the external entity, meh!!
Now, since we have directory traversal through the XXE payload and we know the home directory of the web application, we can use it to disclose the configuration file of the server.
Wildly guessing the name of the config file be config.xml
The config file exposes the credentials of the MySQL instance running on the server.
The issue originated because the client side controls trusted the application’s response which was susceptible to tampers. Thus, all the security and access controls should be implemented in the server side. Further, the XXE attack could have been prevented by disabling the reference to external entities and disabling support for XIncludes.
In conclusion, privilege escalation attacks can be devastating for any organization, and this incident highlights the importance of implementing strong security measures to prevent such attacks. The attacker in this case was able to gain access to sensitive information through a combination of username enumeration, XXE, and credential exposure through a configuration file.