eXploitable Markup Language


June 20, 2015

Another year, another Hacktivity. In late January, early February I started thinking about what to present at this year’s conference. I’ve had a few promising research topics, including hacking multiplayer games, researching, fuzzing and finding vulns in Microsoft’s Event Log subsystem, and hacking smart houses. As I poked around these topics, one particular thing kept popping up: XML. Yep, games use XML for network communication and data storage, the oBIX protocol used for communication between smart house components is basically XML, and the EventLog format is based on Microsoft’s own binary XML format.

So, I thought, why not present about XML? Yeah-yeah, there is a lot of research material and presentations about attacks abusing some-or-other feature of the XML standard, but:

– I thought these types of attacks still don’t get the attention they need.
– Most of the existing papers on this topic talk about web applications.

So the course was set: I decided that my Hacktivity 2014 presentation would be about XML External Entity attacks against non-web applications. I started researching, poking around software that deals with some kind of XML-derivative formats, and it felt like the movie Tremors: there were nasty bugs everywhere I stepped.

Shortly after, one of my colleagues, Akos, joined me in this investigation, and we decided we’d do the presentation together. We’ve checked a lot of XML-based formats and tools, and in the last two weeks we’ve also managed to find some impressive vulnerabilities, some of which we demoed at Hacktivity. In our presentation we’ve not only talked about these bugs, but we’ve shown some hopefully interesting ways to exploit XXE using inter-protocol exploitation techniques. If you’ve missed it at the conference, here is our slide deck:

There is still a lot of research potential in this topic, so of course our journey to XML-land did not come to a stop on the day of the conference. Expect to see some more exciting stuff from us, along with some CVEs 🙂