A Team of researchers discovered a critical XML External Entity (XXE) vulnerability on Google server that allows an attacker to access any internal file.
A group of researchers has discovered a critical vulnerability Google search engine that could allow an attacker to access the internal files of the production Google server. I desire to describe this case to remind you that there isn’t a platform totally secure and that the approach to security must be done through continuous review of our systems.
Curious that the researchers used Google dorking to search for vulnerabilities within unpopular applications managed by Google, The Google Toolbar button gallery was the application that most of all attracted their attention.
The researchers have uncovered a serious flaw in the Toolbar Button Gallery noting that Google’s feature allows users to customize their toolbars with new buttons by uploading XML files containing layout properties.
“Not two minutes later we noticed that the gallery provides users with the ability to customize their toolbar with new buttons. If you’re a developer, you’re also able to create your own buttons by uploading XML files containing various meta data (styling and such)”
Injecting specially crafted XML the attacker could force Google server, in particular the XML parser, to interpret the malicious XML code to load and include functionalities that could compromise the overall security of the server.
This kind of vulnerability is known as XML External Entity (XXE), as explained by OWASP, processing of an external entity containing tainted data may lead to disclosure of confidential information and other system impacts.
“ There exists a specific type of entity, an external general parsed entity often shortened to an external entity, that can access local or remote content via a declared system identifier. The system identifier is assumed to be a URI that can be dereferenced (accessed) by the XML processor when processing the entity. The XML processor then replaces occurrences of the named external entity with the contents dereferenced by the system identifier. If the system identifier contains tainted data and the XML processordereferences this tainted data, the XML processor may disclose confidential information normally not accessible by the application.” is reported in the blog post published by OSWAP.
The researcher succeeded to upload their malicious XML code, using the API specifications the researchers crafted their own button containing fishy XML entities to conduct the XXE attack.
The researchers were able to access to the /etc/passwd and the /etc/hosts of one of the Google server used in production and provided the images to prove the impact of their attack.
“The root cause of XXE vulnerabilities is naive XML parsers that blindly interpret the DTD of the user supplied XML documents. By doing so, you risk having your parser doing a bunch of nasty things. Some issues include: local file access, SSRF and remote file includes, Denial of Service and possible remote code execution. If you want to know how to patch these issues, check out the OWASP page on how to secure XML parsers in various languages and platforms,” the researchers wrote on a blog post.
An attacker exploiting the vulnerability discovered by the researchers could have access any other file on any Google server, or worse could gain access to internal systems through the SSRF exploitation.
There is also a happy ending, after contacted Google the researchers were rewarded with $10,000 bounty for identifying an XML External Entity (XXE) vulnerability in one of the search engine’s features.