Legitimate uses for external entities exist, but they are more often used in exploits which read sensitive files from a server, or even execute arbitrary commands under certain conditions. For example, the XML document below reads a file located at “ ”: ]> &jmeyer Similarly, XML documents may contain entities that reference files using protocols such as HTTP or FTP, allowing XML documents to contain entities that reference files located on any network accessible server. In this example, the entity “hostName” reads the value of “/etc/hostname” and includes it in the body of the XML file.
For example, if we wanted to create an XML document that contains the “hostname” of a server we could use the following XML file: ]> &hostName Commonly, external entities use files on a local filesystem.
XML entities can also be “external”, meaning that the value substituted in comes from outside of the document that is being parsed.Įxternal entities were created so that one XML document could reference a value from another document, or so that an XML document could be dynamically created based upon the value of some entity foreign to the document itself. Entities are similar to macros in other languages, as they can store a value that will be substituted in when the document is parsed. These attacks rely on a feature of eXtensible Markup Language (XML) called “entities”. The security vulnerability lies in an XML parsing library common to Android development tools and is an example of an XML External Entity (XXE) attack. The vulnerability was initially disclosed to Google and the other tool vendors in May of 2017 by Check Point, and it was recently disclosed to the public. These tools are available on all the major platforms - Windows, macOS, and Linux - and all are equally vulnerable.
Android app developers and reverse engineers are the target of a newly documented vulnerability called ParseDroid, which affects development tools including Android Studio, IntelliJ, Eclipse, APKTool, and others.
0 kommentar(er)
