BSidesNoVA 2021 | Clint Kehr & Mark Schmidt | XXE and the Cloud: the sky IS falling

hey everyone how's it going since since we can't do this in person mark decided to stop by so uh we're doing this together um can everyone see our screen awesome you see us hello you can see us can you see our can you see our beautiful b-sides nova uh powerpoint hey jay can everybody see the presentation hacking the cloud are we sharing am i sharing share screen okay okay good thanks thanks just making sure hello everyone and welcome to hacking the cloud xxe and the aws metadata service although we'll talk about some other metadata services today i'm clint care here with mark schmidt and let's get rolling here so if you read the description of this

presentation why are we doing this well xxe is a vulnerability that is important to us as hackers uh when when we think about hacking something we should also be thinking about the environment we're in so why this talk came about is because we've actually seen this in real life and you could stop at xxe but once it hits the cloud you hit a metadata service and we're going to show you all the interesting things you can do with this metadata service so just an overview of the talk we'll explain who we are uh we'll start from the ground up talking about xml we'll talk about xxe we'll talk about what the metadata service is and is not and then we'll talk about

how xxe and metadata service intersect and then we're going to talk about aws instance metadata service version 2 and how that's kind of a safeguard kind of a safeguard against xxe attacks we'll talk about how you fix it although we're hackers so probably you know we'll give our best guess and then we'll open up the questions because we didn't pray to the demo gods today the demos are recorded and we apologize for the volume i have it all the way up i apologize if the videos are not clear we try to do them 1080. it should be up it should be okay we'll see how it goes we'll roll the dice so with that i'll let mark

introduce himself so um i'm currently working on a responsible disclosure program for a financial company i'm a former blue teamer i was in the sock for about four and a half years uh before that i actually was a lead armored vehicle technician for diplomatic security for about 13 and a half years uh traveling the world fixing armored cars and and running a team um so complete career change for me oh passing it back all right clint care uh i am a former special agent with the department of justice so like mark i didn't start out in cyber security i kind of fell into a group in doj that dealt with the dark web and kind of immersed myself uh doing

operations on the dark web which i can't really talk about if you buy me some beer later maybe i can tell you some things we'll see anyway former navy reserve officer i'm also a member of vetsec which i know is part of this conference so if you're a veteran and want to join check out vetsec um i've worked on cyber threat intelligence teams uh and i worked with mark on a responsible disclosure team i'm currently a manager on a pen test team and i make and break home labs it's kind of a hobby of mine in my free time and i have a bunch of uh certifications as you can see uh offensive defensive um etc

so with that here's a disclaimer i'm at best a mediocre hacker i'm not a developer i won't speak for mark but i'm kind of a mediocre hacker so if you have some very interesting questions about uh development and aws infrastructure as you can see out of all my certifications i don't have any aws certifications um but we are not developers so if you want to get into that into the wheats there we can't help you with that so we're going to start uh start off by talking a little bit about xml and and what it does um so xml stands for extensible markup language uh it's designed primarily for the transportation and storage of data

not necessarily the presentation of data like its markup counterpart um html that everybody knows the formatting of xml uses a tree-like structure of tags elements and attributes all in a nested format they do not it does not use pre-defined tags like html if you're familiar with html you have predefined tags like h1 through six for header title body things of that nature with xml it's complete you can name of your choice you can you can label your tags however you'd like um like html though it is not considered a programming language it's considered a markup language and uh with markup languages they're human readable and uh they're more for defining content structure of a document

so we're going to get into the syntax of xml so xml is case sensitive so for example here in the in the bottom picture with my opening tag root it's all lower case i nest in all my all my elements and sub elements um when i go to close that out close that tag out with the same root tag if i were to accidentally put a capital r it would actually break the parsing of that document you probably receive an xml parsing error like mismatched tags or something like that elements must have a it must xml must have a root element so every properly formatted xml document must have one root element there are cases where you can

where you can define multiple root elements but that's in the case of using a dtd which we'll get into in a little bit so elements must also have opening and closing tags i kind of mentioned that already but um so when i create my root tag my opening root tag i nest in a child tag every every element that i put in there i must have a closing tag otherwise again it will break the parsing and you will receive a parsing error probably missing closing tag or something similar so xml the top the top line there is the xml declaration so i say this is mostly optional just because if you are using utf-8 encoding or

utf-16 encoding you do not need this line it's not required if you are using any other encoding other than utf-8 or utf-16 this is a required declaration so what is a document type definition or a dtd so this is something that defines the the legal struct the structure and the legal entity are elements allowed within a xml document um this can be passed both inline uh within your xml doc or uh out of band or um through a dtd file uh so i'm gonna go through just some of the pieces of adtd um this isn't necessarily a part of the dtd but again this is where you have to declare your encoding um in version

again if you're not using utf-8 or utf-16 encoding you must have this line in there this is where you would define your entities um so think of entities as sort of an alias name you see here i have name one and name two uh john and tom uh and that's what you would use to re it's think of it like a find and replace within your code so here it's not part of the gtd i just wanted to sort of show an example of how you would use an entity uh within xml so you'll see here i have my customer element and then my sub element name uh then i use my entity there which would ultimately replace name two

would ultimately replace with tom name one with john so what is xxe injection um so xxe stands for xml external entities uh which sort of like the entities you saw in the dtd there so it is a web vulnerability that where attackers can basically fool or or manipulate a an xml parser to do things it wasn't really supposed to do and retrieve data from the system so some of the things you can accomplish with xxe is viewing system files on an application server or file system interacting with a back-end system or external system that the application has access to and then also leveraging ssrf to compromise additional internal services uh you can also use um

use it to leverage ssrf to uh reach out to an attacking your attacker domain where you might host a malicious dtd file so we're going to cover two types of xxc injections um in-band and out-of-band there are additional ones but these are the main two that we are going to cover um so think of this uh when you think of this attack uh think of it sort of like how you would uh go to your browser and type in file uh etsy password or you can do it on your android device as well um through a brow or through a browser you could go to sd card one and then pull back your your system files

there here we are within band we are actually delivering our dtd through the actual code itself within the xml so you'll see here i i specify the doctype hack uh entity the planet and all an entity the planet is basically an alias for a system call to the etsy password file and you'll see below when we're actually calling for the product id we are actually sending it the planet which uh what is the system call for the etsy password file so out of band like i mentioned before out of band is when you are calling an external uh dtd file uh why would you need to do this uh so in this case right here this is an

example of sort of the same thing i did before i attempted it in band passing it the the system um command for file etsy password uh but i received invalid product id um and no data returned so with the with the out of band you are actually able to uh contact an external dtd to try to deliver the data to a listener you have set up which is exactly what i'm about to show you in this demo that we're going to set up so um hopefully you guys can hear this uh the volume sounds low on our laptop but everybody said it sounded fine when we when we did it in practice so in this demo we'll be showing you

blind or out of band xxc injection through the use of ssrf to pull down system files for this demo we're going to be attacking our well-known seaside's 2021 login page that happens to have an xxe vulnerability um we're gonna have to do a couple things first we have to spin up an apache web server we're going to run an ifconfig just to figure out the ip of the attacking machine and then we're going to go ahead and curl the ip just to make sure that our web server is up and running so let's go ahead and start the apache website all right now that we have that started um

now let's go ahead and curl that ip

looks like we're hitting a page which is great it needs our web servers up and running so now we can move on and we're going to go ahead and modify our payload

so a couple things here um within this dtd file that we'll be calling uh you see some parameterized entities uh basically what we're doing is we're forcing the xml parser to grab the contents of the xe etsy passwords file and assign them to the p1 entity um the same with the traffic back to our system uh we're going to give it our attacking ip and port of our choice and what it's going to do is and then also a non-existent uh file path and what it's going to do is append the etsy password file through the p1 entity on the end of it um that's nested within the p2 entity um but it's labeled as e1 and you'll

know you'll notice e1 once we start capturing traffic it'll make a little more sense so let's go ahead and modify this

reporting our choice go ahead and save this file off make sure it looks great off

what we're going to do is go ahead over here and we're going to run the curl one more time but we'll throw the file name on the end of it just to make sure that we can reach our file uh looks like we can see the content which is great i'm gonna go ahead and cap the server logs just to make sure that we're getting traffic uh as you can see here you can see the get to the file name which is great so everything's working as planned we can move on to intercepting uh i'm gonna move over and turn intercept on within burp suite and we're going to go ahead and attempt to log into the application

pretty much put any password you want and log in and now you can see we captured the traffic in our intercept proxy i'm going to go ahead and grab this send it over to repeater and after that i don't really need this web page anymore so i'm going to expand this move over to repeater where we can see our post request um so here i'm you can see the post request with the username and password we don't need any of this we're going to go ahead and put our own xml

and our ip address for our tech machine

here's where we're going to enter that e1 entity ampersand e1 with semicolon never forget the semicolons

so essentially what's happening here is we are using this to call back to our dtd file and then that e1 entity that you saw within our payload is being used to call that um to use that attack traffic to send it back to our listener that we're going to set up whoops sorry i forgot you need to change this to xml so it knows how to read it so we're going to go ahead uh we're ready to send it so we're going to go ahead and set up a netcat listener um in our specified port so now that we have that set up we should be ready to go we as soon as i hit go you should see the

traffic come back with the etsy password file appended and there you have it

oh there we go we're back we're back all right so mark did the hard stuff he did the out of band xxe attack which looks really cool but requires a whole lot of infrastructure setup so now if we're hackers or pen testers or attackers um what we need to be thinking about is what our environment is and how we can leverage this vulnerability if it's in uh in the cloud so if we're talking specifically about aws and ec2 instances or their vms if you will they have this metadata service which is a rest api running on one six nine two five four one six nine two five four and if you call this uh instance metadata service say that

times five times fast i've tried it doesn't work out very well you can pull information like the instance name the ami storage information figure configuration information which is all well and good but as attackers we should be thinking about keys and tokens because in aws if we can access keys and tokens and throw that in the aws cli command line interface we can try to hit other services maybe other ec2 instances maybe s3 maybe lambda maybe mess with the account itself so essentially break out of the ec2 instance which is why this makes this vulnerability much worse when it's in the cloud

now it's not just aws gcp and azure azure azure i always say it wrong also have instance metadata services in them as well so you'll see that gcp has this metadata google internal metadata service and you have to add a header to that which is to mitigate ssrf attacks you have to add metadata flavor google at one point you could hit instead of v1 you could hit v1 beta 1 without using uh that header and people got paid uh lots of money and bug bounty programs for that but unfortunately now uh it doesn't work anymore so that's sad for us now on the microsoft side they too use one six nine two five four one six nine

two five four and you have to add a header for this of metadata true i will note that if you encounter issues with waffs you can always uh which which we'll look for are block uh 1 6 9 2 5 4 1 6 9 2 5 4. um you can always maybe register your own domain with that ip address i'm just going to throw that out there and how does this work or does this happen in real life that this talk is based off something that mark and i saw in real life but as you see here um it's something that does happen and this is kind of a potpourri if you will uh of different vulnerabilities that

have been found um as you can see critical a critical vulnerability that was found leveraging um xxc with ssrf hitting a metadata service uh these two top two are on hacker one the other one was a medium but he still got paid ten thousand dollars which is is pretty nice and then you can see in in gcp itself they've had issues with their own metadata service so this affects many large companies and is something to be aware of all right so we talked about uh meshing these two services or this attack the xxe attack with hitting the metadata service itself and we can see here that we're enumerating keys which is for ultimate pwnage which is what we'll

see later in the demos and speaking of demos i think we have one coming up and we do all right so we're doing our pen test and we've come across this login screen so what i can do is just try entering test data test and test and we can send that forward and it says you've logged in as user test now if we look at this using burp suite we can see what happened is we made a post request here send us to repeater we made a post request to this xml injection php endpoint and it has you have logged in as user test now we want to test this to see test if we can inject our entity into this

so the thing about xxe vulnerabilities is i don't naming isn't important here if the vulnerability is going to be here so i can actually change this and what i'm going to do here is and you don't need encoding utf-8 as well so what i'll do here is uh entity test and you can see i have tests down here and what should happen is this should say you you were logged in as xxe so if i send this we see that we're able to inject this entity here of xxe now of course we can look for files like etsy password which you've already seen but i want to do something a little bit more interesting i want to see

what the mac address is of this instance and how i can do that is as you can see i'm back to having root here of course you don't need that is procnet arp and i see that i have an ip address and i also have my mac address now if i research this i see i'm in a docker which is a pen tester if we're in a docker it introduces some possible issues there because we're not actually on the host we're in this docker and we're going to try to break out of this docker so we're stuck in a docker the other thing i can do is i can try to enumerate php now php is a server-side language

so i can't read it by default you know if i look at if i look at the xml injection

endpoint and i view the source of the page i just see you of login as user which doesn't really tell us what is in the inside of the php so what i can do is i can write use a filter here so you might you might have seen this in local file inclusion vulnerabilities and things like that but i have this php filter convert base64 in code and now i'm trying to look at this resources xml injection php page so if i send this i can see i have a long string and if we know anything about base64 encoding this looks like possibly base64 encoding so what i can do is take this and throw it in decoder

decode as base64 and you can see that now i see the php of the page i can see it's looking for user and password credentials and here it echoes back you have logged in as user whatever this user is entered as and i have some clues possibly as to why this is vulnerable to xxe which we'll talk about later now if we go back we figured out xx is possible but let's figure out further what our environment is so i'm on cyberninja.com what is cyberninja.com so let's go to our trustee terminator terminal here i'm going to host cyberninja and i can see i have an ip address of two three two three four nine one and i can run a who it is

of two three two three four nine one and we can see that we're dealing with an amazon ec2 and the region that we're in so now we should start thinking about the metadata service if we can reach this end point so what i'm going to do is i'm going to go back to burp suite and we're going to try to see if we can hit the metadata service so all that requires us to do is know the ip address which is the same in every ec2 instance that's 169 two five four one six nine two five two five four and you can see i've hit the metadata end point here so you might see a whole bunch of things

here we're looking for latest aws in their documentation says they have all of this information because of previous versions of the metadata service and if you're running a script from a particular point in time you can still use these versions of the metadata service but i'm going to use

latest and as you can see here i have metadata well i have dynamic metadata and user data dynamic if i go here this gives me a whole lot of juicy information about this ec2 instance if i go to document

here's all this great information here about this ec2 you can see account id architecture availability zone all this really really good information that might be useful to us later we can also see other things like our ssh public key well you know the private key would be a whole lot better if we had the key pair but in the ec2 instance you can see latest instead of dynamic now i'm at metadata which is the metadata service public key 0 open ssh key

space it might not like that and here we see this as public ssh key there's some other things we can see too we can see the internal hostname right here which gives us the internal ip address your private ip address now you're probably going clinton okay this is all good and great but what about getting the the secret key um which is really what we want to use to further attack this this box um so to do that what you want to do is when we're in metadata here you want to look for iam if you don't have iam um you can still enumerate keys for them for the ec2 instance itself the issue though is and we'll talk about

this later is that you can get this you know you can you can use this in aws cli but the problem is it doesn't really do anything so you're kind of at a dead end because it's just the ec2 instance itself now if you have iam here you can go to security credentials

and now we see there is called service role it may be different for you when you're doing this and now i have the access key id the secret access key and the token and i can use this in the aws cli to do further enumeration and also exploitation as well which is the fun stuff so we'll talk about that a little bit

later all right so we're doing our pen test okay all right now you can see me again so i talked about this in the in the demo if you don't see an i am roll attached to the ec2 instance what can you do well our friend rhino raider who is a much better hacker than i am um and space raccoon did some research on this i recommend that you go to his blog here and read what he was able to do at some point in time he was able to cause a denial of service against the ec2 instance but had issues with that um and ultimately his conclusion at the end is more research is

is needed but there's really not much you can do solely with uh the ec2 credentials themselves as you can see here i'm running uh aws sts get caller identity which is like a who am i um i was able to do that and and something with dynamodb but that was really all i could do with this ec2 instance when i was trying to um when i import these keys and try to hack it now once you get keys to the i am role and you want to figure out what permissions you have or what rights you have doing it manually is going to be very very very difficult so i don't recommend that so there's tools like this uh paku paku

paku however you want to say it uh the latest version of cali lennox that just came out i think last week has this in it um which is great and just shows that uh aws is is a service that's being looked at more by by hackers and there's also this github page here um for enumerate iam i've used this python script before it makes a whole bunch of api calls and kind of hangs i've never had it get through everything before so it's good as an initial pointer of what permissions you have but again i've never really had it successfully carry out a full enumeration thanks chris for putting that uh that domain in there

so now it's time for another demo now that we've done some enumeration through the aws metadata service we're gonna really rely on luck from this point out we're going to hope that these keys or this role allows us to read s3 buckets um and we're also going to hope that we can connect to the instance itself and one of the ways we can connect the instance is through this aws ec2 instance connect send ssh public key command which is going to push a public key on our hacker or cali box onto this instance so you can see here that i have an instance id which i can pull from the metadata right here from this end point here i can see also

that we see a user ubuntu and we're hoping that that's correct because we know that it the box itself is running on go to and that's a username and we're also hoping the availability zone which there are a number of on the east is u.s east one echo now if you mess up or if you don't get it right it will you know it will be verbose and tell you that that isn't right so it's a little bit of guesswork some of the time and here we're setting our ssh public key which is in our uh root directory our ssh our hacker public key so if we issue this command we see that success is true which is

great and now we're going to try to connect via ssh to the box obviously um depending on security groups you may not be able to do that but in this case we'll keep our fingers crossed we're specifying our hacker private key file um on our local machine and the ubuntu user at that ip address so as you can see we've been successful we're able to ssh into the box itself and now let's see what we can do so i always like to do sudo l to see what permissions i have you can see the user ubuntu basically has full access to the box so that's sudo su so now we're going to be root and let's see if there's a flag

well done so we can see that we've successfully grabbed the flag i know this will capture the flaggish but um that's the importance of knowing um how to escalate privileges on a box like this or how to figure that out so now we've successfully rooted the box uh spoiler alert we do get caught in the end but um ultimately we've achieved our objective of leveraging the xxe vulnerability into enumerating the aws metadata service and ultimately getting onto the box itself and not on the docker onto the box itself and getting the flag now that we've done some new i'm repeating myself all right so i want to talk about security groups briefly so if you

actually try to go to cyberninja717.com on port 444 hopefully you can't get on that um and and when i made these vms um that's an important thing as well and something to talk about is in security groups you can specify um ip addresses or a range of ip addresses that can reach that particular port and it's ec2 specific so um if you can hit cyberninja717.com um on port four four four four four four let me know because i'll need to change that but what's guard duty so guard duty for aws will alert you if if it thinks something malicious is going on so in the case of me trying to hack or use these these aws credentials is

one it saw that i was using it from cali lennox and the other thing it saw was that i was using um the credentials outside of and you can see my ip address there um you outside of that ec2 instance so as attackers what we should be thinking about is one maybe not using cali lennox when we get this metadata service or we get these keys um so not using kali linux and perhaps using an ec2 instance because maybe aws doesn't know if you're using an ec2 instance it will not fire this alert off in guard duty all right so we saw how easy it was to hack uh imsd v1 now we get to imsd

v2 so we're upping our game here this is a little bit well it is it is a protection against server side request forgery attacks or xxe attacks because it enters a put request or you need to use a put request now um so what's going to happen is because it's ssrf um you can't do a put request so you'll see here if you are using instamedia service version one um oh thanks josh um you can generate a token for up to six hours and your subsequent calls you need to use that token to call the mediated service all right so um again i don't have a certification in in aws yet as jamie mentioned but

uh instance manager service version 1 and version 2 are both available in ec2 by default and good news for us hackers is there's no plan to disable uh instance media service version one so we can keep using ssrf but what you can do is enforce version two and all your instance on all your ec2 instances going forward and that's what i did for this next setup is i disabled instance metadata service version 1 and only allowed the only allowed using instance metadata service version 2. so now another demo so we're testing another web application here seaside's nova 2021 registration form we can see we have burp suite up uh i'm gonna turn intercept on and we'll fill in our name

our phone number and our email and our password and you can see here it sends a post request to this process.php endpoint with all of our information here what i'm going to do because where i have burp pro is i'm going to do an active scan on this so i'll open this up and let's see our issue activity as you can see here i have xml entity expansion so i don't think we talked about this before but with xxc you're able to do this entity expansion which causes a basically a ddos attack so that's another thing that you can do using xxe of course ddos is something we want to clear with people before we try this

i've not tried it before so um but this is just demonstrating that it could cause a denial of service attack also you can see our xxe attack here we have a request for etsy password our response and also another request here as you can see this is our ssrf here reaching out to this burp collaborator client and you can see there's dns interaction with the collaborator client as well as http interaction with the collaborator client now what burp doesn't check for in this active scan are one whether it can hit the metadata service endpoint and the other thing is if expect is enabled with php so we can see that we get etsy password but let's see if we can also do remote

code execution would expect now don't expect or expect to be there by default in php it's not it's something i had to install separately but you can see here i can do id i'm going to erase this so it looks a little cleaner and you can see that we are dub dub dub data now of course it all depends on the permissions of www data but i'm going to hope that i can hit the web route and upload a web shell now just to see if we can access the instance metadata service let's give that a try 169.254.169.254 and we can see that nothing comes back so i know from my enumeration uh before i made the video that this is

an ec2 instance of course because i made it so something's up here either metadata service is disabled or they're using instance metadata service version 2. now because instance metadata service version two uses a put request it's a way to mitigate mitigate this ssrf type attack because i can't do put i can try put with expect i can tell you the interesting thing with expect is it is incredibly difficult to make things work uh because you need to have an interesting naming convention or syntax when you use it so normally if i'm on a box i do you name a a linux box that is as you can see this doesn't work what i have to do with expect

is dollar sign ifs as a space and play around single quotes and see if you name a works which now it does so in order i i tried this with um the media service version two i'm able to get a token but i'm not able to um follow up hitting the mediated service probably because some characters are sanitized with expect so what i'm going to do now is i'm going to curl because i've compromised that cyberninja site what i'm going to do now is curl a web shell that i have onto this box and hope that it works so you can see here again the naming the syntax is interesting curl ifs oh so we're just big o so we're just

downloading the uh this file and it's going to download webshell.txt i need to add a single quote and i should have uploaded it it looks like it was successful if i want to verify that i can go back here and do ls and i do say i have webshell.txt so what i have to do is i have to move that and make it a php file so again ifs with the dollar sign we're going to move webshell.txt again we know the dollar sign ifs to web shell dot php send that says no such file directory let's let's take a look at that you can see it's web shell.php so let's go to our let's hope that that

this works now as you can see uh hackerat hacks.net was already registered unfortunately but we'll do webshell dot php and let's see if we uh can get rce and we see we can so now here is we're gonna i'm gonna check where i can do that put request with the metadata service so what i need to do first is i need to generate a token and see if instance metadata service version 2 is enabled so i'm going to set it for 21 600 seconds and i get my token here all right so now that i have my token i am going to do a curl request using that token to the i at the iam rule hoping that

this box has one and try to download info so i can put it into the aws cli you can use tools like pacu um and i am a new to see what what uh permissions we have but let's not get too far ahead of ourselves so we see we have a uh this i am role of s three maybe different for you so again we're going to curl and i'm going to go all the way to the end to s3 execute that and you can see that we have the access key id the secret access key and the token so in my cool terminator shell i need to export this information so i'm going to export my access key id

um here we go i'm going to export my secret access key got all the z shell that remembers everything unfortunately it's not the same information we have here and our token which of course this means that these are temporary

credentials all right so it actually gives you an expiration with zumu time here i'm going to copy this now again once i once i have this i can do some enumeration with the new python script i am a new or i can use pacu i'm just going to try to see if i can enumerate s3 buckets

so you can see here that i can see a bunch of s3 buckets of course the most interesting one here being seaside nova so if i want to do this again s3 let's see what's inside this bucket we see we have one file secret info so let's grab that so i'm going to copy that to my local directory here you can see it was downloaded and i can cap this and we can see super secret info just to show you that this isn't accessible to anybody on the internet i'm going to paste this in here you can see c size nova that's our s3 bucket secret info and you can see i have access to nine so

that's the show i can pivot from uh this xxe vulnerability that has instance metadata instance metadata surface version two installed in it and i can get onto the aws cli and access other services in this case s3 and the other demo we saw we could upload an ssh key um but that's all to show that uh that we can do a whole lot more with an xxe

attack all right so a couple things i wanted to mention uh because i did that that was a nine minute demo i to record and i made some mistakes one i wanted to thank aws for having an example of xml uh with that access denied page the other thing is it's not a ddos attack of course um it's just a denial of service attack we're not using a botnet army um and if you notice at the end i catted secret info or i had a secret file and i downloaded the secret info i guess i just downloaded so many secret files i couldn't keep track but i can assure you [Music] that that it basically says the same

thing and also the fact that the role name gave us clues right so um the s3 of course you could probably guess allowed us to enumerate s3 so david had a question is the value for the session token specified by the attacker no i i believe you can specify that um in your uh instances um panel i think the default that the the default length that a token can last is 12 hours i from what i read i think 12 hours but you can set it from the cli or or um or in in the console

yeah uh so can you downgrade to version one so that's a good point um is if you have access to uh the aws cli within the ec2 instance can you issue a command to downgrade to version one um i can tell you for that for that ec2 instance i didn't have aws installed of course you could you could install it right living off the land so so that's a possibility right if we have pseudo permissions and we can uh snap install the awcli maybe you can configure it from within the ec2 instance um that's that's possible um i've not tried it but definitely something worth exploring is is a downgraded attack so mark back to you we'll just wrap this

up so how do you fix this within php um you can see here uh disable entity loader it's set as false mark it is true um you would disable the entity loader within php and that would basically mitigate this vulnerability um for xxe uh with any other code um it's not working with other languages uh so as of uh version two point our lib lib xml2 version 2.9 um for c and c plus plus uh i believe xc is disabled by default according to gnome.org but like other languages like java uh as far as i know that they are still they are still enabled by default so you would have to manually go and disable external entities uh which is

the main way to mitigate this vulnerability but uh we thank you guys for uh joining our presentation if you have any questions feel free to put it in the chat

oh stephen another thing i want to say is it was because the server was running his www data the docker was running his route which you know you're in a docker which makes it you can issue any command but you're stuck in a docker and the other one it was dub dub dub data and i actually had to um chamod the uh the web root directory to allow file upload because it wasn't there but you couldn't do it by default so i kind of uh cheated if you will um to allow to allow uploads to that directory i mean you could you could chain it together because you could go to the temp directory and upload

something there and hope that you have lfi um but that's just another possibility there

any other questions before pizza and beer you guys have all been eating hopefully two dudes sitting here just two five minutes i know thank you guys appreciate it thank you for all the um good compliments all right well have a good rest of your lunch and uh we will talk to you later