Exploiting XXE Vulnerabilities in OXML Documents - Part 1

OXML is a common document format; think docx (Microsoft Word Document), pptx (Microsoft Powerpoint), xlsx (Excel Spreadsheet), etc.

An OXML document is a zip file containing XML files and any media files. When the document is rendered, the rendering library unzips the document and then parses the containing XML files. The order the XML files are parsed and which files maintain precedence over the others is dependent on the type of document. The following link is from Microsoft on the XML structure in Office 2007 files: File format structure

I have had success in the past embedding XML External Entities into the XML files of a docx, the XXE is exploited when the document is parsed. An easy example of this would be in file upload functionality that allows docx, pptx, or xlsx. Facebook was found vulnerable to this exact scenario in December 2014; XXE Bug Patched in Facebook.

If you review the Microsoft link posted earlier you will see that each XML file plays a different role. I have found varying levels of success in which XML file I embed the XXE exploit into. To help out with this testing process I wrote a tool:

https://github.com/BuffaloWill/oxml_xxe

Keeping with 300 words or less I will stop here and pick up with oxml_xxe usage in the next blog post.