A group of researchers has discovered a critical vulnerability Google search engine that could allow an attacker to access the internal files of the production Google server. I desire to describe this case to remind you that there isn’t a platform totally secure and that the approach to security must be done through continuous review of our systems.
Curious that the researchers used Google dorking to search for vulnerabilities within unpopular applications managed by Google, The Google Toolbar button gallery was the application that most of all attracted their attention.
The researchers have uncovered a serious flaw in the Toolbar Button Gallery noting that Google’s feature allows users to customize their toolbars with new buttons by uploading XML files containing layout properties.
“Not two minutes later we noticed that the gallery provides users with the ability to customize their toolbar with new buttons. If you’re a developer, you’re also able to create your own buttons by uploading XML files containing various meta data (styling and such)”
Injecting specially crafted XML the attacker could force Google server, in particular the XML parser, to interpret the malicious XML code to load and include functionalities that could compromise the overall security of the server.
This kind of vulnerability is known as XML External Entity (XXE), as explained by OWASP, processing of an external entity containing tainted data may lead to disclosure of confidential information and other system impacts.
” There exists a specific type of entity, an external general parsed entity often shortened to an external entity, that can access local or remote content via a declared system identifier. The system identifier is assumed to be a URI that can be dereferenced (accessed) by the XML processor when processing the entity. The XML processor then replaces occurrences of the named external entity with the contents dereferenced by the system identifier. If the system identifier contains tainted data and the XML processor dereferences this tainted data, the XML processor may disclose confidential information normally not accessible by the application.” is reported in the blog post published by OSWAP.
The researcher succeeded to upload their malicious XML code, using the API specifications the researchers crafted their own button containing fishy XML entities to conduct the XXE attack.
The researchers were able to access to the /etc/passwd and the /etc/hosts of one of the Google server used in production and provided the images to prove the impact of their attack.
“The root cause of XXE vulnerabilities is naive XML parsers that blindly interpret the DTD of the user supplied XML documents. By doing so, you risk having your parser doing a bunch of nasty things. Some issues include: local file access, SSRF and remote file includes, Denial of Service and possible remote code execution. If you want to know how to patch these issues, check out the OWASP page on how to secure XML parsers in various languages and platforms,” the researchers wrote on a blog post.
An attacker exploiting the vulnerability discovered by the researchers could have access any other file on any Google server, or worse could gain access to internal systems through the SSRF exploitation.
There is also a happy ending, after contacted Google the researchers were rewarded with $10,000 bounty for identifying an XML External Entity (XXE) vulnerability in one of the search engine’s features.
(Security Affairs – Google server, hacking)
Google addressed a Chrome's Password Manager bug that caused user credentials to disappear temporarily for…
The Internet Systems Consortium (ISC) released BIND security updates that fixed several remotely exploitable DoS…
Terrorist groups are increasingly using cyberspace and digital communication channels to plan and execute attacks.…
Progress Software addressed a critical remote code execution vulnerability, tracked as CVE-2024-6327, in the Telerik Report…
A critical flaw in some versions of Docker Engine can be exploited to bypass authorization…
The CVE-2024-21412 flaw in the Microsoft Defender SmartScreen has been exploited to deliver information stealers…
This website uses cookies.