The world’s first single-file exploit, CVE-2023-4357 Chrome XXE vulnerability EXP, allows attackers to obtain the local files of visitors. Chrome XXE vulnerability EXP, allowing attackers to obtain local files of visitors.
Single file vulnerability exploitation idea: self-contained. The first entity declaration referencing external entities was intercepted, so I thought of self-containing itself as an external XML document and then making a second entity declaration referencing external entities, and the formats of the two references were required to be compatible with each other. Report an error to bypass interception and read local files.
The root cause of the vulnerability lies in libxslt. By default, Chromium will strictly verify whether the external entity URL referenced by the entity declaration of the XML document is cross-domain. However, if Chromium first parses it into an XSL style sheet and then calls document() to include the external XML document, then at this time, Chromium does not perform cross-domain verification on this external XML document URL, causing the visitor’s local files to be leaked.
What do you think?
It is nice to know your opinion. Leave a comment.