10. OpenCRX Authentication Bypass and Remote Code Execution

R3zk0n · October 2, 2025

    Extensible Markup Language (XML)

    • XML is designed to encode data in a way that’s easier for humans and machines to read.
    • An application that relies on data stored in the XML format will inevitably make use of an XML parser or processor.
    • The application calls this component when XML data needs to be processed. The parser is responsible for the analysis of the markup code.
    • Once the parser finishes processing the XML data, it passes the resulting information back to the application.

    Issues with XML Parsing

    • XML processors can suffer from different types of vulnerabilities originating from malformed or malicious input data. Potential issues include:
      • Information Disclosure
      • Server-Side Request Forgery
      • Denial of Service
      • Remote Command Injection
      • Remote Code Execution

    What are Document Type Definitions (DTDs) and XML Entities?

    • Document Type Definitions (DTDs) are an interesting feature of XML.
    • DTDs can be used to declare XML entities within an XML document.
    • An XML entity is a named data structure, typically containing valid XML code, that can be referenced multiple times in a document.
    • This is similar to variables in a programming language.

    Types of XML Entities

    • Internal Entities
      • Internal entities are locally defined within the DTD.
      • <!ENTITY name "entity_value">
      • Example: <!ENTITY test "<entity-value>test value</entity-value>">
    • External Entities
      • External entities are used when referencing data that is not defined locally.
      • As such, a critical component of the external entity definition is the URI from which the external data will be retrieved.
      • External entities can be split into two groups, namely private and public.
      • Private External Entity:
        • <!ENTITY name SYSTEM "URI">
        • Example: <!ENTITY offsecinfo SYSTEM "http://www.offsec.com/company.xml">
        • The SYSTEM keyword indicates a private external entity, intended for use by a single user or perhaps a group of users.
      • Public External Entity:
        • Public external entities are intended for a much wider audience.
        • <!ENTITY name PUBLIC "public_id" "URI">
        • Example: <!ENTITY offsecinfo PUBLIC "-//W3C//TEXT companyinfo//EN" "http://www.offsec.com/companyinfo.xml">
    • Parameter Entities
      • Parameter entities exist solely within a DTD, but are otherwise very similar to any other entity. They use the % prefix.
      • <!ENTITY % name SYSTEM "URI">
      • Example: <!ENTITY % course 'AWAE'><!ENTITY Title 'Offensive Security presents %course;' >

    Attributes of XML Entities

    • An XML entity does not have to contain valid XML code.
    • In those instances, we have to prevent the XML parser from processing the referenced data by using the NDATA declaration.
    • <!ENTITY name SYSTEM "URI" NDATA TYPE>
    • <!ENTITY name PUBLIC "public_id" "URI" NDATA TYPE>
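    As an added example (not code from these notes or from the course they summarise), the following Python script uses the standard library's expat bindings to sort the entity declarations of a document into the categories listed above (internal, private and public external, parameter, and unparsed NDATA entities) and to show what a parser does with each reference when it is told not to resolve anything external. The two sample documents are constructed here; they reuse the declaration forms from the notes and add a NOTATION declaration so that the NDATA entity is well-formed.

```python
"""Classify the entity declarations in an XML document's DTD and parse it
without resolving external references, using only the standard library.
The documents below are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from xml.parsers import expat
from xml.parsers.expat import errors


@dataclass
class EntityInfo:
    name: str
    kind: str            # internal | external-private | external-public | unparsed
    is_parameter: bool   # declared with the % prefix; usable only inside the DTD
    value: Optional[str] = None     # replacement text (internal entities only)
    uri: Optional[str] = None       # system identifier (external and unparsed)
    public_id: Optional[str] = None
    notation: Optional[str] = None  # NDATA type (unparsed entities only)


# Constructed sample: one entity of each kind from the notes, plus a NOTATION
# so the NDATA declaration is well-formed. Only &test; and &offsecinfo; are referenced.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE memo [
  <!ENTITY test "<entity-value>test value</entity-value>">
  <!ENTITY offsecinfo SYSTEM "http://www.offsec.com/company.xml">
  <!ENTITY pubinfo PUBLIC "-//W3C//TEXT companyinfo//EN" "http://www.offsec.com/companyinfo.xml">
  <!ENTITY % course "AWAE">
  <!NOTATION png SYSTEM "image/png">
  <!ENTITY logo SYSTEM "logo.png" NDATA png>
]>
<memo>&test;&offsecinfo;</memo>
"""

# Constructed sample that references an unparsed (NDATA) entity from content,
# which XML forbids: a conforming parser must not expand it.
UNPARSED_REF_XML = """<!DOCTYPE memo [
  <!NOTATION png SYSTEM "image/png">
  <!ENTITY logo SYSTEM "logo.png" NDATA png>
]>
<memo>&logo;</memo>
"""


def _classify(name, is_param, value, base, system_id, public_id, notation):
    """expat's EntityDeclHandler arguments map directly onto the entity taxonomy."""
    if notation is not None:
        kind = "unparsed"           # <!ENTITY n SYSTEM "URI" NDATA type>
    elif value is not None:
        kind = "internal"           # <!ENTITY n "replacement text">
    elif public_id is not None:
        kind = "external-public"    # <!ENTITY n PUBLIC "id" "URI">
    else:
        kind = "external-private"   # <!ENTITY n SYSTEM "URI">
    return EntityInfo(name, kind, bool(is_param), value, system_id, public_id, notation)


def inspect_entities(xml_text: str) -> List[EntityInfo]:
    """Report every entity declared in the internal DTD subset, in order.
    expat's default parameter-entity setting (NEVER) means an external DTD
    subset is not fetched, and with no ExternalEntityRefHandler installed,
    references to external general entities are skipped rather than resolved."""
    found: List[EntityInfo] = []
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = lambda *decl: found.append(_classify(*decl))
    parser.Parse(xml_text, True)
    return found


def risky_entity_names(entities: List[EntityInfo]) -> List[str]:
    """Entities whose resolution would touch a file or the network: anything
    that is not an internal entity. A hardened application rejects documents
    that declare these (or any DOCTYPE at all) before handing them to a parser."""
    return [e.name for e in entities if e.kind != "internal"]


def parse_refusing_external(xml_text: str) -> Tuple[List[str], str, str]:
    """Parse content while refusing every external entity reference.
    Returns (element names seen, character data seen, outcome), where outcome
    is 'completed' or a label for the parser error that stopped the parse."""
    elements: List[str] = []
    chunks: List[str] = []
    parser = expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = chunks.append
    # Returning 0 tells expat not to resolve the reference and to abort the parse.
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    labels = {
        errors.XML_ERROR_EXTERNAL_ENTITY_HANDLING: "refused-external",
        errors.XML_ERROR_BINARY_ENTITY_REF: "refused-unparsed",
    }
    try:
        parser.Parse(xml_text, True)
        outcome = "completed"
    except expat.ExpatError as exc:
        message = expat.ErrorString(exc.code)
        outcome = labels.get(message, message)
    return elements, "".join(chunks), outcome


if __name__ == "__main__":
    for entity in inspect_entities(SAMPLE_XML):
        print(f"{entity.name:<11} {entity.kind:<16} parameter={entity.is_parameter} uri={entity.uri}")
    print("would touch file/network:", risky_entity_names(inspect_entities(SAMPLE_XML)))
    print(parse_refusing_external(SAMPLE_XML))
    print(parse_refusing_external(UNPARSED_REF_XML))
```

    Running it shows the internal entity expanding into a real element (the parser sees `entity-value` inside `memo`), the private external entity being refused before any network access, and the unparsed entity being rejected outright when referenced from content. One caveat on the parameter entity example above: a reference such as `%course;` inside another markup declaration is only permitted in an external DTD subset, not in the internal subset of the document itself, which is why the constructed sample declares the parameter entity but does not reference it.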
