Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20140508215536.GH2733@sentinelchicken.org>
Date: Thu, 8 May 2014 14:55:36 -0700
From: "Timoth D. Morgan" <tim-security@...tinelchicken.org>
To: oss-security@...ts.openwall.com
Cc: nicolas.gregoire@...rri.fr
Subject: Re: CVE-2014-0191 libxml2: external parameter entity
 loaded when entity substitution is disabled


In my testing, this same issue is true for Java.

That is, if you use DocumentBuilderFactory's setExpandEntityReferences
method and supply "false", then it has a very similar behavior.  I'm
about to release a comprehensive XXE paper, and here's a preview of
what I have written about it:

"Java developers who use the default parser (or a newer version of
Xerces-J) need to change one or more settings to make Xerces
reasonably safe when processing untrusted XML.  One behavior to be
aware of is the fact that the DocumentBuilderFactory's
setExpandEntityReferences method does not provide protection as one
might expect.  Calling this method with a "false" argument causes the
parser to omit external entity data in the document when referenced,
but it does not prevent definitions of external entities.  This means
the parser will still fetch external URLs, which could obviously be
used for blind SSRF attacks (even if the content isn't used later in
the document).   Worse still, this setting does not prevent full use
of external parameter entities, which would likely allow an attacker
to conduct all of the same attacks that are possible with regular
external entities."

Should we assign a CVE for this as well?  I believe I tested versions
1.6.0_18 and 1.7.0_51, though I'd want someone to verify this, since
it has been some time since I observed the behavior.

tim




On Tue, May 06, 2014 at 08:55:58PM +0200, Tomas Hoger wrote:
> On Tue, 06 May 2014 20:21:28 +0200 Nicolas Grégoire wrote:
> 
> > > libxml2 [...] incorrectly performs entity substituton in the doctype
> > > prolog, even if the application using libxml2 disabled any entity
> > > substitution. 
> > 
> > I'm not sure that I understand this bug. Do you have a PoC?
> 
> The new issue is very similar to the one fixed by:
> 
> https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f
> 
> which is linked to the infamous CVE-2013-0339.  4629ee0 fixed the issue
> for general entities, while the 9cd1c3c fixes the same type of problem
> for parameter entities.  Even when parsing without NOENT, external
> parameter entities are fetched.
> 
> -- 
> Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.