Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 12 May 2014 18:58:58 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: tim-security@...tinelchicken.org, nicolas.gregoire@...rri.fr
Subject: Re: CVE-2014-0191 libxml2: external parameter entity
 loaded when entity substitution is disabled

Hi!

I can hardly call myself familiar with Java XML parsers, but here's my
2c form a quick search around this that may be wrong.  Please correct
my mistakes.

On Thu, 8 May 2014 14:55:36 -0700 Timoth D. Morgan wrote:

> That is, if you use DocumentBuilderFactory's setExpandEntityReferences
> method and supply "false", then it has a very similar behavior.  I'm
> about to release a comprehensive XXE paper, and here's a preview of
> what I have written about it:

As far as I can see setExpandEntityReferences() controls what value is
set for the create-entity-ref-nodes DOM parser feature:

http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java#l158
http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java#l74
http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/impl/Constants.java#l427

The description in Java API docs is rather brief, xerces docs have more
details:

http://xerces.apache.org/xerces-j/features.html#create-entity-ref-nodes
http://xerces.apache.org/xerces2-j/features.html#dom.create-entity-ref-nodes

AFAICS, the feature does not aim to control if entity references are
expanded, but only how exactly they appear in the resulting DOM tree.

> "Java developers who use the default parser (or a newer version of
> Xerces-J) need to change one or more settings to make Xerces
> reasonably safe when processing untrusted XML.  One behavior to be
> aware of is the fact that the DocumentBuilderFactory's
> setExpandEntityReferences method does not provide protection as one
> might expect.  Calling this method with a "false" argument causes the
> parser to omit external entity data in the document when referenced,
> but it does not prevent definitions of external entities.  This means
> the parser will still fetch external URLs, which could obviously be
> used for blind SSRF attacks (even if the content isn't used later in
> the document).   Worse still, this setting does not prevent full use
> of external parameter entities, which would likely allow an attacker
> to conduct all of the same attacks that are possible with regular
> external entities."

Maybe your paper should rather mention parser features as
external-general-entities and external-parameter-entities:

http://docs.oracle.com/javase/7/docs/api/org/xml/sax/package-summary.html#package_description

OWASP XXE document covers some of this, but actually mentions only one
of the two features...

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing#Java

-- 
Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.