Date: Tue, 03 Jun 2014 16:38:14 +1000 From: David Jorm <djorm@...hat.com> To: oss-security@...ts.openwall.com CC: tim-security@...tinelchicken.org, nicolas.gregoire@...rri.fr Subject: Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled On 05/13/2014 02:58 AM, Tomas Hoger wrote: > Hi! > > I can hardly call myself familiar with Java XML parsers, but here's my > 2c form a quick search around this that may be wrong. Please correct > my mistakes. > > On Thu, 8 May 2014 14:55:36 -0700 Timoth D. Morgan wrote: > >> That is, if you use DocumentBuilderFactory's setExpandEntityReferences >> method and supply "false", then it has a very similar behavior. I'm >> about to release a comprehensive XXE paper, and here's a preview of >> what I have written about it: > As far as I can see setExpandEntityReferences() controls what value is > set for the create-entity-ref-nodes DOM parser feature: > > http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java#l158 > http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java#l74 > http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/impl/Constants.java#l427 > > The description in Java API docs is rather brief, xerces docs have more > details: > > http://xerces.apache.org/xerces-j/features.html#create-entity-ref-nodes > http://xerces.apache.org/xerces2-j/features.html#dom.create-entity-ref-nodes > > AFAICS, the feature does not aim to control if entity references are > expanded, but only how exactly they appear in the resulting DOM tree. > >> "Java developers who use the default parser (or a newer version of >> Xerces-J) need to change one or more settings to make Xerces >> reasonably safe when processing untrusted XML. One behavior to be >> aware of is the fact that the DocumentBuilderFactory's >> setExpandEntityReferences method does not provide protection as one >> might expect. Calling this method with a "false" argument causes the >> parser to omit external entity data in the document when referenced, >> but it does not prevent definitions of external entities. This means >> the parser will still fetch external URLs, which could obviously be >> used for blind SSRF attacks (even if the content isn't used later in >> the document). Worse still, this setting does not prevent full use >> of external parameter entities, which would likely allow an attacker >> to conduct all of the same attacks that are possible with regular >> external entities." > Maybe your paper should rather mention parser features as > external-general-entities and external-parameter-entities: > > http://docs.oracle.com/javase/7/docs/api/org/xml/sax/package-summary.html#package_description > > OWASP XXE document covers some of this, but actually mentions only one > of the two features... > > https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing#Java > Sorry for the absurdly late reply to this thread. I finally found time to do some testing on OpenJDK 1.7.0_45. I can confirm Tomas' assessment that setExpandEntityReferences() and setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) have no bearing on whether or not entity references are expanded, nor do they purport to. Applications that process attacker-supplied XML using Xerces are vulnerable to SSRF attacks unless they use both setFeature("http://xml.org/sax/features/external-parameter-entities", false) and setFeature("http://xml.org/sax/features/external-general-entities", false). The OWASP XXE document should be updated to mention external-parameter-entities. I will do this as soon as my OWASP wiki account is approved. Thanks David
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.