oss-sec mailing list archives

Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled

From: "Timoth D. Morgan" <tim-security () sentinelchicken org>
Date: Thu, 8 May 2014 14:55:36 -0700


In my testing, this same issue is true for Java.

That is, if you use DocumentBuilderFactory's setExpandEntityReferences
method and supply "false", then it has a very similar behavior.  I'm
about to release a comprehensive XXE paper, and here's a preview of
what I have written about it:

"Java developers who use the default parser (or a newer version of
Xerces-J) need to change one or more settings to make Xerces
reasonably safe when processing untrusted XML.  One behavior to be
aware of is the fact that the DocumentBuilderFactory's
setExpandEntityReferences method does not provide protection as one
might expect.  Calling this method with a "false" argument causes the
parser to omit external entity data in the document when referenced,
but it does not prevent definitions of external entities.  This means
the parser will still fetch external URLs, which could obviously be
used for blind SSRF attacks (even if the content isn't used later in
the document).   Worse still, this setting does not prevent full use
of external parameter entities, which would likely allow an attacker
to conduct all of the same attacks that are possible with regular
external entities."

Should we assign a CVE for this as well?  I believe I tested versions
1.6.0_18 and 1.7.0_51, though I'd want someone to verify this, since
it has been some time since I observed the behavior.

tim




On Tue, May 06, 2014 at 08:55:58PM +0200, Tomas Hoger wrote:

On Tue, 06 May 2014 20:21:28 +0200 Nicolas Grégoire wrote:

libxml2 [...] incorrectly performs entity substituton in the doctype
prolog, even if the application using libxml2 disabled any entity
substitution.


I'm not sure that I understand this bug. Do you have a PoC?


The new issue is very similar to the one fixed by:

https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f

which is linked to the infamous CVE-2013-0339.  4629ee0 fixed the issue
for general entities, while the 9cd1c3c fixes the same type of problem
for parameter entities.  Even when parsing without NOENT, external
parameter entities are fetched.

-- 
Tomas Hoger / Red Hat Security Response Team

Current thread:

CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Stefan Cornelius (May 06)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Nicolas Grégoire (May 06)
  - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tomas Hoger (May 06)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Nicolas Grégoire (May 06)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Timoth D. Morgan (May 08)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tomas Hoger (May 12)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled David Jorm (Jun 02)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tim (Jun 03)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled David Jorm (Jun 06)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tim (Jun 03)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tomas Hoger (Jun 09)
    - Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tim (Jun 09)