Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled

[Tomas Hoger <thoger () redhat com>]

Hi!

I can hardly call myself familiar with Java XML parsers, but here's my
2c form a quick search around this that may be wrong.  Please correct
my mistakes.

On Thu, 8 May 2014 14:55:36 -0700 Timoth D. Morgan wrote:

> That is, if you use DocumentBuilderFactory's setExpandEntityReferences
> method and supply "false", then it has a very similar behavior.  I'm
> about to release a comprehensive XXE paper, and here's a preview of
> what I have written about it:

As far as I can see setExpandEntityReferences() controls what value is
set for the create-entity-ref-nodes DOM parser feature:

http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java#l158
http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java#l74
http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/impl/Constants.java#l427

The description in Java API docs is rather brief, xerces docs have more
details:

http://xerces.apache.org/xerces-j/features.html#create-entity-ref-nodes
http://xerces.apache.org/xerces2-j/features.html#dom.create-entity-ref-nodes

AFAICS, the feature does not aim to control if entity references are
expanded, but only how exactly they appear in the resulting DOM tree.

> "Java developers who use the default parser (or a newer version of
> Xerces-J) need to change one or more settings to make Xerces
> reasonably safe when processing untrusted XML.  One behavior to be
> aware of is the fact that the DocumentBuilderFactory's
> setExpandEntityReferences method does not provide protection as one
> might expect.  Calling this method with a "false" argument causes the
> parser to omit external entity data in the document when referenced,
> but it does not prevent definitions of external entities.  This means
> the parser will still fetch external URLs, which could obviously be
> used for blind SSRF attacks (even if the content isn't used later in
> the document).   Worse still, this setting does not prevent full use
> of external parameter entities, which would likely allow an attacker
> to conduct all of the same attacks that are possible with regular
> external entities."

Maybe your paper should rather mention parser features as
external-general-entities and external-parameter-entities:

http://docs.oracle.com/javase/7/docs/api/org/xml/sax/package-summary.html#package_description

OWASP XXE document covers some of this, but actually mentions only one
of the two features...

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing#Java

-- 
Tomas Hoger / Red Hat Security Response Team