One of the paradoxes of information security is that despite all of the publicity about known vulnerabilities, organizations often do not patch their systems to block the most well-publicized attacks. Years after the hoopla about SQL Slammer, Nimda and Code Red, systems continued to be vulnerable to these attacks, even to this day. If you study how botnets propagate, they mostly use older well-known vulnerabilities which most people would assume were patched on everybody's computers years ago. The failure to patch can be down to laziness, disorganization, ignorance, or complacency.
In the XML world, there was a famous vulnerability discovered by Amit Klein back in 2002 which used recursion in DTD's (Document Type Definitions) in order to create a Denial-of-Service attack on an XML parser. The attack involved a cleverly crafted DTD which was designed to expand greatly in memory when parsed, using recursion, earning it the name "XML Bomb". The XML Bomb vulnerability is described here in this December 2002 SecurityFocus article. Following Amit Klein's discovery of this vulnerability, a number of vendors issued advisories and patches - including initially Macromedia and Sybase. Back then, I included a description of the XML Bomb in a book chapter I wrote on "Hardening Web Services" in the "Hardening Network Security" book (and you can download that book chapter from the Vordel website for free).
In December 2003, the vulnerability resurfaced in products from IBM and Microsoft. IBM and Microsoft then issued patches for it. Of all those patches, only Microsoft's patch is still available online - here: http://support.microsoft.com/default.aspx?kbid=826231. For Sharepoint, Microsoft rolled the "XML Bomb" patch into the similarly evocatively-named ".NET Framework 1.1 Temporary File Explosion on Sharepoint Servers - Windows Server 2003" patch.
So the "XML Bomb" vulnerability is all patched now, right? Wrong. Proving the vulnerabilities never really die, it cropped up again last week - almost seven years since Amit Klein first discovered it. Joe McKendrick reported that a Finnish startup, Codenomicon, had announced that "Vulnerabilities discovered in XML libraries from Sun, Apache Software Foundation, Python Software Foundation and the GNOME Project could result in successful denial-of-service attacks on applications built with them." The press release itself was vague, but some digging found that the vulnerability was ye olde XML Bomb - http://svn.apache.org/viewvc?view=rev&revision=781488 . Like SOA, the XML Bomb is not dead, but survives to fight another day. Some XML libraries are still naively consuming DTDs and falling victim to recursion attacks.
The good news is that Vordel's products have blocked DTD-based attacks (including recursion attacks, but also External Entity attacks and other DTD-based jiggery-pokery) since back in 2002. Our free SOAPbox Web Services Testing tool can also be used to probe for these vulnerabilities (using its attack vectors functionality).
Here is an excerpt from our Taxonomy of XML Threats White Paper (which you can grab from this page on the Vordel Website):
--------------
Blocking DTD-based attacks.
DTD implementations can be vulnerable to recursion attacks. The SOAP specification states “A SOAP message MUST NOT contain a Document Type Declaration” (http://www.w3.org/TR/SOAP/ Section 3). However, some XML applications process DTDs, and therefore products which protect XML applications must block DTDs.
The following DTD contains a recursively defined entity “&x100;” that would be expanded into the huge amount (2^100) repetitions of the string “hello” by any XML 1.0 standard compliant parser. This would cause excessive memory usage and/or excessive CPU usage:
<!DOCTYPE foobar [
<!ENTITY x0 “hello”>
<!ENTITY x1 “&x0;&x0;”>
<!ENTITY x2 “&x1;&x1;”>
<!ENTITY x3 “&x2;&x2;”>
<!ENTITY x4 “&x3;&x3;”>
...
<!ENTITY x98 “&x97;&x97;”>
<!ENTITY x99 “&x98;&x98;”>
<!ENTITY x100 “&x99;&x99;”>
]>
<foobar>&x100;</foobar>
This vulnerability was discovered in December 2002, and a number of vendors issued advisories and patches - including Macromedia and Sybase.
In December 2003, the vulnerability resurfaced in products from IBM and Microsoft.
Vordel’s products have blocked this attack since December 2002, when it was first discovered, and has alerted companies to its existence at training seminars.
Monday, August 10, 2009
Subscribe to:
Post Comments (Atom)
5 comments:
Sorry, this has nothing to do with the 2002 attack. And as far as I know, the Vortel test solution does not catch any of the several flaws in question.
Oh and Hi Mark!
If you write a nice new writeup of the 2002 flaw, we are happy to link to it from our XML resource here. I have seen that several people have already confused this set of problems with the 2002 flaw already.
Sorry for the typo in Vordel product name. ;)
Hi Ari,
The reason why this announcement is associated with DTD-based attacks is that the CERT-FI release about it (http://www.cert.fi/en/reports/2009/vulnerability2009085.html) references a couple of DTD-based advisories like this apache revision posting:
"Avoid recursion when parsing simply nested DTD structures.
This issue is referenced in the following document: CVE-2009-1885 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1885).
Thanks to Jukka Taimisto, Tero Rontti and Rauli Kaksonen from the CROSS project at Codenomicon Ltd. and CERT-FI for bringing this issue to our attention."
http://svn.apache.org/viewvc?view=rev&revision=781488
Also the CERT-FI announcement references this Red Hat posting:
"libxml is a library for parsing and manipulating XML files. A Document Type
Definition (DTD) defines the legal syntax (and also which elements can be
used) for certain types of files, such as XML files.
A stack overflow flaw was found in the way libxml processes the root XML
document element definition in a DTD. A remote attacker could provide a
specially-crafted XML file, which once opened by a local, unsuspecting
user, would lead to denial of service (application crash). (CVE-2009-2414)"
https://rhn.redhat.com/errata/RHSA-2009-1206.html
That's why this announcement is associated with DTD-based attacks.
I took a look at your link to the announcement on your corporate site again, but it's short on specifics (like examples of messages which will bring down particular parsers, names and versions of particular parsers, etc). The only concrete info is the CERT-FI article which references the DTD attacks. It would be helpful to provide some more detail.
By the way, I do agree that the XML parsers used in XML-processing applications have vulnerabilities, (e.g. External Entity attacks). I've seen these myself - it is frightening how vulnerable many XML apps are to these. It is good to highlight people to this fact.
Thanks Mark for the clarification.
Unfortunately I cannot discuss the details (and neither probably will anyone else at this point because these parsers are everywhere and almost nobody is patched against these and similar issues) but as far as I know this is completely different from both recursions and external entities. There are hundreds of thousands of ways you can suck at DTD (and other XML element) parsing. ;)
Hi Ari,
Can you be more specific. You say "as far as I know this is completely different from both recursions and external entities". But the first reference on the CERT-FI article relates to recursion ("Avoid recursion when parsing simply nested DTD structures").
The other references in that CERT-FI article mention DTD-based vulnerabilities.
DTD's in general are bad news for security. That is why the SOAP Spec disallows DTD's ((http://www.w3.org/TR/SOAP/ Section 3), why Microsoft created that "ProhibitDtd" option (http://support.microsoft.com/default.aspx?kbid=826231). I notice that you don't list .NET's parser as vulnerable - is that because you had "ProhibitDtd" enabled?
If you can provide an example of an XML message which brings down a parser, I'd be happy to test it here to see how the message is blocked. Vordel's standard XML Threat policy blocks DTD's, as well as excessive nesting, excessive child attributes or element "width", amongst other countermeasures like limiting memory usage for parsing.
Without an actual example, it's hard to really be specific though.
Your article mentions code execution - were you able to smash the stack of an XML parser and manipulate the execution address to point to arbitrary code? If so, what parser, and can you provide an example?
Post a Comment