tag:blogger.com,1999:blog-5066603456638955842.post5420943264278436173..comments2009-08-18T00:08:53.268+01:00Mark O'Neillnoreply@blogger.comBlogger5125tag:blogger.com,1999:blog-5066603456638955842.post-38525829466445594002009-08-12T13:40:50.791+01:002009-08-12T13:40:50.791+01:00Hi Ari,<br /><br />Can you be more specific. You say &quot;as far as I know this is completely different from both recursions and external entities&quot;. But the first reference on the CERT-FI article relates to recursion (&quot;Avoid recursion when parsing simply nested DTD structures&quot;).<br /><br />The other references in that CERT-FI article mention DTD-based vulnerabilities.<br /><br />DTD&#39;s in general are bad news for security. That is why the SOAP Spec disallows DTD&#39;s ((http://www.w3.org/TR/SOAP/ Section 3), why Microsoft created that &quot;ProhibitDtd&quot; option (http://support.microsoft.com/default.aspx?kbid=826231). I notice that you don&#39;t list .NET&#39;s parser as vulnerable - is that because you had &quot;ProhibitDtd&quot; enabled?<br /><br />If you can provide an example of an XML message which brings down a parser, I&#39;d be happy to test it here to see how the message is blocked. Vordel&#39;s standard XML Threat policy blocks DTD&#39;s, as well as excessive nesting, excessive child attributes or element &quot;width&quot;, amongst other countermeasures like limiting memory usage for parsing.<br /><br />Without an actual example, it&#39;s hard to really be specific though.<br /><br />Your article mentions code execution - were you able to smash the stack of an XML parser and manipulate the execution address to point to arbitrary code? If so, what parser, and can you provide an example?Mark O'Neillhttp://www.blogger.com/profile/03202416986720435011noreply@blogger.comtag:blogger.com,1999:blog-5066603456638955842.post-40637217288276732492009-08-12T10:06:13.893+01:002009-08-12T10:06:13.893+01:00Thanks Mark for the clarification.<br /><br />Unfortunately I cannot discuss the details (and neither probably will anyone else at this point because these parsers are everywhere and almost nobody is patched against these and similar issues) but as far as I know this is completely different from both recursions and external entities. There are hundreds of thousands of ways you can suck at DTD (and other XML element) parsing. ;)Ari Takanenhttp://www.blogger.com/profile/07915912631926433579noreply@blogger.comtag:blogger.com,1999:blog-5066603456638955842.post-29506804808105642922009-08-12T09:31:35.000+01:002009-08-12T09:31:35.000+01:00Hi Ari,<br /><br />The reason why this announcement is associated with DTD-based attacks is that the CERT-FI release about it (http://www.cert.fi/en/reports/2009/vulnerability2009085.html) references a couple of DTD-based advisories like this apache revision posting: <br /><br />&quot;Avoid recursion when parsing simply nested DTD structures. <br />This issue is referenced in the following document: CVE-2009-1885 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1885). <br />Thanks to Jukka Taimisto, Tero Rontti and Rauli Kaksonen from the CROSS project at Codenomicon Ltd. and CERT-FI for bringing this issue to our attention.&quot;<br />http://svn.apache.org/viewvc?view=rev&amp;revision=781488<br /><br />Also the CERT-FI announcement references this Red Hat posting:<br /><br />&quot;libxml is a library for parsing and manipulating XML files. A Document Type<br />Definition (DTD) defines the legal syntax (and also which elements can be<br />used) for certain types of files, such as XML files.<br /><br />A stack overflow flaw was found in the way libxml processes the root XML<br />document element definition in a DTD. A remote attacker could provide a<br />specially-crafted XML file, which once opened by a local, unsuspecting<br />user, would lead to denial of service (application crash). (CVE-2009-2414)&quot;<br />https://rhn.redhat.com/errata/RHSA-2009-1206.html<br /><br />That&#39;s why this announcement is associated with DTD-based attacks.<br /><br />I took a look at your link to the announcement on your corporate site again, but it&#39;s short on specifics (like examples of messages which will bring down particular parsers, names and versions of particular parsers, etc). The only concrete info is the CERT-FI article which references the DTD attacks. It would be helpful to provide some more detail. <br /><br />By the way, I do agree that the XML parsers used in XML-processing applications have vulnerabilities, (e.g. External Entity attacks). I&#39;ve seen these myself - it is frightening how vulnerable many XML apps are to these. It is good to highlight people to this fact.Mark O'Neillhttp://www.blogger.com/profile/03202416986720435011noreply@blogger.comtag:blogger.com,1999:blog-5066603456638955842.post-79308477786191932752009-08-12T06:01:59.736+01:002009-08-12T06:01:59.736+01:00Oh and Hi Mark! <br /><br />If you write a nice new writeup of the 2002 flaw, we are happy to link to it from our <a href="http://www.codenomicon.com/labs/xml/" rel="nofollow">XML resource here</a>. I have seen that several people have already confused this set of problems with the 2002 flaw already.<br /><br />Sorry for the typo in Vordel product name. ;)Ari Takanenhttp://www.blogger.com/profile/07915912631926433579noreply@blogger.comtag:blogger.com,1999:blog-5066603456638955842.post-86167563619059300022009-08-12T05:52:36.883+01:002009-08-12T05:52:36.883+01:00Sorry, this has nothing to do with the 2002 attack. And as far as I know, the Vortel test solution does not catch any of the several flaws in question.Ari Takanenhttp://www.blogger.com/profile/07915912631926433579noreply@blogger.com