tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 43671] New: - Unclear Contract between Entity expansion and DOM parser validation cause OWASP A2 in WebDAV Servlet
Date Mon, 22 Oct 2007 09:24:10 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43671>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43671

           Summary: Unclear Contract between Entity expansion and DOM parser
                    validation cause OWASP A2 in WebDAV  Servlet
           Product: Tomcat 5
           Version: 5.5.24
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Servlets:WebDAV
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: mschoene@redhat.com


DESCRIPTION:

Tomcat allows unauthorized users to read arbitrary files
from the host file system by misusing the entity expansion
feature of the DOM parser.

It seems that

documentBuilderFactory.setExpandEntityReferences(false);

has no atomic effect; instead it depends on other (undocumented) settings.
There are also (although antique) references on the web
supporting this assumption. They say that XML validation overrides
the disabling of entity expansion.

(Quote: http://www.cafeconleche.org/books/xmljava/chapters/ch09s06.html)

"""Expand Entity References

The following two methods determine whether the parsers produced by this factory
expand entity references.
public boolean isExpandEntityReferences();
public void setExpandEntityReferences(boolean expandEntityReferences);

The default is true. If a parser is validating, then this it will expand entity
references, even if this feature is set to false. That is, the validation
feature overrides the expand entity references feature."""
(/Quote)


http://mail-archives.apache.org/mod_mbox/xerces-j-users/200410.mbox/%3C20041010174829.58568.qmail@web40911.mail.yahoo.com%3E

The JDK I used was also not outdated:

java version "1.5.0_13"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13-b05)
Java HotSpot(TM) Server VM (build 1.5.0_13-b05, mixed mode)

EFFECT:

Unauthenticated users get file contents presented when webdav write access is
enabled, even when 
documentBuilderFactory.setExpandEntityReferences(false);
is set. 

[mschoene@mschoene 20071014webdavexp]$ perl cve-2007-5461-exploit.pl 127.0.0.1 /webdav /etc/passwd
Apache Tomcat Remote File Disclosure Zeroday Xploit
kcdarookie aka eliteb0y / 2007
Launching Remote Exploit...
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/xml;charset=UTF-8
Content-Length: 2163
Date: Fri, 19 Oct 2007 09:47:28 GMT

<?xml version="1.0" encoding="utf-8" ?>
<prop xmlns="DAV:"><lockdiscovery><activelock><locktype><write/></locktype>
<lockscope><exclusive/></lockscope>
<depth>Infinity</depth>
<owner>
<href>&#10;<REMOTE>&#10;<RemoteX>root:x:0:0:root:/root:/bin/bash&#10;bin:x:1:1:bin:/bin:/sbin/nologin&#10;daemon:x:2:2:daemon:/sbin:/sbi


PATCH PROPOSAL:

The abstract DocumentBuilder offers a method

public abstract void setEntityResolver(EntityResolver er)

You can override this with a custom resolver such as:

  documentBuilder = documentBuilderFactory.newDocumentBuilder();
  documentBuilder.setEntityResolver(new MyResolver());


The following PoC implementation shows the protective effect:

 import java.io.IOException;
 import java.io.StringReader;
 import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;

 // Nested inside the servlet class; installed via documentBuilder.setEntityResolver(new MyResolver()).
 private class MyResolver implements EntityResolver {
   public InputSource resolveEntity (String publicId, String systemId)
       throws SAXException, IOException
   {
    System.err.println("pub:"+publicId);
    System.err.println("sys:"+systemId);
    // systemId may be null for some entity kinds, so guard before inspecting it.
    if (systemId != null && systemId.startsWith("file:")) {
        System.err.println("attack");
        // InputSource(String) takes a system ID, not content; the replacement
        // text has to be supplied through a Reader.
        return new InputSource(new StringReader("<!--hubbabubba-->"));
    }
    return null;   // null lets the parser resolve the entity itself
   }
 }

This catches file references before they are expanded, and should be
extended to http:// and other external schemes for production use.
There may also be other corner cases that need to be observed.
The return value 'hubbabubba' may also need a nicer value :)

Result:

Oct 19, 2007 1:01:15 PM org.apache.catalina.core.ApplicationContext log
pub:null
sys:file:///etc/passwd
attack
Oct 19, 2007 1:01:15 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet webdav threw exception
java.lang.NullPointerException
        at org.apache.catalina.servlets.WebdavServlet.doLock(WebdavServlet.java:966)

SUMMARY:
It has been observed that the unclear contract between entity expansion and DOM
parser validation affects the security of the WebDAV servlet when write access
is enabled. A PoC patch has been appended to show a potential way to mitigate
the issue by blocking unwanted external entities, which create an Injection Flaw
vulnerability (OWASP A2).

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

