Thursday, February 16, 2012

Security Issue with services that accept XML documents through DOCTYPE Entity…

Hi Guys,

We identified a service attack and devised a solution that shouldn’t require full-double parsing/reading of the request data through an interceptor, which was the initial recommendation from RedHat.

An attacker using an DOCTYPE Entity can access the local file system and export sensitive data (see example request/response below).

The main challenge was that we use RestEasy and the implementation wasn't written to allow the addition of security attributes to the parser.

We have a proposed temporary fix to the org.jboss.resteasy.plugins.providers.jaxb.JAXBXmlTypeProvider:readFrom method which uses a custom EntityResolver, the code is as follows:

JAXBContext jaxb = findJAXBContext(type, annotations, mediaType, true);
Unmarshaller unmarshaller = jaxb.createUnmarshaller();

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
dbf.setExpandEntityReferences(false);
DocumentBuilder db = dbf.newDocumentBuilder();
// set entity resolver to throw exception when enternalEntity Exists...
db.setEntityResolver(new NoDocTypeHandler());
Document doc = db.parse(entityStream);


Object obj = unmarshaller.unmarshal(doc);


// InnerClass to throw an error if externalEntities exist
class NoDocTypeHandler extends DefaultHandler {
NoDocTypeHandler() {
super();
}
public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
throw new SAXNotSupportedException("External Entity Declarations are not Supported!");
}
}


We found that just setting the ExpandEntityReferences to false didn't address all our use cases. It seemed to addressed accessing a directory structure, but when accessing a specific file with a few lines, the contents was still expanded.

We have run initials tests and the results show that it is working as expected.

We have supplied the bug and the fix to RestEasy and they are working on a long-term solution and should provide a patch soon https://issues.jboss.org/browse/RESTEASY-647.

This issue isn’t specific to RestEasy or even Java, other parser/frameworks are vulnerable.

Please let me know if you have any questions…

Hope this helps - Thanks – Mark :-)


Example Attack:

REQUEST:
POST http://host/searchService HTTP/1.1
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<search><user>&xxe;</user></search>

RESPONSE:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><ErrorMessage>Invalid Search Criteria for user:
LocalService:*:19:544:U-NT AUTHORITY\LocalService,S-1-5-19::
NetworkService:*:20:544:U-NT AUTHORITY\NetworkService,S-1-5-20::
Administrators:*:544:544:,S-1-5-32-544::

</ErrorMessage>