Posted to dev@tomcat.apache.org by bu...@apache.org on 2007/10/22 11:24:10 UTC
DO NOT REPLY [Bug 43671] New: - Unclear Contract between Entity expansion and DOM parser validation cause OWASP A2 in WebDAV Servlet
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43671>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=43671
Summary: Unclear Contract between Entity expansion and DOM parser validation cause OWASP A2 in WebDAV Servlet
Product: Tomcat 5
Version: 5.5.24
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Servlets:WebDAV
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: mschoene@redhat.com
DESCRIPTION:
Tomcat allows unauthorized users to read arbitrary files
from the host file system by misusing the entity expansion
feature of the DOM parser.
It seems that
documentBuilderFactory.setExpandEntityReferences(false);
has no atomic effect; instead it depends on other (undocumented) settings.
There are also (although antique) references on the web
supporting this assumption. They say XML validation overrides
disabling of entity expansion.
(Quote: http://www.cafeconleche.org/books/xmljava/chapters/ch09s06.html)
"""Expand Entity References
The following two methods determine whether the parsers produced by this factory
expand entity references.
public boolean isExpandEntityReferences();
public void setExpandEntityReferences(boolean expandEntityReferences);
The default is true. If a parser is validating, then it will expand entity
references, even if this feature is set to false. That is, the validation
feature overrides the expand entity references feature."""
(/Quote)
http://mail-archives.apache.org/mod_mbox/xerces-j-users/200410.mbox/%3C20041010174829.58568.qmail@web40911.mail.yahoo.com%3E
The JDK I used was also not outdated:
java version "1.5.0_13"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13-b05)
Java HotSpot(TM) Server VM (build 1.5.0_13-b05, mixed mode)
EFFECT:
Unauthenticated users get file contents presented when WebDAV write access is
enabled, even when
documentBuilderFactory.setExpandEntityReferences(false);
is set.
[mschoene@mschoene 20071014webdavexp]$ perl cve-2007-5461-exploit.pl 127.0.0.1 /webdav /etc/passwd
Apache Tomcat Remote File Disclosure Zeroday Xploit
kcdarookie aka eliteb0y / 2007
Launching Remote Exploit...
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/xml;charset=UTF-8
Content-Length: 2163
Date: Fri, 19 Oct 2007 09:47:28 GMT
<?xml version="1.0" encoding="utf-8" ?>
<prop xmlns="DAV:"><lockdiscovery><activelock><locktype><write/></locktype>
<lockscope><exclusive/></lockscope>
<depth>Infinity</depth>
<owner>
<href> <REMOTE> <RemoteX>root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbi
PATCH PROPOSAL:
The abstract DocumentBuilder offers a method
public abstract void setEntityResolver(EntityResolver er)
You can override this with a custom resolver such as:
documentBuilder = documentBuilderFactory.newDocumentBuilder();
documentBuilder.setEntityResolver(new MyResolver());
The following PoC implementation shows the protection effect below:
    import java.io.IOException;
    import java.io.StringReader;
    import org.xml.sax.EntityResolver;
    import org.xml.sax.InputSource;
    import org.xml.sax.SAXException;

    private class MyResolver implements EntityResolver {
        public InputSource resolveEntity(String publicId, String systemId)
                throws SAXException, IOException {
            System.err.println("pub:" + publicId);
            System.err.println("sys:" + systemId);
            // systemId can be null for some entities; only "file:" URIs are intercepted here
            if (systemId != null && systemId.startsWith("file:")) {
                System.err.println("attack");
                // Substitute harmless content for the entity. InputSource(String) takes a
                // system id (URI), so the replacement text has to go through a Reader.
                return new InputSource(new StringReader("<!--hubbabubba-->"));
            }
            return null; // fall back to the parser's default resolution
        }
    }
This catches file references before they are expanded, and should be
extended to http:// and other external schemes for production use.
There may be other corner cases that need to be observed.
The return value 'hubbabubba' may also need some nicer value :)
Result:
Oct 19, 2007 1:01:15 PM org.apache.catalina.core.ApplicationContext log
pub:null
sys:file:///etc/passwd
attack
Oct 19, 2007 1:01:15 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet webdav threw exception
java.lang.NullPointerException
at org.apache.catalina.servlets.WebdavServlet.doLock(WebdavServlet.java:966)
SUMMARY:
It has been observed that the unclear contract between entity expansion and DOM
parser validation affects the security of the WebDAV servlet when write access
is enabled. A PoC patch has been attached to show a potential way to mitigate
the issue by blocking unwanted external entities, which create an Injection Flaw
vulnerability (OWASP A2).
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
------- Additional Comments From john@sourcelabs.com 2007-10-22 11:25 -------
I've tested pre-patch and post-patch and Mark's new patch seems to do what it is
supposed to do.
Re: logging.
I personally prefer to put the onus on the user to manage their logs.
------- Additional Comments From mschoene@redhat.com 2007-10-22 03:16 -------
Created an attachment (id=21019)
--> (http://issues.apache.org/bugzilla/attachment.cgi?id=21019&action=view)
Code fragment showing how to intercept injected entities
The attached (ugly) code fragment shows how to intercept the process of
entity expansion by detecting the injected strings.
As an example it intercepts entities with a
"file:" prefix and posts them to stderr.
As the committer is not really an expert
on the WebDAV semantics, this patch draft may need some
brushing up to be production ready.
When used with WebDAV write access enabled and the
perl script with
perl cve-2007-5461-exploit.pl 127.0.0.1 /webdav /etc/passwd
the entity expansion and injection attack is detected and the following output
is posted to stderr:
Oct 19, 2007 1:01:15 PM org.apache.catalina.core.ApplicationContext log
pub:null
sys:file:///etc/passwd
attack
Oct 19, 2007 1:01:15 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet webdav threw exception
java.lang.NullPointerException
at org.apache.catalina.servlets.WebdavServlet.doLock(WebdavServlet.java:966)
------- Additional Comments From markt@apache.org 2007-10-22 05:25 -------
(In reply to comment #0)
> If a parser is validating, then this it will expand entity
> references, even if this feature is set to false. That is, the validation
> feature overrides the expand entity references feature.
This doesn't appear to be related to the validation setting which defaults to
false and isn't changed from the default in this case. It appears to be that the
settings in documentBuilderFactory are not passed through to the underlying parser.
The proposed patch for this, based on your suggestion, is here:
http://people.apache.org/~markt/patches/2007-10-20-webdav.patch
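The patch proposal in the initial report relies on an EntityResolver to catch "file:" references, and Mark's comment notes that the factory setting setExpandEntityReferences(false) was not reaching the underlying parser. The following is an added example, not code from the bug report, from the attached patch or from Tomcat: it builds a DocumentBuilder that rejects DOCTYPE declarations and external entities at the parser-feature level, keeps a resolver that refuses every external entity as a backstop, and includes a self-check that parses a constructed document referencing a temp file written by the check itself, reporting whether the file content shows up in the DOM. The feature URIs are the standard Xerces/JDK ones; the class, method and marker names are this example's own.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.StringReader;
import java.io.Writer;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Added example (not Tomcat code): a DocumentBuilder configured so that the
 * server-side XML parser cannot be used to read host files, plus a self-check
 * showing whether a given builder really refuses external entities.
 */
public class ExternalEntityCheck {

    /** Backstop resolver: refuses every external entity regardless of URI scheme. */
    static final class RefusingResolver implements EntityResolver {
        public InputSource resolveEntity(String publicId, String systemId) {
            System.err.println("refused external entity, publicId=" + publicId
                    + " systemId=" + systemId);
            // Empty replacement text: the entity expands to nothing, never to a file.
            return new InputSource(new StringReader(""));
        }
    }

    /** Parser that rejects DOCTYPE outright and, as defence in depth, external entities. */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The setting the report relied on; kept, but not trusted on its own.
        f.setExpandEntityReferences(false);
        f.setXIncludeAware(false);
        // WebDAV request bodies never need a DOCTYPE, so the entity declaration
        // itself can be refused. The remaining features cover parsers that allow it.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver(new RefusingResolver());
        return b;
    }

    /**
     * Returns true if a document whose external entity points at a file we wrote
     * ourselves makes that file's content visible in the parsed DOM.
     * A parse error counts as "nothing leaked".
     */
    public static boolean leaksExternalEntity(DocumentBuilder builder) throws IOException {
        String marker = "CONSTRUCTED-MARKER-" + System.nanoTime();
        File probe = File.createTempFile("xxe-probe", ".txt");
        try {
            Writer w = new FileWriter(probe);
            try { w.write(marker); } finally { w.close(); }
            // Constructed probe document: one external general entity, referenced once.
            String xml = "<?xml version=\"1.0\"?>"
                    + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"" + probe.toURI() + "\">]>"
                    + "<d>&ext;</d>";
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            String text = doc.getDocumentElement().getTextContent();
            return text != null && text.contains(marker);
        } catch (SAXException e) {
            return false; // the parser rejected the document
        } finally {
            probe.delete();
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder plain = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        System.out.println("default builder leaks: " + leaksExternalEntity(plain));
        System.out.println("hardened builder leaks: " + leaksExternalEntity(newHardenedBuilder()));
    }
}
```

The self-check is the part worth keeping around: run it against whatever builder a servlet actually uses rather than trusting a factory flag, since the report shows the flag alone did not take effect. With disallow-doctype-decl honoured, the probe document is rejected before the resolver is ever consulted; the resolver only matters on an implementation where that feature is absent.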
------- Additional Comments From mschoene@redhat.com 2007-10-22 02:59 -------
Created an attachment (id=21018)
--> (http://issues.apache.org/bugzilla/attachment.cgi?id=21018&action=view)
Testcase taken from full-disclosure mailing list
Try with the following command line:
perl cve-2007-5461-exploit.pl 127.0.0.1 /webdav /etc/passwd
markt@apache.org changed:
What       | Removed | Added
-----------|---------|---------
Status     | NEW     | RESOLVED
Resolution |         | FIXED
------- Additional Comments From markt@apache.org 2007-10-22 17:55 -------
A work around exists in TC6. The root cause appears to be a JDK issue.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org