http://issues.apache.org/bugzilla/show_bug.cgi?id=43671

Summary: Unclear Contract between Entity expansion and DOM parser validation cause OWASP A2 in WebDAV Servlet
Product: Tomcat 5
Version: 5.5.24
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Servlets:WebDAV
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

DESCRIPTION:

Tomcat allows unauthorized users to read arbitrary files from the host file system by misusing the entity expansion feature of the DOM parser. It seems that

    documentBuilderFactory.setExpandEntityReferences(false);

has no atomic effect; instead it depends on other (undocumented) settings. There are also (although antique) references on the web supporting this assumption. They say XML validation overrides disabling of entity expansion.

(Quote: http://www.cafeconleche.org/books/xmljava/chapters/ch09s06.html)

"""
Expand Entity References

The following two methods determine whether the parsers produced by this factory expand entity references.

    public boolean isExpandEntityReferences();
    public void setExpandEntityReferences(boolean expandEntityReferences);

The default is true. If a parser is validating, then it will expand entity references, even if this feature is set to false. That is, the validation feature overrides the expand entity references feature.
"""
(/Quote)

http://mail-archives.apache.org/mod_mbox/xerces-j-users/200410.mbox/[EMAIL PROTECTED]

The JDK I used was also not overaged:

    java version "1.5.0_13"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13-b05)
    Java HotSpot(TM) Server VM (build 1.5.0_13-b05, mixed mode)

EFFECT:

Unauthenticated users get file contents presented when WebDAV write access is enabled, even when

    documentBuilderFactory.setExpandEntityReferences(false);

is set.
    [EMAIL PROTECTED] 20071014webdavexp]$ perl cve-2007-5461-exploit.pl 127.0.0.1 /webdav /etc/passwd
    Apache Tomcat Remote File Disclosure Zeroday Xploit
    kcdarookie aka eliteb0y / 2007
    Launching Remote Exploit...
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Content-Type: text/xml;charset=UTF-8
    Content-Length: 2163
    Date: Fri, 19 Oct 2007 09:47:28 GMT

    <?xml version="1.0" encoding="utf-8" ?>
    <prop xmlns="DAV:"><lockdiscovery><activelock><locktype><write/></locktype>
    <lockscope><exclusive/></lockscope>
    <depth>Infinity</depth>
    <owner>
    <href>
    <REMOTE>
    <RemoteX>root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbi

PATCH PROPOSAL:

The abstract DocumentBuilder offers a method

    public abstract void setEntityResolver(EntityResolver er)

You can override this with a custom resolver such as:

    documentBuilder = documentBuilderFactory.newDocumentBuilder();
    documentBuilder.setEntityResolver(new MyResolver());

The following PoC implementation shows the protection effect:

    // Imports needed at the top of the enclosing servlet source file.
    import java.io.StringReader;
    import org.xml.sax.EntityResolver;
    import org.xml.sax.InputSource;

    // Inner class of the servlet: called by the parser for every external entity
    // before the referenced resource is opened.
    private class MyResolver implements EntityResolver {
        public InputSource resolveEntity(String publicId, String systemId) {
            System.err.println("pub:" + publicId);
            System.err.println("sys:" + systemId);
            // Refuse entities that point at the local file system and substitute a
            // harmless comment as the entity's content, so the file is never read.
            // (The original returned new InputSource("<!--hubbabubba-->"), which
            // passes the string as a system ID rather than as content; a StringReader
            // supplies it as content.)
            if (systemId != null && systemId.startsWith("file:")) {
                System.err.println("attack");
                return new InputSource(new StringReader("<!--hubbabubba-->"));
            }
            // null lets the parser fall back to its default resolution.
            return null;
        }
    }

This catches file references before they are expanded, and should be extended to http:// and other external schemes for production purposes. There may also be other edge cases that need to be considered.
The return value 'hubbabubba' may also need some nicer value :)

Result:

    Oct 19, 2007 1:01:15 PM org.apache.catalina.core.ApplicationContext log
    pub:null
    sys:file:///etc/passwd
    attack
    Oct 19, 2007 1:01:15 PM org.apache.catalina.core.StandardWrapperValve invoke
    SEVERE: Servlet.service() for servlet webdav threw exception
    java.lang.NullPointerException
        at org.apache.catalina.servlets.WebdavServlet.doLock(WebdavServlet.java:966)

SUMMARY:

It has been observed that the unclear contract between entity expansion and DOM parser validation affects the security of the WebDAV servlet when write access is enabled, creating an injection flaw vulnerability (OWASP A2). A PoC patch has been appended to show a potential way to mitigate the issue by blocking unwanted external entities.
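The DESCRIPTION above makes the point that setExpandEntityReferences(false) on its own is not a reliable control, and the PATCH PROPOSAL intercepts only file: system IDs in an EntityResolver. The following is an added example, not the reporter's patch and not Tomcat's own fix: it hardens the same JAXP DocumentBuilderFactory by refusing DOCTYPE declarations and external entities at the parser level, keeps a deny-everything EntityResolver as a second layer, and checks both a benign LOCK body and one carrying an external entity. The class name, the helper methods, and both sample request bodies are constructed for illustration; the feature URIs are the standard SAX/Xerces ones, and the code assumes the JDK's bundled Xerces parser (setFeature throws if a URI is unknown to the implementation).

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Constructed example: a LOCK-body parser that cannot be coaxed into opening external resources.
public class HardenedLockBodyParser {

    // Builds a DocumentBuilder with DTD processing switched off instead of relying on
    // setExpandEntityReferences, which validation can silently override.
    static DocumentBuilder newHardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setValidating(false);              // validation would re-enable expansion
        f.setExpandEntityReferences(false);  // kept, but not relied upon on its own
        f.setXIncludeAware(false);
        // A WebDAV request body never needs a DOCTYPE, so reject the declaration outright;
        // this alone blocks every external general and parameter entity.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a deployment turns DOCTYPE back on.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        DocumentBuilder b = f.newDocumentBuilder();
        // Defence in depth: should a feature be ignored by some implementation, no
        // external resource is ever opened; every external entity resolves to nothing.
        b.setEntityResolver(new EntityResolver() {
            public InputSource resolveEntity(String publicId, String systemId) {
                return new InputSource(new StringReader(""));
            }
        });
        return b;
    }

    // Returns the text of the DAV:owner element if the body is accepted,
    // or null if the hardened parser rejects the document.
    static String parseOwner(String body) throws Exception {
        try {
            Document d = newHardenedBuilder().parse(new InputSource(new StringReader(body)));
            return d.getElementsByTagNameNS("DAV:", "owner").item(0).getTextContent().trim();
        } catch (SAXParseException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary LOCK body as a WebDAV client would send it.
        String benign = "<?xml version=\"1.0\"?>"
            + "<D:lockinfo xmlns:D=\"DAV:\"><D:lockscope><D:exclusive/></D:lockscope>"
            + "<D:locktype><D:write/></D:locktype><D:owner>alice</D:owner></D:lockinfo>";
        // Constructed sample: the same body with an external entity declared in a DOCTYPE,
        // the pattern the report describes (placeholder system ID, not a real path).
        String hostile = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE lockinfo [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/local-file\">]>"
            + "<D:lockinfo xmlns:D=\"DAV:\"><D:owner>&ext;</D:owner></D:lockinfo>";
        System.out.println("benign owner : " + parseOwner(benign));
        System.out.println("hostile body : " + parseOwner(hostile));
    }
}
```

The benign body yields the owner text, while the hostile body is rejected by the DOCTYPE check before any entity is resolved, so the resolver's deny rule is never even reached. Compared with the proposal's resolver, this fails closed for http: and every other scheme without a per-scheme list, and because validation stays off the override described in the quoted book does not apply.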