xml-dev - Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack

Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack

[ Lists Home | Date Index | Thread Index ]

To: "Miles Sabin" <miles@milessabin.com>, <xml-dev@lists.xml.org>
Subject: Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
From: "Rick Jelliffe" <ricko@allette.com.au>
Date: Wed, 30 Oct 2002 21:03:32 +1100
References: <200210300905.44376.miles@milessabin.com>

It strikes me that this puts the cart before the horse.  The answer is not to ban 
external entities, it is to allow access control lists as part of entity managers
or URL resolvers.

> * DoS on the parsing system by making it open, e.g.
>   file:///dev/random | file:///dev/urandom | file://c:/con/con

ACL can address this.

> * TCP scans using HTTP external entities (including behind firewalls
>   since application servers often have world view different
>   from that of the attacker)

ACL can fix this

> * Unauthorized access to data stored as XML files on the parsing
>   system file system (of course the attacker still needs a way to
>   get these data back)

Err, yes: this is a bit too vague to be credible isn't it. But an ACL system
would fix that.

>  * DoS on other systems (if parsing system is allowed to establish
>   TCP connections to other systems)

ACL would reduce this.  

> * NTLM authentication material theft by initiating UNC file access to
>   systems under attacker control (far fetched?)

?

> * Doomsday scenario: A widely deployed and highly connected application
>   vulnerable to this attack may be used for DDoS.

ACL can reduce this. 

An interesting point is that XInclude and other inbody links which are automatically
fetched, parsed and embedded are susceptible to some kind of DoS where 
a resource fetched from a system under attacker control generates a never 
terminating series of XInclude references, each included document including
more documents.  At least the prolog fixes the number of entities possible.

Cheers
Rick Jelliffe


----- Original Message ----- 
From: "Miles Sabin" <miles@milessabin.com>
To: <xml-dev@lists.xml.org>
Sent: Wednesday, October 30, 2002 8:05 PM
Subject: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack


> No surprises for us given that we've discussed this and related issues 
> here several times over the last few years, but nice to see it getting 
> a wider circulation. And unlike the theoretical discussions we've had, 
> this guy has gone out and tested existing software ...
> 
> http://online.securityfocus.com/archive/1/297714/2002-10-27/2002-11-02/0
> 
> Gregory Steuck security advisory #1, 2002
> 
> Overview:
>   XXE (Xml eXternal Entity) attack is an attack on an application that
>   parses XML input from untrusted sources using incorrectly configured
>   XML parser. The application may be coerced to open arbitrary files
>   and/or TCP connections.
> 
> Cheers,
> 
> 
> Miles
> 
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
> 
> The list archives are at http://lists.xml.org/archives/xml-dev/
> 
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>
> 
>

Follow-Ups:
- Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: Miles Sabin <miles@milessabin.com>
- Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: Miles Sabin <miles@milessabin.com>

References:
- Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: Miles Sabin <miles@milessabin.com>

Prev by Date: Re: [xml-dev] Note from the Troll
Next by Date: Re: [xml-dev] XML Object Serialization
Previous by thread: Seen on BugTraq: XXE (Xml eXternal Entity) attack
Next by thread: Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
Index(es):
- Date
- Thread