HackerOne report H1:1104077 (jupenur)
Feb 16, 2021 - 8:10 a.m.

Ruby: Round-trip instability in REXML

2021-02-16 08:10:08
jupenur
hackerone.com
$500
33

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 5 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.001 Low
  Percentile: 28.1%

Submitted previously via email to [email protected] due to REXML not being listed under in-scope assets here. Explicitly requested by @hsbt to re-submit through HackerOne.

CVSS rating calculated based on confirmed downstream impact.


Hi Ruby Security Team,

I’m reaching out to you to report a vulnerability in REXML that renders downstream use-cases susceptible to varying degrees of tampering.

Conceptually the vulnerability is similar to Go encoding/xml bugs publicly disclosed in December. For context, high-level descriptions of those vulnerabilities can be found in the blog post at https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ and in the advisories it references.

In the case of REXML, the specific vulnerability is best explained using a code example:

require 'rexml/document'

# Parse the crafted document (the DOCTYPE carries a NOTATION declaration
# with unbalanced quotes; the element content follows it)
doc = REXML::Document.new <<XML
<!DOCTYPE x [ <!NOTATION x SYSTEM 'x">]><X><Z/>
</X>
XML

# Name of the root element's first child as parsed from the original input
puts "First child in original doc: " + doc.root.elements[1].name
# Serialize with REXML and parse that serialization again
doc = REXML::Document.new doc.to_s
# Name of the root element's first child after the round trip
puts "First child after round-trip: " + doc.root.elements[1].name

This program prints two lines of text:

First child in original doc: Y
First child after round-trip: Z

The output demonstrates how the structure of an XML document can change when it is parsed and serialized using REXML. With a well-behaved parser, both lines would end with “Y”.

Regards,

Juho Nurminen
Staff Product Security Engineer, Mattermost, Inc.

Impact

The impact of XML round-trip issues can vary significantly depending on context. SAML implementations affected by such issues can allow authentication bypasses and privilege escalation. SOAP endpoints can allow circumventing business logic or access controls. More generally, any XML processing built on the parser loses its integrity guarantees.

We are aware of a major SAML implementation affected by this vulnerability, resulting in critical impact in all applications that rely on it. The vulnerability has not been reported to the downstream maintainers since it is an issue in REXML.
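Added example (my own code, not part of the report or of REXML): a defender-side check a SAML or SOAP consumer could apply before acting on a message. It treats a document as untrusted if it carries a DOCTYPE or if its element tree differs after one parse -> serialize -> parse cycle, which is exactly the property the report shows being violated. The function names, the fingerprint format and the benign sample input are my own; CRAFTED is the report's document.

```ruby
require 'rexml/document'

# Structural fingerprint of an element subtree: path, sorted attributes and
# direct text, in document order. Equal fingerprints mean an application
# would observe the same element tree.
def fingerprint(node, path = [], out = [])
  path += [node.name]
  attrs = []
  node.attributes.each_attribute { |a| attrs << "#{a.expanded_name}=#{a.value}" }
  text = node.texts.map(&:value).join.strip
  out << "#{path.join('/')}[#{attrs.sort.join(',')}]#{text}"
  node.elements.each { |child| fingerprint(child, path, out) }
  out
end

# True only if re-parsing REXML's own serialization yields the same tree.
# A parse error on either pass counts as unstable rather than raising.
def round_trip_stable?(xml)
  first = REXML::Document.new(xml)
  return false unless first.root
  second = REXML::Document.new(first.to_s)
  return false unless second.root
  fingerprint(first.root) == fingerprint(second.root)
rescue REXML::ParseException
  false
end

# Policy a SAML or SOAP consumer could apply before acting on a message:
# refuse any DOCTYPE (the instability above lives in DTD parsing) and
# require the document to survive a round trip unchanged.
def safe_to_trust?(xml)
  doc = REXML::Document.new(xml)
  return false if doc.doctype
  round_trip_stable?(xml)
rescue REXML::ParseException
  false
end

# The report's crafted document, verbatim.
CRAFTED = "<!DOCTYPE x [ <!NOTATION x SYSTEM 'x\">]><X><Z/>\n</X>\n"

if __FILE__ == $0
  # Constructed benign input (mine), then the report's document
  puts safe_to_trust?("<X><Y/><Z a='1'/></X>")  # true
  puts safe_to_trust?(CRAFTED)                   # false
end
```

On a patched REXML the crafted document is rejected at parse time; on an unpatched one it parses, but the DOCTYPE check and the fingerprint mismatch each reject it independently.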
