iSEC Partners Security Advisory - 12 Jul 2007 XML Digital Signature Command Injection http://www.isecpartners.com
XML Digital Signature Command Injection Vulnerability
Vendor: Sun Microsystems, Inc. Vendor URL: http://sun.com Versions affected: JSR 105 Reference Implementation Java Web Services Developer Pack (JWSDP) version 1.5 Java Web Services Developer Pack (JWSDP) version 2.0 Java Platform, Standard Edition 6.0 Sun Java System Web Server version 7.0 Sun Java System Application Server Platform Edition version 8.2 Sun Java System Application Server Enterprise Edition version 8.2 Sun Java System Application Server Platform Edition version 9.0 Systems Affected: Solaris SPARC Platform Solaris x86 Platform Linux Windows HP-UX Vendor: Institute for Applied Information Processing and Communication (IAIK) Vencor URL: http://www.iaik.tugraz.at/ Versions affected: XML Security Toolkit (XSECT) versions < 1.10 XML Signature Library (IXSIL) all versions Systems Affected: All Severity: Critical (Unauthenticated Remote Code Execution) Author: Brad Hill <brad[at]isecpartners[dot]com> Vendor notified: 15 Jan 2007 Public release: 12 Jul 2007 Patch available: Sun Microsystems: 10 Jul 2007 IAIK: 23 Mar 2007 Advisory URL: http://www.isecpartners.com/advisories/2007-04-dsig.txt
XML Digital Signarure and XML Encryption processing libraries which support XSLT transformations may be vulnerable to maliciously crafted stylesheets that can inject arbitrary code or commands.
Complete details are available in a white paper at:
The XSLT processors used by XML Signature and Encryption applications may have extension mechanisms with security- critical properties. An XSLT stylesheet input to such a processor may allow an attacker to include script, SQL, file system operations or arbitrary code which will be executed with the permissions of the application. Xalan XSLTC, the default XSLT processor for most Java systems, supports such extensions by default. XML Signature applications processing key info, references or utilizing a weak order of operations may be tricked into executing such content by an anonymous attacker.
No workaround is available. Upgrade affected systems.
Java SE 6.0 update 2 includes a fix for this vulnerability, and application-specific patches are linked from Sun's advisory at:
IAIK XSECT version 1.10 includes a fix for this vulnerability, and maintenance patches are available for IXSIL from IAIK support at:
Sean Mullan, Sun Microsystems Karl Scheibelhofer, IAIK
iSEC Partners is a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification.
115 Sansome Street, Suite 1005 San Francisco, CA 94104 Phone: (415) 217-0052