Command Injection in XML Digital Signatures

2007-07-13T00:00:00
ID SECURITYVULNS:DOC:17503
Type securityvulns
Reporter Securityvulns
Modified 2007-07-13T00:00:00

Description

iSEC Partners Security Advisory - 12 Jul 2007 XML Digital Signature Command Injection http://www.isecpartners.com


XML Digital Signature Command Injection Vulnerability

Vendor: Sun Microsystems, Inc. Vendor URL: http://sun.com Versions affected: JSR 105 Reference Implementation Java Web Services Developer Pack (JWSDP) version 1.5 Java Web Services Developer Pack (JWSDP) version 2.0 Java Platform, Standard Edition 6.0 Sun Java System Web Server version 7.0 Sun Java System Application Server Platform Edition version 8.2 Sun Java System Application Server Enterprise Edition version 8.2 Sun Java System Application Server Platform Edition version 9.0 Systems Affected: Solaris SPARC Platform Solaris x86 Platform Linux Windows HP-UX Vendor: Institute for Applied Information Processing and Communication (IAIK) Vencor URL: http://www.iaik.tugraz.at/ Versions affected: XML Security Toolkit (XSECT) versions < 1.10 XML Signature Library (IXSIL) all versions Systems Affected: All Severity: Critical (Unauthenticated Remote Code Execution) Author: Brad Hill <brad[at]isecpartners[dot]com> Vendor notified: 15 Jan 2007 Public release: 12 Jul 2007 Patch available: Sun Microsystems: 10 Jul 2007 IAIK: 23 Mar 2007 Advisory URL: http://www.isecpartners.com/advisories/2007-04-dsig.txt

Summary:

XML Digital Signarure and XML Encryption processing libraries which support XSLT transformations may be vulnerable to maliciously crafted stylesheets that can inject arbitrary code or commands.

Details:

Complete details are available in a white paper at:

http://www.isecpartners.com/files/XMLDSIG_Command_Injection.pdf

The XSLT processors used by XML Signature and Encryption applications may have extension mechanisms with security- critical properties. An XSLT stylesheet input to such a processor may allow an attacker to include script, SQL, file system operations or arbitrary code which will be executed with the permissions of the application. Xalan XSLTC, the default XSLT processor for most Java systems, supports such extensions by default. XML Signature applications processing key info, references or utilizing a weak order of operations may be tricked into executing such content by an anonymous attacker.

Fix Information:

No workaround is available. Upgrade affected systems.

Java SE 6.0 update 2 includes a fix for this vulnerability, and application-specific patches are linked from Sun's advisory at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102992-1

IAIK XSECT version 1.10 includes a fix for this vulnerability, and maintenance patches are available for IXSIL from IAIK support at:

http://jce.iaik.tugraz.at/sic/support

Thanks to:

Sean Mullan, Sun Microsystems Karl Scheibelhofer, IAIK

About iSEC Partners:

iSEC Partners is a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification.

115 Sansome Street, Suite 1005 San Francisco, CA 94104 Phone: (415) 217-0052