0dd - The Zero (0) Day Division

The Zero (0) Day Division is a group of security professionals working towards a common goal; securing open-source projects.


The Issue

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Where the Issue Occurred

The code below creates an XML parser which parses an XML (or uxf) file that opens and parses the data within:

SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
FileInputStream input = new FileInputStream(file);
InputHandler xmlhandler = new InputHandler(handler);
parser.parse(input, xmlhandler);

This parsing is done in an insecure manner and does not prohibit the usage of XML external entities. This allows attackers to do the above-mentioned attacks on a targeted user.

Attack Scenario

An attacker could be sharing a UML diagram made within the UMLet software and exported as a uxf file. An example could be sharing a class diagram with a peer and exploiting that trusted relationship to perform unauthorised actions within their system (or even just downloading a class diagram online).

PoC File

File named test.uxf

<?xml version="1.0" ?>
<!ENTITY sp SYSTEM "http://0dd.zone">

Disclosure Timeline

  • Issue Reported: 4th April 2018
  • Issue Resolved: 6th April 2018
  • Blog Post Published: 23rd April 2018
  • CVE Received: 24th June 2018