Slashdot Mirror


XML Library Flaw — Sun, Apache, GNOME Affected

bednarz writes with this excerpt from Network World: "Vulnerabilities discovered in XML libraries from Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project could result in successful denial-of-service attacks on applications built with them, according to Codenomicon. The security vendor found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and delivery of a malicious payload using XML-based content. Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available Wednesday. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI)."

30 of 140 comments

  1. ASCII Delimited Security Issues by Algorithmn · · Score: 2, Insightful

    Seems to me that ASCII delimited protocols always have these types of issues. It's quite easy to write fuzzers for human readable protocols compared to binary encoded protocols. Too bad these developers don't know how to write good unit tests... This could have been avoided.

    1. Re:ASCII Delimited Security Issues by sys.stdout.write · · Score: 4, Insightful

      Too bad these developers don't know how to write good unit tests... This could have been avoided..

      That's unfair. I'm all about unit tests and they do help find bugs, but a unit test isn't going to find a precisely-crafted piece of malicious input.

    2. Re:ASCII Delimited Security Issues by Z00L00K · · Score: 3, Informative

      XML in itself is sometimes a denial of service with strange side-effects.

      As soon as you insert XML that isn't well-formed into an XML parser it will barf in one way or another. And then you will have to dedicate hours to figure out which tag/data in a 200kB XML request was the culprit. If you are lucky you get a parsing exception, if not you get a null pointer exception or an infinite loop in the parser.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:ASCII Delimited Security Issues by morgan_greywolf · · Score: 2, Insightful

      It's just as easy to fuzz a binary-encoded protocol, it just doesn't require specialized tools. Ever heard of TCP/IP-based DoS attacks?

    4. Re:ASCII Delimited Security Issues by jopsen · · Score: 4, Funny

      A properly written unit test might have a chance of finding it if you take the approach of writing your unit tests by looking at how the function can fail.

      I prefer not to find my bugs...

    5. Re:ASCII Delimited Security Issues by $1uck · · Score: 2, Insightful

      Just be happy you don't have to play with SGML.

    6. Re:ASCII Delimited Security Issues by Algorithmn · · Score: 2, Insightful

      I hope you're not a developer... http://en.wikipedia.org/wiki/Unit_testing

    7. Re:ASCII Delimited Security Issues by shutdown+-p+now · · Score: 2, Interesting

      Refusing to handle invalid input isn't denial of service. Also, I haven't seen any XML parser that would give you a null pointer/reference exception on invalid input. In fact, all that I've used will give the exact line/column number at which the error happened.

  2. Re:Open source by gila_monster · · Score: 2, Interesting

    You'll probably get tagged 'troll' for that, but I'll bite.

    It's not that open source is not susceptible to these things (all software is). But with open source, these things are usually found more quickly, and are generally patched/fixed more quickly. I don't have statistics to support a statement that critical errors like this happen less often with open source, but I would have no trouble believing that.

    Open source is usually more transparent about the problem, too. Many closed source vendors hide these things, so you never know you're vulnerable and thus can't adjust for it.

    --
    Ad luna, Alicia! Ad luna!
  3. Article?? by funkatron · · Score: 4, Insightful

    There doesn't seem to be much of an article behind this summary. Just some fluff about malicious input and the fact that XML is widely used. Would be interesting to see examples of the malicious XML and an explanation of how the vulnerabilities work.

    --
    "Welcome to our world. We are the wasted youth. And we are the future too." Yes, I know these are stupid lyrics.
    1. Re:Article?? by Anonymous Coward · · Score: 2, Informative

      I think they in fact did it in a very responsible way. If you read the CERT advisory and everything, it seems they have worked a good part of the year with the industry and CERTs to make sure these problems are actually fixed before letting people know!

    2. Re:Article?? by Odin's+Raven · · Score: 2, Funny

      Would be interesting to see examples of the malicious XML and an explanation of how the vulnerabilities work.

      I've included a simple demonstration below - if your browser doesn't contain the flaw then you'll just see the literal XML exploit code (all 200+ lines of it), but if it's vulnerable then you'll only see the initial trigger element on either side of Cmdr Taco's favorite topic.

      <\0pwned>OMGPonies!!11one!<\0pwn3d/>

      --
      A marriage is always made up of two people who are prepared to swear that only the other one snores.
  4. Re:Open source by jpmorgan · · Score: 4, Informative

    Someone will undoubtedly say that the bug being found was part of the process, since it's open source and that means the source is auditable by anybody. Reality: it was discovered by the maker of a fuzzing tool. Fuzzing is the process of sending garbage into software to see if it breaks... it works quite well and generally doesn't require the source code.

    Also, fuzzing discovers DoSes. But many DoS attacks turn into vulnerabilities in the hands of a skilled hacker, and it's generally not safe to assume that a DoS is unexploitable without extensive code analysis.

  5. Re:And they said XML was easy to parse by ShadowRangerRIT · · Score: 3, Insightful

    Except CSV isn't a standard. While the general idea is similar, the details differ greatly from parser to parser. Do you need a trailing comma on the line? Do you allow leading or trailing space on an entry? Since most generators use slightly different conventions, parsers need to be significantly more complex. And CSV is far more limited in scope. I think of CSV as the scripting language to XML's high level OO VM language. Neither is a particularly efficient format, but they're both easier to work with than the alternative (binary coded data), and they're each good for different things. CSV works well for simple data structures, just like scripting languages are appropriate for small utility programs, while XML is good for complex, rigidly defined structures, just like a high level OO language is more appropriate to large projects where maintainability is a concern.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  6. Why is Python excluded from Title? by neonprimetime · · Score: 4, Insightful

    Title = XML Library Flaw -- Sun, Apache, GNOME Affected
    1st Line of Summary = Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project

    1. Re:Why is Python excluded from Title? by recoiledsnake · · Score: 5, Funny

      Because pythons are long and big and will not fit the title.

      --
      This space for rent.
    2. Re:Why is Python excluded from Title? by kill-1 · · Score: 2, Interesting

      Also, the linked article and the news on the Codenomicon website don't mention GNOME.

    3. Re:Why is Python excluded from Title? by jDeepbeep · · Score: 2, Insightful

      Because pythons are long and big and will not fit the title.

      You should get the extra mod point on top of the current 4, just for the fact that your /. name has the word 'snake' in it.

      --
      Reply to That ||
  7. Solution by vainvanevein · · Score: 2, Insightful

    The solution is clear to me. I would stop using XML.

  8. Re:Open source by bberens · · Score: 2, Insightful

    Since MS is closed source, it wouldn't be fixed for months on end like open source is. That's the only difference. See? It works both ways, neither is really helpful.

    --
    Check out my lame java blog at www.javachopshop.com
  9. Re:And they said XML was easy to parse by Desler · · Score: 3, Informative

    Except CSV isn't a standard.

    The IETF might disagree with you.

  10. Re:Open source by heffrey · · Score: 2, Funny

    You think I've come to the right place?

  11. Re:And they said XML was easy to parse by Timothy+Brownawell · · Score: 2, Informative

    Except CSV isn't a standard.

    The IETF might disagree with you.

    "This memo provides information for the Internet community. It does not specify an Internet standard of any kind."

  12. Re:And they said XML was easy to parse by ShadowRangerRIT · · Score: 2, Insightful

    Interesting. Of course, it was only published in 2005. If they'd written this up 20 years ago, it might have been more helpful. As is, the various CSV writers have been around so long that a lot of non-conformant CSV is out there. So the parsers remain fairly complex, to account for the previously undefined behaviors. And of course, that standard is for a MIME type; non-web focused CSV generators will still ignore parts of it.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  13. Which XML libraries? by wowbagger · · Score: 3, Insightful

    Which libraries? libxml2, expat, or some other library?

    The last I'd checked, Python could use several XML libraries, and Sun distributed several libraries.

    It would be nice if TFA had told us which libraries, or had a link to the actual report listing them.

  14. Re:Unit Tests by trwww · · Score: 2, Insightful

    Exactly. Unit tests do not prove the absence of bugs. They prove the existence of bugs.

  15. Re:XML... by owlstead · · Score: 2, Interesting

    I would if the Slashdot UI had a link or button on the page to view the signature of individual messages.

  16. Someone just rediscovered XML Entity Attacks by Rich · · Score: 3, Interesting

    It's difficult to say from the information provided, but it sounds like someone just rediscovered XML entity attacks (as I did a few years ago). Assuming it is the same thing, here are some references from 2002 and 2006 with more details:
    http://www.securiteam.com/securitynews/6D0100A5PU.html
    http://www.sift.com.au/assets/downloads/SIFT-XML-Port-Scanning-v1-00.pdf

    I've used these attacks in real-world tests and they are still surprisingly effective - just not new.
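As an added, defender-side example (not code from the post or from the references it cites): the entity attacks referred to above rely on the parser honouring `<!ENTITY>` declarations in untrusted input, so one mitigation is to abort on the first DOCTYPE or entity declaration using Python's standard-library expat binding, before any expansion can happen. The sample documents are constructed for this example.

```python
"""Reject untrusted XML that carries a DTD or entity declarations."""
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when untrusted XML declares a DOCTYPE or an entity."""


def _forbid(what):
    # Expat invokes the handler as soon as it reads the declaration,
    # which is before any entity reference in the body is expanded.
    def handler(*_args):
        raise UnsafeXML(f"{what} is not allowed in untrusted XML")
    return handler


def screen_untrusted_xml(data: bytes) -> ET.Element:
    """Parse only documents that contain no DOCTYPE and no entities.

    A first expat pass aborts on declarations; only if it completes is
    the (now known to be declaration-free) document handed to ElementTree.
    """
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = _forbid("DOCTYPE")
    p.EntityDeclHandler = _forbid("entity declaration")
    # Belt and braces: returning 0 makes expat fail any external reference
    p.ExternalEntityRefHandler = lambda *_args: 0
    p.Parse(data, True)  # raises UnsafeXML or expat.ExpatError
    return ET.fromstring(data)


def is_safe(data: bytes) -> bool:
    """True if the document passes screening, False if it is rejected."""
    try:
        screen_untrusted_xml(data)
        return True
    except (UnsafeXML, expat.ExpatError):
        return False


# Constructed sample inputs (not real traffic).
BENIGN = b'<?xml version="1.0"?><order><item sku="A1">2</item></order>'
NESTED_ENTITIES = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]>\n'
    b'<d>&b;</d>'
)

if __name__ == "__main__":
    print("benign:", is_safe(BENIGN))            # True
    print("nested entities:", is_safe(NESTED_ENTITIES))  # False
```

Rejecting every DOCTYPE is stricter than necessary for documents that legitimately use a DTD, but for input from untrusted parties it removes the entire expansion mechanism in one step.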

  17. Advisories released by Anonymous Coward · · Score: 2, Informative

    CERT-FI advisory: https://www.cert.fi/en/reports/2009/vulnerability2009085.html

    Sun advisory: http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1

    CERT-FI advisory had a link to Codenomicon web page with some more details: http://www.codenomicon.com/labs/xml/