<<< Date Index >>>     <<< Thread Index >>>

Re: Multiple Vendor SOAP server (XML parser) attribute blowup DoS




Hi Marc,

I presume Sun refers to http://www.securityfocus.com/archive/1/303509. In this case, the only commonality between the two issues is that they both result from a problem in the underlying XML parser, but the problems in the XML parser are fundamentally different.

Thanks,
-Amit

   Hi,

   this seems to be somehow related (at least the Java DoSes) to

   "Large number of entity expansions cause 100 % CPU resulting in DoS
   condition."

   (http://developer.java.sun.com/developer/bugParade/bugs/4791146.html)

   This bug is public since 12/2002, and fixed in JDK 1.4.1_03 according
   to Sun.

   Marc


   On Tue, 9 Dec 2003, Amit Klein wrote:

    > Date: Tue, 09 Dec 2003 18:48:48 +0200
    > From: Amit Klein <Amit.Klein@xxxxxxxxxxxxxx>
    > To: bugtraq@xxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx
    > Subject: Multiple Vendor SOAP server (XML parser) attribute
   blowup DoS
    >
    >
   
///////////////////////////////////////////////////////////////////////////////
    > //==========================>> Security Advisory
    > <<==========================//
    >
   
///////////////////////////////////////////////////////////////////////////////
    >
    >
   
--------------------------------------------------------------------------------
    > -----[ Multiple Vendor SOAP server (XML parser) attribute blowup DoS
    >
   
--------------------------------------------------------------------------------
    >
    > --[ Author: Amit Klein, Sanctum inc. http://www.SanctumInc.com
    >
    > --[ Vendors alerted: August 28th, 2003
    >
    > --[ Release Date: December 9th, 2003
    >
    > --[ Products:
    >
    > IBM WebSphere 5.0.0, 5.0.1, 5.0.2, 5.0.2.1
    >
    > Microsoft ASP.NET Web Services (.NET framework 1.0, .NET
   framework 1.1)
    >
    > Macromedia ColdFusion MX 6.0, 6.1
    >
    > Macromedia JRun 4
    >
    > ... And probably other products which use XML parsers
    >
    > --[ Severity: High
    >
    > --[ CVE: N/A
    >
    > --[ Description
    >
    > An attacker can craft a malicious SOAP request, which uses XML
    > attributes in a way that
    > inflicts a denial of service condition on the target machine
   (SOAP server).
    > The result of this attack is that the XML parser consumes all the CPU
    > resources
    > for a long period of time (from seconds to minutes, depending on the
    > size of the payload).
    > In our experiments, we were able to send attacks (of few hunderd KBs)
    > that caused the target
    > machines to consume 100% CPU for several minutes.
    >
    > --[ Solution
    >
    > IBM WebSphere - Download and apply IBM patch PQ81278 from the
   following URL:
    >
   
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ81278&uid=swg24005943
    >
    > Microsoft ASP.NET Web Services - Microsoft is aware of the issue, and
    > has documented
    > recommended practices for what customers should consider when
   exposing
    > Web service endpoints
    > in Knowledge Base Article 832878
    > (http://support.microsoft.com/default.aspx?kbid=832878)
    >
    > Macromedia - please follow the instructions of MPSB03-07, in the
    > following URL:
    >
   http://www.macromedia.com/devnet/security/security_zone/mpsb03-07.html
    >
    >
    >
    >

   --

   Never be afraid to try something new. Remember, amateurs built the
   ark; professionals built the Titanic. -- Anonymous

   Marc Sch?nefeld Dipl. Wirtsch.-Inf. / Software Developer