Multiple vendor SOAP server (XML parser) denial of service (DTD parameter entities)

To: BugTraq@xxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx
Subject: Multiple vendor SOAP server (XML parser) denial of service (DTD parameter entities)
From: Amit Klein <Amit.Klein@xxxxxxxxxxxxxx>
Date: Thu, 11 Dec 2003 19:58:17 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007

///////////////////////////////////////////////////////////////////////////////

//==========================>> Security Advisory<<==========================//

///////////////////////////////////////////////////////////////////////////////

--------------------------------------------------------------------------------
-----[ Multiple vendor SOAP server (XML parser) denial of service
                      (DTD parameter entities)
--------------------------------------------------------------------------------

--[ Author: Amit Klein, Sanctum inc. http://www.SanctumInc.com

--[ Vendors alerted: August 28th, 2003

--[ Release Date: December 11th, 2003

--[ Product:

IBM WebSphere 5.0.0 (even when patched with "old" PQ70921)

Microsoft ASP.NET Web Services (.NET framework 1.0, .NET framework 1.1)

... And probably other products which use XML parsers

--[ Severity: High

--[ CVE: N/A

--[ Description

The DTD part of the XML document enables the document to define parameter
entities, which are used (only) inside the DTD as a shortname for repeating

DTD definitions. An attacker can send a specially crafted SOAP request,which

makes use of parameter entities to inflict a denial of service condition on

the server. In some cases, the parser returns an out of memory errorafter a long while.In some other cases, the CPU load remains stable at 100% for as long asthe processkeeps running. Another effect is that memory (hundreds of megabytes) wasnot freed

even when the CPU load dropped and a response was issued.

--[ Solution

IBM WebSPhere 5.0.0 - IBM has released a new version of PQ70921 Whichcan be found in

http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ70921&uid=swg24005582
Apply the new patch PQ70921 (even if it was applied earlier).

Microsoft ASP.NET Web Services - Microsoft has released an update to the.NET Framework.

It is documented in Knowledge Base article 826231, at the following URL:
http://support.microsoft.com/default.aspx?kbid=826231

Prev by Date: RE: A new TCP/IP blind data injection technique?
Next by Date: Finjan Software Discovers a New Critical Vulnerability In Yahoo E-mail Service
Previous by thread: irssi - potential remote crash
Next by thread: Finjan Software Discovers a New Critical Vulnerability In Yahoo E-mail Service
Index(es):
- Date
- Thread