<<< Date Index >>>     <<< Thread Index >>>

Command Injection in XML Digital Signatures



iSEC Partners Security Advisory - 12 Jul 2007
XML Digital Signature Command Injection
http://www.isecpartners.com
--------------------------------------------

XML Digital Signature Command Injection Vulnerability

Vendor: Sun Microsystems, Inc.
Vendor URL: http://sun.com
Versions affected: 
        JSR 105 Reference Implementation
        Java Web Services Developer Pack (JWSDP) version 1.5
        Java Web Services Developer Pack (JWSDP) version 2.0
        Java Platform, Standard Edition 6.0
        Sun Java System Web Server version 7.0
        Sun Java System Application Server Platform Edition version 8.2
        Sun Java System Application Server Enterprise Edition version 8.2
        Sun Java System Application Server Platform Edition version 9.0
Systems Affected: 
        Solaris SPARC Platform
        Solaris x86 Platform
        Linux
        Windows
        HP-UX
Vendor: Institute for Applied Information Processing and Communication (IAIK)
Vencor URL: http://www.iaik.tugraz.at/
Versions affected:
        XML Security Toolkit (XSECT) versions < 1.10
        XML Signature Library (IXSIL) all versions
Systems Affected: All
Severity: Critical (Unauthenticated Remote Code Execution)
Author: Brad Hill <brad[at]isecpartners[dot]com>
Vendor notified: 15 Jan 2007
Public release: 12 Jul 2007
Patch available:
        Sun Microsystems: 10 Jul 2007
        IAIK:             23 Mar 2007
Advisory URL: http://www.isecpartners.com/advisories/2007-04-dsig.txt

Summary:
--------
XML Digital Signarure and XML Encryption processing libraries 
which support XSLT transformations may be vulnerable to 
maliciously crafted stylesheets that can inject arbitrary code 
or commands.

Details:
--------
Complete details are available in a white paper at:

http://www.isecpartners.com/files/XMLDSIG_Command_Injection.pdf

The XSLT processors used by XML Signature and Encryption 
applications may have extension mechanisms with security-
critical properties.  An XSLT stylesheet input to such a 
processor may allow an attacker to include script, SQL, 
file system operations or arbitrary code which will be executed
with the permissions of the application.  Xalan XSLTC,
the default XSLT processor for most Java systems, supports such
extensions by default.  XML Signature applications processing
key info, references or utilizing a weak order of operations may
be tricked into executing such content by an anonymous 
attacker.

Fix Information:
----------------
No workaround is available.  Upgrade affected systems.

Java SE 6.0 update 2 includes a fix for this vulnerability, and 
application-specific patches are linked from Sun's advisory at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102992-1

IAIK XSECT version 1.10 includes a fix for this vulnerability,
and maintenance patches are available for IXSIL from IAIK support
at: 

http://jce.iaik.tugraz.at/sic/support

Thanks to:
----------
Sean Mullan, Sun Microsystems
Karl Scheibelhofer, IAIK

About iSEC Partners:
--------------------
iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification.

115 Sansome Street, Suite 1005
San Francisco, CA 94104
Phone: (415) 217-0052