Command Injection in XML Digital Signatures
iSEC Partners Security Advisory - 12 Jul 2007
XML Digital Signature Command Injection
http://www.isecpartners.com
--------------------------------------------
XML Digital Signature Command Injection Vulnerability
Vendor: Sun Microsystems, Inc.
Vendor URL: http://sun.com
Versions affected:
JSR 105 Reference Implementation
Java Web Services Developer Pack (JWSDP) version 1.5
Java Web Services Developer Pack (JWSDP) version 2.0
Java Platform, Standard Edition 6.0
Sun Java System Web Server version 7.0
Sun Java System Application Server Platform Edition version 8.2
Sun Java System Application Server Enterprise Edition version 8.2
Sun Java System Application Server Platform Edition version 9.0
Systems Affected:
Solaris SPARC Platform
Solaris x86 Platform
Linux
Windows
HP-UX
Vendor: Institute for Applied Information Processing and Communication (IAIK)
Vencor URL: http://www.iaik.tugraz.at/
Versions affected:
XML Security Toolkit (XSECT) versions < 1.10
XML Signature Library (IXSIL) all versions
Systems Affected: All
Severity: Critical (Unauthenticated Remote Code Execution)
Author: Brad Hill <brad[at]isecpartners[dot]com>
Vendor notified: 15 Jan 2007
Public release: 12 Jul 2007
Patch available:
Sun Microsystems: 10 Jul 2007
IAIK: 23 Mar 2007
Advisory URL: http://www.isecpartners.com/advisories/2007-04-dsig.txt
Summary:
--------
XML Digital Signarure and XML Encryption processing libraries
which support XSLT transformations may be vulnerable to
maliciously crafted stylesheets that can inject arbitrary code
or commands.
Details:
--------
Complete details are available in a white paper at:
http://www.isecpartners.com/files/XMLDSIG_Command_Injection.pdf
The XSLT processors used by XML Signature and Encryption
applications may have extension mechanisms with security-
critical properties. An XSLT stylesheet input to such a
processor may allow an attacker to include script, SQL,
file system operations or arbitrary code which will be executed
with the permissions of the application. Xalan XSLTC,
the default XSLT processor for most Java systems, supports such
extensions by default. XML Signature applications processing
key info, references or utilizing a weak order of operations may
be tricked into executing such content by an anonymous
attacker.
Fix Information:
----------------
No workaround is available. Upgrade affected systems.
Java SE 6.0 update 2 includes a fix for this vulnerability, and
application-specific patches are linked from Sun's advisory at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102992-1
IAIK XSECT version 1.10 includes a fix for this vulnerability,
and maintenance patches are available for IXSIL from IAIK support
at:
http://jce.iaik.tugraz.at/sic/support
Thanks to:
----------
Sean Mullan, Sun Microsystems
Karl Scheibelhofer, IAIK
About iSEC Partners:
--------------------
iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification.
115 Sansome Street, Suite 1005
San Francisco, CA 94104
Phone: (415) 217-0052