Whitepaper: Command Injection in XML Digital Signatures and Encryption

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Whitepaper: Command Injection in XML Digital Signatures and Encryption
From: brad@xxxxxxxxxxxxxxxx
Date: 12 Jul 2007 20:34:40 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

iSEC Partners and Brad Hill are pleased to announce the availability of a new 
whitepaper describing design flaws and new attacks against the XML Digital 
Signature and XML Encryption standards.  It accompanies recent advisories and 
provides detailed guidance for auditors and implementers of these products.

Full Paper Available at:
------------------------

http://www.isecpartners.com/files/XMLDSIG_Command_Injection.pdf

Abstract: 
---------

The XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC) standards are 
complex protocols for securing XML and other content. Among its complexities, 
the XMLDSIG standard specifies various ?Transform? algorithms to identify, 
manipulate and canonicalize signed content and key material. Unfortunately, the 
defined transforms have not been rigorously constrained to prevent their use as 
attack vectors, and denial of service or even arbitrary code execution are 
probable in implementations that have not specifically guarded against such 
risks. 

Attacks against the processing application can be embedded in the KeyInfo 
portion of a signature, making them inherently unauthenticated, or in the 
SignedInfo block. Although tampering with the SignedInfo should be detectable, 
a defective implied order of operations in the specification may still allow 
unauthenticated attacks here. 

The ability to execute arbitrary code and perform file system operations with a 
malicious, invalid signature has been confirmed by the researcher in at least 
two independent XMLDSIG implementations, and other implementations may be 
similarly vulnerable. This paper describes the vulnerabilities in detail and 
offers advice for remediation. The most damaging attack is also likely to apply 
in other contexts where XSLT is accepted as input, and should be considered by 
all implementers of complex XML processing systems.

About iSEC Partners:
--------------------
iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification.

115 Sansome Street, Suite 1005
San Francisco, CA 94104
Phone: (415) 217-0052

Prev by Date: Command Injection in XML Digital Signatures
Next by Date: [ MDKSA-2007:146 ] - Updated perl-Net-DNS packages fix multiple vulnerabilities
Previous by thread: Command Injection in XML Digital Signatures
Next by thread: [ MDKSA-2007:146 ] - Updated perl-Net-DNS packages fix multiple vulnerabilities
Index(es):
- Date
- Thread