XML External Entity (XXE) Injection Vulnerability in Apache Batik (Java
SVG Toolkit)
====================================================================================
Researcher: Kevin Schaller <kschaller () ernw de>
Description
===========
Batik is a Java-based toolkit for applications or applets that want to use images in the Scalable Vector Graphics (SVG) format for various purposes, such as display, generation or manipulation. [1]
Batik offers several classes for svg to png/jpg conversion, which suffer from a XML External Entity Injection due to the evaluation of external entities within the given svg file. If an application offers the possibility to upload a svg file an attacker can put in a malicious formed file and retrieve sensitive information such as the content of files of the respective server. The type of file that can be retrieved depends on the user context in which the application is running.
Further information about the vulnerability can be seen here [2] and here [3].
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
CVSS Base Score
===============
6.4 (AV:N / AC:L / Au:N / C:P / I:N / A:P)
CVE-ID
======
CVE-2015-0250
Impact
======
Files lying on the filesystem of the server which uses batik can
be revealed to arbitrary users who send maliciously formed svg
files. The file types that can be shown depend on the user context
in which the exploitable application is running. If the user is 'root'
a full compromise of the server--including confidential or sensitive
files--would be possible.
XXE can also be used to attack the availability of the server
via denial of service as the references within a xml document
can trivially trigger an amplification attack.
Proof of Concept
================
A fully documented proof of concept can be downloaded here: [4]
Mitigation
==========
Upgrade to Batik 1.8+
Affected Versions
=================
All versions
1.0 - 1.7 (current)
Timeline
========
2015-01-22: Apache informed via email - no response
2015-02-08: Remainder sent via email
2015-02-10: Vulnerability confirmed and fix has been tested and confirmed to work
2015-03-17: Release of a fixed version and public dislocure
Credits
=======
Timo Schmid <tschmid () ernw de>
References
==========
[1] http://xmlgraphics.apache.org/batik/
[2] http://www.insinuator.net/2015/03/xxe-injection-in-apache-batik-library-cve-2015-0250/
[3] https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
[4] https://www.ernw.de/download/xxe_batik.tar.xz
Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/
distributor be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
--
Kevin Schaller
ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 (Zentrale) - Fax +49 6221 419008 - Cell +49 151 16227194
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
==============================================================
|| Blog: www.insinuator.net | | Conference: www.troopers.de ||
==============================================================