AOH :: HP Unsorted C :: TB11606.HTM

XML Digital Signatures Command Injection



Command Injection in XML Digital Signatures
Command Injection in XML Digital Signatures



iSEC Partners Security Advisory - 12 Jul 2007
XML Digital Signature Command Injection
http://www.isecpartners.com 
--------------------------------------------

XML Digital Signature Command Injection Vulnerability

Vendor: Sun Microsystems, Inc.
Vendor URL: http://sun.com 
Versions affected: 
	JSR 105 Reference Implementation
	Java Web Services Developer Pack (JWSDP) version 1.5
	Java Web Services Developer Pack (JWSDP) version 2.0
	Java Platform, Standard Edition 6.0
	Sun Java System Web Server version 7.0
	Sun Java System Application Server Platform Edition version 8.2
	Sun Java System Application Server Enterprise Edition version 8.2
	Sun Java System Application Server Platform Edition version 9.0
Systems Affected: 
	Solaris SPARC Platform
	Solaris x86 Platform
	Linux
	Windows
	HP-UX
Vendor: Institute for Applied Information Processing and Communication (IAIK)
Vencor URL: http://www.iaik.tugraz.at/ 
Versions affected:
	XML Security Toolkit (XSECT) versions < 1.10
	XML Signature Library (IXSIL) all versions
Systems Affected: All
Severity: Critical (Unauthenticated Remote Code Execution)
Author: Brad Hill 
Vendor notified: 15 Jan 2007
Public release: 12 Jul 2007
Patch available:
	Sun Microsystems: 10 Jul 2007
	IAIK: 		  23 Mar 2007
Advisory URL: http://www.isecpartners.com/advisories/2007-04-dsig.txt 

Summary:
--------
XML Digital Signarure and XML Encryption processing libraries 
which support XSLT transformations may be vulnerable to 
maliciously crafted stylesheets that can inject arbitrary code 
or commands.

Details:
--------
Complete details are available in a white paper at:

http://www.isecpartners.com/files/XMLDSIG_Command_Injection.pdf 

The XSLT processors used by XML Signature and Encryption 
applications may have extension mechanisms with security-
critical properties.  An XSLT stylesheet input to such a 
processor may allow an attacker to include script, SQL, 
file system operations or arbitrary code which will be executed
with the permissions of the application.  Xalan XSLTC,
the default XSLT processor for most Java systems, supports such
extensions by default.  XML Signature applications processing
key info, references or utilizing a weak order of operations may
be tricked into executing such content by an anonymous 
attacker.

Fix Information:
----------------
No workaround is available.  Upgrade affected systems.

Java SE 6.0 update 2 includes a fix for this vulnerability, and 
application-specific patches are linked from Sun's advisory at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102992-1 

IAIK XSECT version 1.10 includes a fix for this vulnerability,
and maintenance patches are available for IXSIL from IAIK support
at: 

http://jce.iaik.tugraz.at/sic/support 

Thanks to:
----------
Sean Mullan, Sun Microsystems
Karl Scheibelhofer, IAIK

About iSEC Partners:
--------------------
iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification.

115 Sansome Street, Suite 1005
San Francisco, CA 94104
Phone: (415) 217-0052

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.