users@jersey.java.net

Re: [Jersey] Jersey vulnerable to XXE attack?

From: Tim McCune <tim_at_mccune.name>
Date: Tue, 7 Jul 2009 11:16:54 -0700

Even simpler to demonstrate, I've simply patched the "jaxb" example from the
jersey-samples project with a new test case that demonstrates the
vulnerability. I'm attaching the diff so you can patch the sample project
and see the result for yourself.

Apply the patch, run "mvn install" on the jaxb example project, and examine
the test failure in
target/surefire-reports/com.sun.jersey.samples.jaxb.MainTest.txt. You'll
see something like this (on a Unix system):

Tests run: 9, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 9.058 sec
<<< FAILURE!
testXXEVulnerability(com.sun.jersey.samples.jaxb.MainTest) Time elapsed:
0.598 sec <<< FAILURE!
java.lang.AssertionError: XXE Attack succeeded: <?xml version="1.0"
encoding="UTF-8"
standalone="yes"?><jaxbXmlRootElement><value>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
...

On Mon, Jul 6, 2009 at 1:25 PM, Tim McCune <tim_at_mccune.name> wrote:

> @Path("/")
> public class MovieResource
> ...
>     @POST
>     @Path("user/{id}/favoriteMovies")
>     @Consumes({"application/xml", "application/json"})
>     public FavoriteMovie addFavoriteMovie(@PathParam("id") Long id,
>                                           FavoriteMovie movie) {
>         return movie;
>     }
> }
>
> @XmlRootElement
> public class FavoriteMovie {
>     private String _title;
>     public String getTitle() {
>         return _title;
>     }
>     public void setTitle(String title) {
>         _title = title;
>     }
> }
>
> If I POST the following XML:
> <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
> <favoriteMovie><title>&xxe;</title></favoriteMovie>
>
> I get back:
> <favoriteMovie>
> <title>root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> ...
> </title>
> </favoriteMovie>
>
> Adding a
> System.setProperty("entityExpansionLimit", "0");
> fixes the problem, and causes this exception instead:
> org.xml.sax.SAXParseException: The parser has encountered more than "0"
> entity expansions in this document; this is the limit imposed by the
> application.
>
>
> On Mon, Jul 6, 2009 at 1:01 PM, Guba, Nicolai <nguba_at_bioware.com> wrote:
>
>> I could not reproduce it. The JAXB serializer (correctly) identified
>> this as an invalid request.
>>
>> Maybe it works with resources that are processing form parameters? It may
>> be helpful to see the code snipped of the resource you are accessing.
>>
>> --
>>
>> =NPG=
>>
>> *From:* ksuwildcat_at_gmail.com [mailto:ksuwildcat_at_gmail.com] *On Behalf Of
>> *Tim McCune
>> *Sent:* Monday, July 06, 2009 1:04 PM
>> *To:* users_at_jersey.dev.java.net
>> *Subject:* [Jersey] Jersey vulnerable to XXE attack?
>>
>> http://www.securiteam.com/securitynews/6D0100A5PU.html
>>
>> Just tried this attack against a simple web service built on top of
>> Jersey, and it seems to have succeeded.
>>
>> <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
>> <foo><bar>&xxe;</bar></foo>
>>
>> If I POST that to a web service built on Jersey, and have my resource just
>> return the parameter that was passed into it, I can see the contents of
>> /etc/passwd.
>>
>> Can anyone confirm that this vulnerability exists, and if so, advise on
>> the best way to protect against it?
>>
>
>
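The mitigation this thread circles around, shown as an added example that is not code from the thread, from Tim's patch, or from the Jersey project: the unhardened path hands the raw request body to JAXB's default parser, which resolves the SYSTEM entity; the hardened path feeds JAXB a SAXSource whose XMLReader refuses any DOCTYPE and disables external entities. It assumes the javax.xml.bind API (JDK 6 to 8, or the JAXB jars on the classpath) and the JDK's bundled Xerces parser, whose feature URIs are used below. The "secret" file is a temp file the program writes itself, standing in for /etc/passwd from the thread; the XML strings are constructed to match the thread's payload shape.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.StringReader;

import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class XxeHardening {

    // Same shape as the FavoriteMovie class posted in the thread.
    @XmlRootElement(name = "favoriteMovie")
    public static class FavoriteMovie {
        private String title;
        public String getTitle() { return title; }
        public void setTitle(String t) { title = t; }
    }

    /** Unhardened: JAXB's default SAX parser resolves external general entities. */
    static FavoriteMovie unmarshalDefault(String xml) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(FavoriteMovie.class).createUnmarshaller();
        return (FavoriteMovie) u.unmarshal(new StringReader(xml));
    }

    /** Hardened: JAXB reads through an XMLReader configured to reject DOCTYPE
     *  and external entities, so the entity is never resolved. */
    static FavoriteMovie unmarshalHardened(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // Reject any DOCTYPE outright: no internal subset, no entity declarations.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that allow DOCTYPE: never fetch external entities or DTDs.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        Unmarshaller u = JAXBContext.newInstance(FavoriteMovie.class).createUnmarshaller();
        return (FavoriteMovie) u.unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for /etc/passwd: a temp file this program writes itself.
        File secret = File.createTempFile("xxe-demo", ".txt");
        secret.deleteOnExit();
        try (FileWriter w = new FileWriter(secret)) {
            w.write("SECRET-CONTENT");
        }

        // Constructed payload with the same shape as the one posted in the thread.
        String payload = "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">]>"
                + "<favoriteMovie><title>&xxe;</title></favoriteMovie>";
        String benign = "<favoriteMovie><title>Casablanca</title></favoriteMovie>";

        System.out.println("default parser returned title: " + unmarshalDefault(payload).getTitle());
        System.out.println("hardened parser, benign document: " + unmarshalHardened(benign).getTitle());
        try {
            unmarshalHardened(payload);
            System.out.println("hardened parser accepted the DOCTYPE (unexpected)");
        } catch (UnmarshalException e) {
            // Xerces reports the disallowed DOCTYPE as a SAXParseException wrapped by JAXB.
            System.out.println("hardened parser rejected the DOCTYPE: " + e.getCause());
        }
    }
}
```

The per-parser features are preferable to the global `entityExpansionLimit` system property mentioned in the thread: the property is JVM-wide and is easily reset by other code, while the feature flags travel with the reader you construct. In a Jersey deployment the hardened path belongs in a custom MessageBodyReader for application/xml so every resource benefits; the same SAXSource technique applies there unchanged.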