XXE in PwDatabaseV4

[prodigysml]

The Issue

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Where the Issue Occurred:

KeePassDX/app/src/main/java/com/kunzisoft/keepass/database/PwDatabaseV4.java

Lines 444 to 446 in ff6b0ee

	DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
	DocumentBuilder db = dbf.newDocumentBuilder();
	Document doc = db.parse(keyInputStream);

Remediation

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

[J-Jamet]

Thank you for this security reply. I will look at the solutions to make a patch. Do you have an example of a kdbx file with a link that will defeat the XML parser?

[nightbritenitelite]

Throwaway account, but wanted to put some info out there.

Overview

KeePassDX (as of now) does not have the required permissions for internet access (not sure about localhost - that is potentially another attack vector if KeePassDX does open itself up in any way over localhost of course).

This doesn't mean that KeePassDX isn't vulnerable to XXE attacks (it is), but when it comes to stealing passwords with this attack via sending payloads to an external server, the way in which an attack like this is conducted is severely limited.

On the other hand, MANY other attacks that utilize XXE-processing exploits are still possible, and aren't affected by the lack of internet access!

As a Side Note:
I don't have the time right now to create a test KDBX file, but I do know that with the way KeePassDX is handling XML via the DBF (Document Builder Factory), it is in-fact vulnerable to XXE (XML External Entity) processing attacks.

Hypothetical DOS Attack Example

One such attack would be a Denial of Service attack where the app would crash upon attempting to parse a KDBX file. The attack would assume that:

• The attacker has exploited a security whole within the attack vector, which not only includes KeePassDX but everything involving the KDBX file's device storage, device-to-device transferring, all types of access, etc.)
• Using this security whole, the attacker modifies the KDBX file to include something like the following:

...
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/block/loop0">]><foo>&xxe;</foo>
...

By referencing a device (/dev/*) that is inaccessible to non-root apps, a security exception will be thrown in KeePassDX, causing the app to crash (if unhandled).

This is just one of many potential attacks and attack vectors that XXE processing allows for.

Patching the Exploit:

The Android Developer documentation for the XMLConstants class only exposes one feature that we can turn off to prevent this attack (FEATURE_SECURE_PROCESSING). However, let it be noted that I have not tested to see if this feature was implemented correctly in the Android SDK. It is possible that the DocumentBuilderFactory's XML parser is not implemented correctly, and that it will still be vulnerable to an XXE-processing exploit, but while possible, it's improbable for this to be the case as it has been implemented since SDK Level 1.

Saying this, I highly suggest that this is checked (or further researched to see if this has been checked) before fully accepting the following solution. I also suggest researching more about this before you implement a fix for it and accept the fix as a fully-secure solution.

Nevertheless, here is the solution to be implemented for ALL database versions and their respective classes. The code may need to be refactored and an additional class added to handle this without needing to think about it when supporting future database versions, but this decision is left up to the community.

The Solution:
You should use DocumentBuilderFactory's setFeature(...) to disable XXE processing features like such:

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

// Disable certain unsecure XML-Parsing DocumentBuilderFactory features
try {
    dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (ParserConfigurationException) { } // Do something!

// The rest is used like normal...
DocumentBuilder db = dbf.newDocumentBuilder(); 
Document doc = db.parse(keyInputStream); 

Websites to look at:
Android Developer's Reference: DocumentBuilderFactory
OWASP XXE General Info
OWASP XXE Prevention Cheat Sheet
"XXE defence(les)s in JDK XML parsers"

[J-Jamet]

FEATURE_SECURE_PROCESSING points to unavailable file http://javax.xml.XMLConstants/feature/secure-processing

Can the file be recovered somewhere else?

[J-Jamet]

The suggested fix was added a long time ago. There is no reason for the XML to point to an external entity and even if it does (because added by another application, so already had access to the encrypted content before) there is no way to access it from the app that doesn't have permissions.