This repository has been archived by the owner on Jan 14, 2024. It is now read-only.
[CVE-2019-1000007] xso: fix parser error handling #268
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
guard() was incorrectly counting the depth when either of the
following was true:
- the error occured inside the first "start" event on which guard()
is used: in that case, guard() would fail to swallow the
corresponding "end" event.
- after an error, further elements appear in the stream before the
guard()-ed element is over. in that case, guard() would fail to
account for the "start" events caused by those events, and thus
let its depth counter go entirely out-of-sync with the XML tree
If this flaw is combined with the use of a supressing
xso_error_handler, it is possible to make elements appear higher
up in the XML stream tree than they actually are; this implies
that it is possible to inject elements in the XML stream.
It requires very specific circumstances for an application to be
vulnerable. Example of a vulnerable XSO definition is:
class Baz(aioxmpp.xso.XSO):
TAG = ("https://xmlns.zombofant.net/aioxmpp/test", "baz")
class Bar(aioxmpp.xso.XSO):
TAG = ("https://xmlns.zombofant.net/aioxmpp/test", "bar")
validated = aioxmpp.xso.Attr(
"foo",
type_=aioxmpp.xso.JID()
)
children = aioxmpp.xso.ChildList([Baz])
@aioxmpp.IQ.as_payload_class
class Foo(aioxmpp.xso.XSO):
TAG = ("https://xmlns.zombofant.net/aioxmpp/test", "foo")
child = aioxmpp.xso.Child([Bar])
def xso_error_handler(self, descriptor, ev_args, exc_info):
return True
If an attacker sends:
<iq ... type='result'><foo xmlns='https://xmlns.zombofant.net/aioxmpp/test'><bar foo='"@bar'><baz/><baz/><baz/></bar></foo></iq>
to an application, it will see the "end" event of the </iq> *on the
stream level*, breaking the XML stream (because it expects a
"start" event instead of an "end" event).
More sophisticated attacks could be used to make an element appear
on the stream level instead, which would open the possibility of
injecting, for example, <message> stanzas remotely into the stream
of a vulnerable aioxmpp client, with arbitrary sender.
horazont
added
the
bug
|
Backport prepared as f151f92. |
|
Backport released in v0.10.3. |
|
This has been assigned CVE-2019-1000007. |
horazont
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Needs backport to 0.10!
guard() was incorrectly counting the depth when either of the following was true:
the error occured inside the first "start" event on which guard() is used: in that case, guard() would fail to swallow the corresponding "end" event.
after an error, further elements appear in the stream before the guard()-ed element is over. in that case, guard() would fail to account for the "start" events caused by those events, and thus let its depth counter go entirely out-of-sync with the XML tree
If this flaw is combined with the use of a supressing
xso_error_handler, it is possible to make elements appear higher up in the XML stream tree than they actually are; this implies that it is possible to inject elements in the XML stream.It requires very specific circumstances for an application to be vulnerable. Example of a vulnerable XSO definition is:
If an attacker sends (formatted for readability):
to an application which has the above XSO definition loaded, it will see the "end" event of the
</iq>on the stream level, breaking the XML stream (because it expects a "start" event instead of an "end" event).More sophisticated attacks could be used to make an element appear on the stream level instead, which would open the possibility of injecting, for example,
<message>stanzas remotely into the stream of a vulnerable aioxmpp client, with arbitrary sender.