CWE-776 DTD中递归实体索引的不恰当限制(XML实体扩展)
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: Medium
基本描述
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
扩展描述
If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 674 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 674 cwe_View_ID: 1003 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 674 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 409 cwe_View_ID: 1000
-
cwe_Nature: ChildOf cwe_CWE_ID: 409 cwe_View_ID: 699
适用平台
Language: {'cwe_Name': 'XML', 'cwe_Prevalence': 'Undetermined'}
Paradigm: {'cwe_Name': 'Web Based', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Availability | DoS: Resource Consumption (Other) | If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources. |
可能的缓解方案
Operation
策略:
If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
Implementation
策略:
Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
示例代码
例
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
attack XML
<!DOCTYPE MaliciousDTD [
<!ENTITY ZERO "A">
<!ENTITY ONE "&ZERO;&ZERO;">
<!ENTITY TWO "&ONE;&ONE;">
...
<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
]>
<data>&THIRTYTWO;</data>
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-2008-3281 | XEE in XML-parsing library. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3281 |
| CVE-2011-3288 | XML bomb / XEE in enterprise communication product. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3288 |
| CVE-2011-1755 | "Billion laughs" attack in XMPP server daemon. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1755 |
| CVE-2009-1955 | XML bomb in web server module | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955 |
| CVE-2003-1564 | Parsing library allows XML bomb | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1564 |
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| WASC | 44 | XML Entity Expansion |