SSD Advisory – Oracle Java and Apache Xerces PDF/Docx Server Side DoS

Credit to Author: SSD / Maor Schwartz| Date: Wed, 30 Aug 2017 19:11:43 +0000

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in Oracle Java JDK/JRE (1.8.0.131 and previous versions) packages and Apache Xerces (2.11.0)

The vulnerabilities are:

  • Oracle JDK/JRE Concurrency-Related Denial of Service
  • java.net.URLConnection (with no setConnectTimeout) Concurrency-Related Denial of Service

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
Oracle acknowledged receiving the report, and has assigned it a tracking number: S0876966. We have no further information on patch availability or a workaround.

Vulnerabilities Details
These two vulnerabilities can be triggered to cause a Denial of Service against a server, under the following conditions:

  • An attacker can pass an URL parameter that points to a controlled FTP server to the target
  • Target server uses vulnerable component(s) to fetch the resource specified by the attacker
  • Target server does not prevent fetching of FTP URI resources

In both vulnerabilities, the attack sequence is the following:

  1. Attacker forces vulnerable target server to parse an FTP URL which points to an attacker’s controlled FTP server
  2. Target server fetches FTP resource provided by attacker
  3. Attacker’s FTP server abruptly exits, leaving the Java process on target server with two internal threads in an infinite waiting status
  4. If the Java process is single-threaded, then it cannot further process any other client requests, reaching a Denial of Service condition with only one request from the attacker
  5. In case of a multi-threading process, then it is possible to use the same technique and reach a Denial of Service condition of all available threads, by issuing one request for each available thread

The attacker’s controlled FTP server has to “abruptly” exit when the Java client will perform a RETR FTP command. This behavior is not properly handled and causes a thread concurrency Denial of Service.

For example:

When triggered, the DoS will result in a CLOSE_WAIT status on the connection between the target server and the FTP server (192.168.234.134), leaving the Java process thread stuck.

Oracle JDK/JRE Concurrency-Related Denial of Service
The vulnerable functions are:

  • java.io.InputStream
  • java.xml.ws.Service
  • javax.xml.validation.Schema
  • javax.xml.JAXBContext
  • java.net.JarURLConnection – The setConnectionTimeout and setReadTimeout are ignored
  • javax.imageio.ImageIO
  • Javax.swing.ImageIcon
  • javax.swing.text.html.StyleSheet

java.io.InputStream Proof of Concept

javax.xml.ws.Service Proof of Concept

javax.xml.validation.Schema Proof of Concept

javax.xml.JAXBContext Proof of Concept

java.net.JarURLConnection Proof of Concept

javax.imageio.ImageIO Proof of Concept

javax.swing.ImageIcon Proof of Concept

javax.swing.text.html.StyleSheet Proof of Concept

java.net.URLConnection – Concurrency-Related Denial of Service
A Thread Concurrency Denial of Service condition exists when java.net.URLConnection is used to fetch a file from an FTP server without specifying a Connection Timeout value.

The vulnerable functions are:

  • javax.xml.parsers.SAXParser
  • javax.xml.parsers.SAXParserFactory
  • org.dom4j.Document
  • org.dom4j.io.SAXReader
  • javax.xml.parsers.DocumentBuilder
  • javax.xml.parsers.DocumentBuilderFactory

The Root Cause Issue in Apache Xerces is the com.sun.org.apache.xerces.internal.impl.XMLEntityManager.class

In this case, XMLEntityManager.class does not explicitly set Connection Timeout for the connect object, letting Java to set a default value of -1, leading to a Denial of Service condition, as explained below.

Example of code using Apache Xerces library to fetch an XML file from an FTP server:

SAXParser Proof of Concept

DOM4J / SAXReader Proof of Concept

JAVAX XML Parsers Proof of Concept

Print Friendly, PDF & Email

https://blogs.securiteam.com/index.php/feed