XML External Entity (XXE) Injection Vulnerability in Apache Batik (Java SVG Toolkit) ==================================================================================== Researcher: Kevin Schaller Description =========== Batik is a Java-based toolkit for applications or applets that want to use images in the Scalable Vector Graphics (SVG) format for various purposes, such as display, generation or manipulation. [1] Batik offers several classes for svg to png/jpg conversion, which suffer from a XML External Entity Injection due to the evaluation of external entities within the given svg file. If an application offers the possibility to upload a svg file an attacker can put in a malicious formed file and retrieve sensitive information such as the content of files of the respective server. The type of file that can be retrieved depends on the user context in which the application is running. Further information about the vulnerability can be seen here [2] and here [3]. Exploitation Technique: ======================= Remote Severity Level: =============== Medium CVSS Base Score =============== 6.4 (AV:N / AC:L / Au:N / C:P / I:N / A:P) CVE-ID ====== CVE-2015-0250 Impact ====== Files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed svg files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is 'root' a full compromise of the server--including confidential or sensitive files--would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack. Proof of Concept ================ A fully documented proof of concept can be downloaded here: [4] Mitigation ========== Upgrade to Batik 1.8+ Affected Versions ================= All versions 1.0 - 1.7 (current) Timeline ======== 2015-01-22: Apache informed via email - no response 2015-02-08: Remainder sent via email 2015-02-10: Vulnerability confirmed and fix has been tested and confirmed to work 2015-03-17: Release of a fixed version and public dislocure Credits ======= Timo Schmid References ========== [1] http://xmlgraphics.apache.org/batik/ [2] http://www.insinuator.net/2015/03/xxe-injection-in-apache-batik-library-cve-2015-0250/ [3] https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing [4] https://www.ernw.de/download/xxe_batik.tar.xz Disclaimer ========== The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/ distributor be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. -- Kevin Schaller ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de Tel. +49 6221 480390 (Zentrale) - Fax +49 6221 419008 - Cell +49 151 16227194 Handelsregister Mannheim: HRB 337135 Geschaeftsfuehrer: Enno Rey ============================================================== || Blog: www.insinuator.net | | Conference: www.troopers.de || ==============================================================