Multiple vendor SOAP server (XML parser) denial of service (DTD parameter entities)

From: Amit Klein (Amit.Klein_at_SanctumInc.com)
Date: 12/11/03

    Date: Thu, 11 Dec 2003 19:58:17 +0200
    To: BugTraq@SecurityFocus.com, news@securiteam.com
    
    

    ///////////////////////////////////////////////////////////////////////////////
    //==========================>> Security Advisory <<==========================//
    ///////////////////////////////////////////////////////////////////////////////

    --------------------------------------------------------------------------------
    -----[ Multiple vendor SOAP server (XML parser) denial of service
                           (DTD parameter entities)
    --------------------------------------------------------------------------------

    --[ Author: Amit Klein, Sanctum inc. http://www.SanctumInc.com

    --[ Vendors alerted: August 28th, 2003

    --[ Release Date: December 11th, 2003

    --[ Product:
     
    IBM WebSphere 5.0.0 (even when patched with "old" PQ70921)

    Microsoft ASP.NET Web Services (.NET framework 1.0, .NET framework 1.1)

    ... And probably other products which use XML parsers
     
    --[ Severity: High

    --[ CVE: N/A

    --[ Description

    The DTD part of the XML document enables the document to define parameter
    entities, which are used (only) inside the DTD as a short name for repeating
    DTD definitions. An attacker can send a specially crafted SOAP request,
    which makes use of parameter entities to inflict a denial of service
    condition on the server. In some cases, the parser returns an out-of-memory
    error after a long while. In some other cases, the CPU load remains stable
    at 100% for as long as the process keeps running. Another effect is that
    memory (hundreds of megabytes) was not freed even when the CPU load dropped
    and a response was issued.

    --[ Solution

    IBM WebSphere 5.0.0 - IBM has released a new version of PQ70921, which
    can be found at
    http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ70921&uid=swg24005582
    Apply the new patch PQ70921 (even if it was applied earlier).

    Microsoft ASP.NET Web Services - Microsoft has released an update to the
    .NET Framework. It is documented in Knowledge Base article 826231, at the
    following URL:
    http://support.microsoft.com/default.aspx?kbid=826231
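
Added example, not part of the original advisory and not either vendor's fix: SOAP 1.1 states that a SOAP message must not contain a Document Type Declaration, so an endpoint can refuse any request carrying a DOCTYPE before the DTD and its parameter entities are processed. The sketch below does this with Python's expat binding; the function names and both sample payloads are constructed for illustration.

```python
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when a request contains a document type declaration."""


def parse_soap_without_dtd(payload: bytes) -> list[str]:
    """Parse payload and return its element names in document order.

    The DOCTYPE handler fires when the parser reaches <!DOCTYPE ...>;
    raising there aborts the parse before any entity declared in the
    DTD is read or expanded.
    """
    names: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE '{name}' rejected")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(payload, True)
    return names


def is_acceptable(payload: bytes) -> bool:
    """True only for well-formed XML that carries no DTD."""
    try:
        parse_soap_without_dtd(payload)
        return True
    except (DtdNotAllowed, xml.parsers.expat.ExpatError):
        return False


# Constructed sample requests (harmless; hypothetical "ping" operation).
ENVELOPE = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soap:Body><ping/></soap:Body></soap:Envelope>"
)
CLEAN = b'<?xml version="1.0"?>' + ENVELOPE
# Same envelope preceded by a DTD declaring one benign parameter entity.
WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Envelope [<!ENTITY % p "<!ELEMENT ping ANY>"> %p;]>' + ENVELOPE
)

if __name__ == "__main__":
    for label, body in (("clean", CLEAN), ("with DTD", WITH_DTD)):
        print(label, "->", "accepted" if is_acceptable(body) else "rejected")
```

A filter like this complements the vendor patches listed above; it does not replace them.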

     

