XSECT 2.15

On July 12th 2007 Bradly Hill from iSEC Partners (http://isecpartners.com/ ) published a command injection attack in the context of XML Signature and Encryption:

http://www.isecpartners.com/files/XMLDSIG_Command_Injection.pdf

Brad Hill made a draft of his paper available to SIC/IAIK end of February 2007 (thanks to Brad), so that SIC/IAIK was able to develop countermeasures against this attack and release a patch version of its XML Security Toolkit XSECT end of March 2007. Immediately after this release IAIK informed all customers concerned. Now – after Brad Hill has officially published his paper – we can make our customer notification available to the public audience:

We have been informed about a critical attack regarding XLST processing. We examined the Xalan stylesheet processor in its default configuration and found that applications based on this library may be vulnerable to this attack, which may allow execution of arbitrary code. Versions 1.10 and higher of our XSECT library contain countermeasures to block this kind of attack in the context of XML Signature and Encryption. Please note that the problem is NOT located in the XSECT library. Any application that uses Xalan for stylesheet transformations may be affected. Besides the upgrade of XSECT, we highly recommend a review of any Xalan-based application.

On request, customers of the older IXSIL library can also get a maintenance release that contains similar countermeasures.

It is advisable to fix vulnerable applications as soon as possible. Inside stylesheet transformations, Apache Xalan supports certain non-standard extensions of the stylesheet language. The support for these extensions is enabled by default. Applications that use stylesheets from unknown sources may be vulnerable to this attack. An attacker who can trick an application to process a chosen stylesheet can execute arbitrary code with the rights of the application containing Xalan. Applications that create or verify XML signatures with stylesheet transformations in their references, e.g. to transform XML data into HTML text, can be susceptible. An attacker may send an XML signature to a service that automatically verifies the signature. During verification it may execute any included stylesheets. This stylesheet, however, can include arbitrary code that Apache Xalan will execute. Newer versions of Apache Xalan allow disabling these extension features as a countermeasure. XSECT version 1.10 disables these extensions in newer versions of Xalan and includes additional countermeasures for older versions of Xalan.

The following demo is to show the use of the ECDSA in XMLDSIG and was created in reply to a newsgroup posting.

The following demo is to show the use of the URIDereferencer, and how to work without a URI inside and was created in reply to a newsgroup posting.

You will have to download the evaluation versions of IAIK’s JCE and XSECT and copy the following jar files into the same directory as the demo jar file.

• xalan-2_5_1.jar
• xercesImpl-2_5_0.jar
• xml-apis.jar
• iaik_jce.jar
• iaik_xsect.jar

Then run java -jar XSECT-Demo-NG20060713.jar , to get debug output you can also create a debug.flag file in the same directory by typing ‘echo “”
> debug.flag’ on your command line and then run the demo again.