One Article Review

Home - The article:
Source: Code White
Identifier: 351856
Publication date: 2015-08-24 13:25:17 (seen: 2015-08-24 13:25:17)
Title: CVE-2015-3269: Apache Flex BlazeDS XXE Vulnerability
Text:
In a recent Product Security Review, Code White researchers discovered an XXE vulnerability in Apache Flex BlazeDS/Adobe (see ASF Advisory). The vulnerable code can be found in the BlazeDS Remoting/AMF protocol implementation. All versions before 4.7.1 are vulnerable. Software products providing BlazeDS Remoting destinations might also be affected by the vulnerability (e.g. Adobe LiveCycle Data Services, see APSB15-20).

Vulnerability Details
An AMF message has a header and a body. To parse the body, the method readBody() of AmfMessageDeserializer is called. In this method, the targetURI, the responseURI and the length of the body are read. Afterwards, the method readObject() is called, which eventually calls the method readObject() of an ActionMessageInput instance (either Amf0Input or Amf3Input). In the case of an Amf0Input instance, the type of the object is read from the next byte. If the type has the value 15, the following bytes of the body are parsed in the method readXml() as a UTF string. The XML string is passed to the method stringToDocument of the class XMLUtil, where the Document is created using a DocumentBuilder. When a DocumentBuilder is created through the DocumentBuilderFactory, external entities are allowed by default. The developer needs to configure the parser to prevent XXE.

Exploitation
Exploitation is easy, just send the XXE vector of your choice.
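The root cause described above is a DocumentBuilderFactory used with its defaults. The following is an added example (not BlazeDS code and not from the Code White post) that puts the default parser configuration next to a hardened one; the class and method names are hypothetical, and the sample document is constructed with an internal entity only so it runs offline.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XmlParserHardening {

    // Same pattern as a default DocumentBuilderFactory: DOCTYPE declarations
    // and external entities are accepted, so untrusted XML can trigger XXE.
    static Document parseWithDefaults(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    // Hardened: reject DOCTYPE outright, and additionally switch off external
    // entity resolution and external DTD/schema access as defence in depth.
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE with an internal entity, no network access needed.
        String withDoctype = "<!DOCTYPE d [<!ENTITY e \"expanded\">]><d>&e;</d>";

        // The default parser expands the entity and returns "expanded".
        System.out.println("defaults: " + parseWithDefaults(withDoctype).getDocumentElement().getTextContent());

        // The hardened parser refuses the document as soon as it sees the DOCTYPE.
        try {
            parseHardened(withDoctype);
        } catch (SAXParseException e) {
            System.out.println("hardened: rejected -> " + e.getMessage());
        }

        // Ordinary XML without a DOCTYPE still parses with the hardened configuration.
        System.out.println("hardened plain: " + parseHardened("<d>ok</d>").getDocumentElement().getTextContent());
    }
}
```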
Sent: Yes


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.