BannerPortlet

Blogs

By MinhBQ

Recently, several dangerous vulnerabilities have been found in many xml processing libraries. Among these vulnerabilities, one is in the libxml2, an open source library for Gnome (http://xmlsoft.org/). libxml2 runs on different platforms and is used in a variety of popular softwares and systems.

In fact, I paid attention to libxml2's vulnerabiltity because I sometimes use this library for my applications. I, therefore, tried writing demo exploit code.

From the patch of Gnome and other sources of information, I learned that the bug lies in the following function of parser.c source code: xmlParseElementChildrenContenDecl().

The name of this function reveals that the vulnerability is in the processing of DTD ELEMENT declaration in xml files. Let's examine the code of the patch for libxml2:

-xmlElementContentPtr

-xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {

+static xmlElementContentPtr

+xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,

+ int depth) {

xmlElementContentPtr ret = NULL, cur = NULL, last = NULL, op = NULL;

const xmlChar *elem;

xmlChar type = 0;

+ if (((depth > 128) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||

+ (depth > 2048)) {

+ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,

+"xmlParseElementChildrenContentDecl : depth %d too deep, use XML_PARSE_HUGE\n",

+ depth);

+ return(NULL);

+ }

The fixed function has more a parameter (depth). So, I guested the error is an over-deep ELEMENT declaration and the result is the recursive call will consume all the stack memory, causing the program to completely crash.

Applications using libxml2, when calling xml file load functions (xmlReadFile, xmlParseFile…), can make these functions crash.

Leave a Reply

Name (required)
Mail (hidden) (required)
Website
Text to Identify
Reload-Capcha
CAPTCHA Code *

Popup Date Time Portlet

Blogs Aggregator

Recent Posts

Blog Category Portlet

Categories

Store Portlet

Archives

Vote Baby Portlet