Jdeveloper 11.1.1.4
We had a security audit on our ADF application and one of the vulnerabilities found was an XML recursive entity expansion vulnerability from the login button, AKA the "billion laughs" DoS attack.
The parser used is
weblogic.xml.jaxp.RegistryDocumentBuilder
The WebLogic JVM is configured with these parameters:
org.xml.sax.driver=weblogic.xml.jaxp.RegistryXMLReader
org.xml.sax.parser=weblogic.xml.jaxp.RegistryParser
Is there a weblogic configuration parameter that can be set to limit entity expansion?
The weblogic.xml.jaxp.RegistryDocumentBuilder parse method is called from DefaultMarshalingService, which expands this DOCTYPE entity to 300,000 characters:
<!DOCTYPE foo [<!ENTITY lol "lol"><!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"><!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"><!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"><!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">]><m xmlns="http://oracle.com/richClient/comm"><k v="type"><s>&lol5;</s></k></m>
Details of the vulnerability
1 Unrestricted XML Entity Expansion
CVSS: 7.1
Risk: High
The XML parser used by the application to process input fields allows user-supplied document type declarations (DTDs). Consequently, an attacker can abuse this feature to cause a denial of service condition on the web server through the use of XML entity expansion attacks.
An example modified request with the exploit inserted in red.
=&org.apache.myfaces.trinidad.faces.FORM=loginForm&javax.faces.ViewState=!4
i0dvg2x&oracle.adf.view.rich.DELTAS={d1%3a%3amsgDlg%3d{titleIcon
Source%3dhttps%3a//11.254.250.200/app/afr/error.png,title%3dEr
ror}}&event=loginBtn&event.loginBtn=<!DOCTYPE+foo+[<!ENTITY+lol+
"lol"><!ENTITY+lol1+"%26lol%3b%26lol%3b%26lol%3b%26lol%3b%26lol%
3b%26lol%3b%26lol%3b%26lol%3b%26lol%3b%26lol%3b"><!ENTITY+lol2+"
%26lol1%3b%26lol1%3b%26lol1%3b%26lol1%3b%26lol1%3b%26lol1%3b%26l
ol1%3b%26lol1%3b%26lol1%3b%26lol1%3b"><!ENTITY+lol3+"%26lol2%3b%
26lol2%3b%26lol2%3b%26lol2%3b%26lol2%3b%26lol2%3b%26lol2%3b%26lo
l2%3b%26lol2%3b%26lol2%3b"><!ENTITY+lol4+"%26lol3%3b%26lol3%3b%2
6lol3%3b%26lol3%3b%26lol3%3b%26lol3%3b%26lol3%3b%26lol3%3b%26lol
3%3b%26lol3%3b"><!ENTITY+lol5+"%26lol4%3b%26lol4%3b%26lol4%3b%26
lol4%3b%26lol4%3b%26lol4%3b%26lol4%3b%26lol4%3b%26lol4%3b%26lol4
%3b">]><m+xmlns%3d"http%3a//oracle.com/richClient/comm"><k+v%3d"
type"><s>%26lol5%3b</s></k></m>
The following screenshot demonstrates that the above login request takes approximately 20 times longer to process than a normal login request. With additional entity expansions, an attacker could bring down the web server completely.
Best Practice
Configure the XML parser to not process DTDs in the <!DOCTYPE> declaration. In addition, URI resolution should be disabled to prevent external entity attacks and denial of service conditions caused by hung requests.
This issue appears to be a vulnerability in Oracle’s Application Development Framework (ADF). If
that is the case, consider using a web application firewall to block malicious requests until Oracle
issues a patch.
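As an added example (not code from this post, the audit report, or Oracle's ADF/WebLogic code), this is how the audit's "do not process DTDs" advice is normally implemented on a standard JAXP DocumentBuilderFactory: refuse any DOCTYPE outright, and disable external entities and DTD loading as a second layer. The feature URIs are the standard Xerces/JAXP ones; it is an assumption that weblogic.xml.jaxp.RegistryDocumentBuilder (which delegates to the registered parser) honours them, and the hardening would have to be applied wherever DefaultMarshalingService obtains its builder, which this example does not show. The class name, method names and the sample messages are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Builds a DocumentBuilder that rejects any DOCTYPE declaration, so neither
    // internal entity expansion (the "lol" chain from the audit) nor external
    // entities are ever processed. setFeature throws ParserConfigurationException
    // if the underlying parser does not support a feature, so a parser that cannot
    // be hardened fails loudly at startup rather than silently parsing DTDs.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Primary control: a DOCTYPE in the input is a parse error.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a DOCTYPE were ever allowed through:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true when the message parsed, false when the hardened parser
    // rejected it. A rejected login message should be answered with an error,
    // never retried with a more permissive parser.
    public static boolean parsesSafely(String xml) throws Exception {
        try {
            Document d = newHardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the shape of the ADF client message from the post.
        String normal = "<m xmlns=\"http://oracle.com/richClient/comm\">"
            + "<k v=\"type\"><s>login</s></k></m>";
        // Two levels of the entity chain quoted in the audit finding are enough
        // to show the DOCTYPE is refused before any expansion happens.
        String bomb = "<!DOCTYPE foo [<!ENTITY lol \"lol\">"
            + "<!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">]>"
            + "<m xmlns=\"http://oracle.com/richClient/comm\">"
            + "<k v=\"type\"><s>&lol1;</s></k></m>";
        System.out.println("normal message parses: " + parsesSafely(normal));
        System.out.println("entity-expansion message parses: " + parsesSafely(bomb));
    }
}
```

Two notes on applying this in the situation the post describes. First, the JDK's bundled parser also honours the JVM-wide system property jdk.xml.entityExpansionLimit (for example -Djdk.xml.entityExpansionLimit=1000 on the server's start command), which caps the number of entity expansions per document; that is a useful belt-and-braces setting, but it is an assumption that the WebLogic registry parser configured through org.xml.sax.driver and org.xml.sax.parser respects it, so it should be verified by replaying the audit's request against a test instance rather than taken for granted. Second, until the parser itself is fixed, a login request whose event.loginBtn parameter contains a DOCTYPE declaration has no legitimate reason to exist, so the WAF rule the audit recommends can simply reject any request body carrying "<!DOCTYPE" (URL-encoded or not) on that endpoint, and the same match makes a good alert condition for the SOC.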