Codenomicon has helped fix multiple critical flaws in popular XML libraries, including implementations from Sun Microsystems, Apache Software Foundation, and Python.
The company discovered the vulnerabilities in early 2009 as part of the development of a new product for XML testing. When XML libraries were subjected to tests, multiple vulnerabilities were quickly identified in parsing XML data.
The vulnerabilities could be exploited by enticing a user to open a specifically crafted XML file, or by submitting malicious requests to web services that handle XML content. The impact of the discovered vulnerabilities varies from DoS attacks to potential execution of malicious code on affected systems.
After the vulnerabilities had been found, Codenomicon worked together with CERT-FI (Finnish National Computer Emergency Response Team) to coordinate the remediation of the found issues with the affected vendors. In addition to Sun, Apache, and Python, a few other projects are expected to announce their fixes at a later time.
“XML implementations are ubiquitous – they are found in systems and services where one would not expect to find them”, says Erka Koivunen, Head of CERT-FI. “For us it is crucial that end users and organizations who use the affected libraries upgrade to the new versions. This announcement is just the beginning of a long remediation process that ends only when the patches have been deployed to production systems”, Koivunen continues.
XML has come a long way from the days when it provided support for just a few applications and file formats. Today, XML is used in .NET, SOAP, VoIP, Web Services, industrial automation (SCADA) and even banking infrastructure. The new advancements in XML fuzzing have led to the discovery of vulnerabilities and defects in important applications that are deployed in business-critical environments.
XML fuzzing takes XML message structures and alters them in ways beyond imagination. Breaking encodings, repetition of tag elements, dropping tags and elements, using recursive structures, overflows or special characters, and many other techniques will easily corrupt communications. The result can be a DoS situation, corruption of data, or even a situation where hostile code can be executed on a vulnerable host.