Security problems with crafted XML signatures
Web services can become a security problem, according to a presentation at the Black Hat conference. To ensure the integrity of XML data exchanged between servers and clients, XML digital signatures (XMLDSIG) are used. XML signatures differ from the normal ASN.1 syntax of X.509 certificates in being easier to process and to link to content. Unfortunately, as Brad Hill of iSec demonstrates in his presentation, XML signature processing can sometimes present problems. In particular, Extensible Stylesheet Language Transform (XSLT), which transforms documents so that they can be presented in different output formats, turns out to be a source of trouble.
XSLT style sheets, which can be contained within signatures, can cause servers to execute arbitrary code if they are read by a faulty parser. Hill names two containers within XMLDSIG - KeyInfo and SignedInfo - whose manipulation can be used for attacks. Back in July, Hill published a study of web application security and attacks using crafted signatures which, however, received little attention. Nevertheless, Sun felt compelled to release a new version of Java in order to fix this kind of vulnerability in its products. Sun has now followed up by releasing an update for its Java System Portal Server Software 7.0 for Sparc, Linux and x86. Versions 6.3.1 and earlier and versions 7.1 and 7.1u1 are not affected.
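The defensive consequence of Hill's finding is that a verifier should refuse a signature carrying XSLT before any signature library processes it. The following is an added example, not code from the article, from Brad Hill or iSec, or from Sun or IAIK: a pre-verification filter that walks the SignedInfo, KeyInfo and Object parts of each Signature, rejects the XSLT transform algorithm and any xsl:* element, and only accepts transforms on an allow-list. The allow-list and the sample documents are constructed for this example; the namespace and algorithm URIs are the ones defined by the XMLDSIG and XSLT specifications.

```python
"""Added example: reject XMLDSIG signatures that carry XSLT before verification."""
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
TRANSFORM_TAG = f"{{{DSIG_NS}}}Transform"
# Transform algorithm identifier for XSLT, as defined by the XMLDSIG spec
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"
# Allow-list of transforms this verifier accepts (assumption: a policy chosen
# for this example, not a list taken from any standard or product)
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
}
# The two containers Hill names, plus Object, which can also hold a Manifest
CONTAINERS = ("SignedInfo", "KeyInfo", "Object")


def _scan(el, container, issues):
    """Walk one container recursively and record anything XSLT-related."""
    if el.tag == TRANSFORM_TAG:
        alg = el.get("Algorithm", "")
        if alg == XSLT_TRANSFORM:
            issues.append(f"{container}: XSLT Transform")
            return  # the style sheet below it is the finding; no need to descend
        if alg not in ALLOWED_TRANSFORMS:
            issues.append(f"{container}: transform not on allow-list: {alg}")
    elif el.tag.startswith("{" + XSLT_NS + "}"):
        # an xsl:* element placed outside a Transform (KeyInfo permits foreign elements)
        issues.append(f"{container}: XSLT element xsl:{el.tag.split('}', 1)[1]}")
        return
    for child in el:
        _scan(child, container, issues)


def find_signature_issues(xml_text):
    """Return findings for every Signature in the document; empty list means clean."""
    # For untrusted input in production, parse with defusedxml rather than the stdlib.
    root = ET.fromstring(xml_text)
    issues = []
    for sig in root.iter(f"{{{DSIG_NS}}}Signature"):
        for name in CONTAINERS:
            for part in sig.iter(f"{{{DSIG_NS}}}{name}"):
                _scan(part, name, issues)
    return issues


def safe_to_verify(xml_text):
    """Gate to call before handing the document to the signature library."""
    return not find_signature_issues(xml_text)


# Constructed sample documents (digest and signature values are placeholders).
CLEAN_SIGNED = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
</ds:Signature>"""

# Same signature with a harmless marker style sheet in a SignedInfo Transform
XSLT_IN_SIGNEDINFO = CLEAN_SIGNED.replace(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>',
    '<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">'
    '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">'
    '<xsl:template match="/"><xsl:text>marker</xsl:text></xsl:template>'
    '</xsl:stylesheet></ds:Transform>')

# Same signature with an XSLT transform attached to a KeyInfo RetrievalMethod
XSLT_IN_KEYINFO = CLEAN_SIGNED.replace(
    "</ds:SignatureValue>",
    '</ds:SignatureValue><ds:KeyInfo><ds:RetrievalMethod URI="#cert"><ds:Transforms>'
    '<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"/>'
    '</ds:Transforms></ds:RetrievalMethod></ds:KeyInfo>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SIGNED), ("signedinfo", XSLT_IN_SIGNEDINFO),
                       ("keyinfo", XSLT_IN_KEYINFO)):
        print(label, "->", find_signature_issues(doc) or "ok")
```

The filter deliberately treats the transform list as an allow-list rather than a block-list: a verifier that only knows to reject the XSLT URI will still run whatever other transform a library happens to support, so accepting only the handful of transforms an application actually needs is the sturdier policy.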
In his analysis, Hill cites versions of the XML Security Toolkit (XSECT) prior to version 1.10, produced by the Institute for Applied Information Processing and Communication, as a vulnerable product. The organisation's XML Signature Library (IXSIL) also contained the bug. The Institute for Applied Information Processing and Communication (IAIK) supplied updates for IXSIL and XSECT in March. Whether applications from other vendors are affected by the problem remains unknown at present.
- Command Injection in XML Signatures and Encryption, report by Brad Hill
- A Security Vulnerability in Processing XSLT Style Sheets Affects Sun Java System Portal Server Software 7.0, security advisory by Sun