MediaWiki is vulnerable to XML quadratic blowup attacks
Closed, ResolvedPublic

Description

When xml_parse is used to process xml, and the data is buffered (like we do in XmlTypeCheck and XMPReader), it can exhaust memory up to php's configured memory_limit.


Version: unspecified
Severity: normal

Type: DoS
CVE: CVE-2015-2937

Details

Reference
bz69210
bzimport set Reference to bz69210.
bzimport changed Security from none to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "Security (Project)". · View Herald TranscriptNov 22 2014, 3:41 AM
Restricted Application changed the edit policy from "All Users" to "Security (Project)". · View Herald Transcript
csteipp created this task.Aug 6 2014, 11:14 PM
Restricted Application changed the visibility from "Security (Project)" to "Custom Policy". · View Herald TranscriptNov 24 2014, 9:27 PM
Restricted Application changed the edit policy from "Security (Project)" to "Custom Policy". · View Herald Transcript

While investigating T85848, realized that yes, we are vulnerable to this.

In the most basic attack where all of the entities are in the text of a single element, it results in a String size overflow when the size gets over 2GB. If the entities are grouped into elements so no string is longer than 2GB, then zend eventually bails with zend_mm_heap corrupted.

The fix for T85848 should fix this (require resource limits before doing xml parsing). I'm not sure if that's more or less ugly than wordpress removing the DOCTYPE section before processing.

Demo of standard quadratic blowup, divided up so no string exceeds 2GB:

I'm not sure if that's more or less ugly than wordpress removing the DOCTYPE section before processing.

For reference, https://core.trac.wordpress.org/changeset/29404.

We could probably get away with that when we're just trying to figure out if the file is xml (MimeMagic's use of XmlTypeCheck), but we obviously have to leave entity expansion in for SVG filtering.

csteipp changed the title from "Check "XML Quadratic Blowup Attack"" to "MediaWiki is vulnerable to XML quadratic blowup attacks".Mar 19 2015, 8:59 PM
csteipp edited the task description. (Show Details)

XMLReader sanely stops parsing the xml when the expansion gets too big (around 15KB of entities for attributes, and somewhere between 50-100KB of entities in the body). xml_parse (under zend) stops parsing after about 10KB of entities, but when the entities are in the xml body, it keeps processing the expansion until it finishes. When the xml body data is added to a string in php, the string can either cause php to hit the memory limit, overflow the string length limit, or if memory_limit isn't set below the available memory zend quits and complains about heap corruption.

With the patch for T88310, svg parsing uses XMLReader so it's safe. XMP parsing is vulnerable without the patch from T85848. We can either backport the XMP patch to address this, or ensure memory_limit is set before parsing XMP blocks. Backporting the full XMP patch is probably easiest.

csteipp closed this task as "Resolved".Mar 28 2015, 5:17 AM
csteipp claimed this task.

With the patch for T88310, svg parsing uses XMLReader so it's safe. XMP parsing is vulnerable without the patch from T85848. We can either backport the XMP patch to address this, or ensure memory_limit is set before parsing XMP blocks. Backporting the full XMP patch is probably easiest.

Backported the XMP patch from T85848 to all branches, so both zend and hhvm are safe against this now.

csteipp changed the visibility from "Custom Policy" to "Custom Policy".Mar 31 2015, 12:35 PM
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2015, 9:14 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.
csteipp edited the task description. (Show Details)Apr 9 2015, 10:56 PM