=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2009-01-05-1
-------------------------------------------------------------------------
ASPR #2009-01-05-1: XML Entity Explosion in Ruby
=========================================================================

Document ID: ASPR #2009-01-05-1-PUB
Vendor: Ruby (http://www.ruby-lang.org)
Target: Ruby REXML library
Impact: A vulnerability in the REXML library included in the Ruby
        Standard Library allows an attacker to remotely disable the
        web server
Severity: High
Status: Official patch available, workarounds available
Discovered by: Luka Treiber of ACROS Security

Current version
http://www.acrossecurity.com/aspr/ASPR-2009-01-05-1-PUB.txt


Summary
=======

There is a vulnerability in the REXML library included in the Ruby
Standard Library. A so-called "XML entity explosion" attack technique
can be used for remotely bringing down (disabling) any application
which parses user-provided XML using REXML. Most Rails applications
should be vulnerable because Rails parses user-provided XML with REXML
by default.


Product Coverage
================

=== 1.8 series

* 1.8.6-p287 and all prior versions
* 1.8.7-p72 and all prior versions

=== 1.9 series

* all versions

Note: Our tests were only performed on the above product versions.
Other versions may or may not be affected.


Analysis
========

An attacker can cause a denial of service by causing REXML to parse a
document containing recursively nested entities such as:

    ]> &a;

This XML implements a so-called "XML entity explosion" attack, i.e., a
recursive expansion of XML entities which consumes a large amount of
CPU and memory on the target. While parsing the XML, entity a is being
expanded into 10 entities b, each of which is expanded into 10 entities
c, and so on. In the end, 30 megabytes of memory are consumed - unless
the server decides to abort the processing or crashes under low memory
conditions. It would be trivial to upgrade this attack so as to consume
an unmanageable amount of memory.

The "Attack with parameter entities" works in a similar way, but using
parameter entities instead.

As a result, all Ruby on Rails servers prior to the patched version can
be easily taken down by small malicious requests.


Solution
========

Download the following monkey patch to fix this problem.

http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb

Then fix your application to load rexml-expansion-fix.rb before using
REXML:

    require "rexml-expansion-fix"
    ...
    doc = REXML::Document.new(str)
    ...

If you have a Rails application, copy rexml-expansion-fix.rb into a
directory on the load path (such as RAILS_ROOT/lib/), and put the
following line into config/environment.rb.

    require "rexml-expansion-fix"

If your application is Rails 2.1 or later, you can simply copy
rexml-expansion-fix.rb to RAILS_ROOT/config/initializers and it will be
required automatically.

By default, the XML entity expansion limit is 10000. You can change it
by setting REXML::Document.entity_expansion_limit, e.g.:

    REXML::Document.entity_expansion_limit = 1000

This fix has been made available as a gem and is used by future versions
of Rails, but users should take corrective action immediately.


Workarounds
===========

- Use another, non-vulnerable XML parser for parsing XML-formed POST
  requests.
- Developers may limit such attacks by only accepting requests from
  trusted clients.


References
==========

[1] http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/


Acknowledgments
===============

We would like to acknowledge Michael Koziarski [michael@koziarski.com]
and the Ruby team for professional handling of the identified
vulnerability.


Contact
=======

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web: http://www.acrossecurity.com
phone: +386 2 3000 280
fax: +386 2 3000 282

ACROS Security PGP Key
http://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
==========

The content of this report is purely informational and meant only for
the purpose of education and protection. ACROS d.o.o. shall in no event
be liable for any damage whatsoever, direct or implied, arising from use
or spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and
demonstrations are used only for explanatory purposes and have no
connection with any real host, company or individual. In no event
should it be assumed that use of these names means specific hosts,
companies or individuals are vulnerable to any attacks nor does it mean
that they consent to being used in any vulnerability tests. The use of
information in this report is entirely at user's risk.


Revision History
================

January 5, 2009: Initial release


Copyright
=========

(c) 2009 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]=====
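The entity_expansion_limit setting from the Solution section, exercised against a constructed nested-entity document of the shape the Analysis describes (a expands to 10 b, each b to 10 c): an added example, not code from the ACROS report or from the REXML project. It assumes the rexml library bundled with current Ruby; NESTED_ENTITY_XML and parse_with_limit are names chosen here.

```ruby
require "rexml/document"

# Constructed sample input (not the advisory's own document): entity a
# expands to 10 copies of b and each b to 10 copies of c, so forcing
# the root text triggers 1 + 10 + 100 = 111 entity expansions while the
# document itself stays small. The limit, not the byte count, is what
# must reject it.
NESTED_ENTITY_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE root [
    <!ENTITY c "ccc">
    <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
    <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  ]>
  <root>&a;</root>
XML

# Parses the document under the given expansion limit and forces the
# expansion of the root element's text (REXML expands lazily, on access).
# Returns [:ok, expanded_text_length] when REXML accepted the document
# and [:rejected, message] when REXML aborted because the limit was
# exceeded. REXML signals the abort with a plain RuntimeError (its
# ParseException is a RuntimeError subclass), so that is what we rescue.
# The previous limit is always restored because the setting is global.
def parse_with_limit(xml, limit)
  previous = REXML::Document.entity_expansion_limit
  REXML::Document.entity_expansion_limit = limit
  doc = REXML::Document.new(xml)
  text = doc.root.text
  [:ok, text.length]
rescue RuntimeError => e
  [:rejected, e.message]
ensure
  REXML::Document.entity_expansion_limit = previous
end

if __FILE__ == $PROGRAM_NAME
  # 111 expansions fit under the default limit of 10000 ...
  p parse_with_limit(NESTED_ENTITY_XML, 10_000)
  # ... but a limit of 50, well below the nesting fan-out, aborts
  # processing before the expansion completes.
  p parse_with_limit(NESTED_ENTITY_XML, 50)
end
```

A production limit should be sized to the largest legitimate document you expect, since the same check aborts benign documents that merely use many entities.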