Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. An attacker may be able to inject data that has an adverse effect on the XML parser while it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by the attacker, or allowing use of unintended system functionality. The attacker's goal is to leverage the parser failure to their advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
"A remote code execution vulnerability exists in the way that Microsoft Windows parses XML content. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.
In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted webpage that is used to exploit this vulnerability. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attacker's website." [R.484.2]
The client software crashes after visiting a URL downloaded from a hostile server.
Carefully validate and sanitize all user-controllable data prior to passing it to the XML parser routine. Ensure that the resultant data is safe to pass to the XML parser.
The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers.
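The first mitigation above, sketched as an added example that is not part of the CAPEC entry: a gate that streams server-supplied XML through Python's expat bindings and rejects oversized, DTD-bearing, deeply nested or malformed input before the application's own parser sees it. The limit values and the names `RejectedXML`, `validate_untrusted_xml` and `verdict` are hypothetical.

```python
import xml.parsers.expat

# Assumed limits for illustration; size them to the largest document the client expects.
MAX_BYTES = 1_000_000
MAX_DEPTH = 64
MAX_ELEMENTS = 50_000

class RejectedXML(ValueError):
    """Raised when server-supplied XML fails a pre-parse check."""

def validate_untrusted_xml(data: bytes) -> int:
    """Stream through data once; return the element count or raise RejectedXML."""
    if len(data) > MAX_BYTES:
        raise RejectedXML("document too large")
    state = {"depth": 0, "elements": 0}
    def on_doctype(name, system_id, public_id, has_internal_subset):
        # No DTD means no entity declarations and no external subset to fetch.
        raise RejectedXML("DOCTYPE not allowed")
    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > MAX_DEPTH:
            raise RejectedXML("nesting too deep")
        if state["elements"] > MAX_ELEMENTS:
            raise RejectedXML("too many elements")
    def on_end(name):
        state["depth"] -= 1
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)  # True marks the final chunk
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    return state["elements"]

def verdict(data: bytes) -> str:
    # Return "ok" or the rejection reason, suitable for logging.
    try:
        validate_untrusted_xml(data)
        return "ok"
    except RejectedXML as exc:
        return str(exc)

if __name__ == "__main__":
    # Constructed sample inputs: a benign feed and a document carrying a DTD.
    for sample in (b"<feed><item/></feed>", b'<!DOCTYPE a [<!ENTITY x "y">]><a>&x;</a>'):
        print(verdict(sample))
```

Passing the gate bounds only the size and shape of the input; the parser behind it still needs current patches, as the second mitigation states.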
[R.484.1] [REF-43] Shlomo, Yona. "XML Parser Attacks: A summary of ways to attack an XML Parser". What is an XML Parser Attack?. 2007. <http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html>.
[R.484.2] [REF-44] "Microsoft Security Bulletin MS13-002". Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution. Version 1.1. Microsoft Security Response Center Archive. Microsoft. January 8, 2013. <http://technet.microsoft.com/en-us/security/bulletin/ms13-002>.