Exposing External XML Entity Attacks in Android IntelliJ Plugin

Vanessa Henderson
Published in SourceClear
Aug 28, 2017


IntelliJ is an IDE that a lot of developers know and love. Not only does it provide an intuitive UI but it also gives us plugins for all the languages we love — including Android. One of our astute engineers was building the Android IntelliJ plugin when a commit message flicked past and caught his eye. The commit mentioned details on fixing an XXE vulnerability! Oh no! What exactly are XXE attacks, how do they affect IntelliJ, and what can I do about them? Let's dive deeper.

What are External XML Entity (XXE) attacks?

XML External Entity attacks can be conducted against applications which parse XML input without the correct precautions. As you may know, XML files are structured documents whose elements a server parses into objects. Most XML parsers are configured by default to process the document type definition (DTD) at the top of a document, including any external entities it declares. Attackers can leverage this by supplying a malicious DTD whose entities the parser resolves and substitutes into the document that the application then works with.

Potential impacts of XXE attacks

1. Information Disclosure

POST http://example.com/xml HTTP/1.1

<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY attack SYSTEM "file:///etc/passwd">
]>
<foo>
&attack;
</foo>

When the above request is sent to an endpoint that parses the XML, the entity &attack; expands to the contents of the /etc/passwd file. The same technique could target other files, or simply probe whether a given file exists on the system, thus resulting in information disclosure.

2. Denial of Service (DoS)

POST http://example.com/xml HTTP/1.1

<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar "Ha ">
<!ENTITY e1 "&bar;&bar;">
<!ENTITY e2 "&e1;&e1;&e1;&e1;">
<!ENTITY e3 "&e2;&e2;&e2;&e2;&e2;">
<!ENTITY e4 "&e3;&e3;&e3;&e3;&e3;">
]>
<foo>
This is how I laugh &e4;
</foo>

Take the above request as an example. Each entity is defined as several copies of the one below it, so when &e4; is referenced the parser expands it into five copies of &e3;, each of those into five copies of &e2;, and so on down to &bar;: the number of Ha’s printed grows exponentially with the nesting depth (here 2 × 4 × 5 × 5 = 200 copies). This form of XXE attack is commonly referred to as the “Billion Laughs attack”. If the attacker continued the pattern shown above, the expanded document could exhaust the parser’s memory and produce DoS conditions.

3. Remote Code Execution (RCE)

Using XXE attacks, remote code execution is possible. To perform such an attack, however, the stars have to align and the moon has to be waxing. By this I mean that the circumstances in which this type of attack is possible through an XXE flaw are few and far between. It has been seen in the wild though: in late 2013, a computer engineer from Brazil — Reginaldo Silva — found a remote code execution (RCE) flaw through XXE in Facebook.

What is happening with the IntelliJ plugin?!

On the 2nd of August, 2017, Dmitry Avdeev submitted a commit to the JetBrains adt-tools-base repository which contained fixes in multiple places for External XML Entity attacks. Prior to these commits, several of the common com.android.tools libraries located in Maven and used in the IntelliJ Android plugin did not restrict what entities could be parsed. This would have allowed attackers to declare document types and use them to access files or cause denial of service conditions.

Great! They fixed it then, right? Yes… but no. After the initial fix, a subsequent commit six days later reverted one of the fixes. The commit in question removed the restriction on document type declarations in:

common/src/main/java/com/android/utils/PositionXmlParser.java

It remains to be seen why this was reverted.

If you use libraries under the com.android.tools group ID, you should know that the library has yet to be updated on Maven. Fear not though! For SourceClear customers SVE 4902 contains the latest information and will be updated when a fixed version has been released.

How can I avoid XXE attacks?

External XML Entity attacks can easily be avoided by disabling doctype declarations. With a JAXP parser factory in Java (a DocumentBuilderFactory or SAXParserFactory), the code for this would look something like:

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

There are subtle nuances depending on the language and the parser that you are using. For detailed guidance on these nuances, OWASP has a great XXE Prevention Cheat Sheet.
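To make the mitigation concrete for both the Billion Laughs request above and the setFeature line just shown, here is an added, self-contained Java example (not code from the original post, SourceClear, or the adt-tools-base project). It builds one DocumentBuilderFactory with the JAXP defaults and one hardened with disallow-doctype-decl plus the defence-in-depth features the OWASP cheat sheet recommends, then feeds both a constructed document with nested internal entities. The class and method names are my own; the sample XML is constructed and kept tiny (eight "Ha"s) so it is safe to run.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Constructed sample: an internal DTD nested the way the Billion Laughs
    // request is, but cut off at two levels so it only expands to 8 x "Ha ".
    private static final String NESTED_ENTITY_XML =
        "<!DOCTYPE foo [\n"
      + "<!ELEMENT foo ANY>\n"
      + "<!ENTITY bar \"Ha \">\n"
      + "<!ENTITY e1 \"&bar;&bar;\">\n"
      + "<!ENTITY e2 \"&e1;&e1;&e1;&e1;\">\n"
      + "]>\n"
      + "<foo>&e2;</foo>";

    // Constructed sample: ordinary XML with no DOCTYPE, which must still parse.
    private static final String PLAIN_XML = "<foo>Ha</foo>";

    /** A factory with the JAXP defaults, i.e. DOCTYPE and entity expansion allowed. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** The hardened configuration: refuse any DOCTYPE, and additionally switch
     *  off external entity resolution for parsers that ignore the first feature. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE defeats external entities and entity bombs in one go.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth (feature URIs from the OWASP XXE Prevention Cheat Sheet).
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    /** Parses xml with the given factory and returns the root element's text,
     *  or null if the parser refused the document. */
    static String parseRootText(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement().getTextContent();
        } catch (SAXParseException rejected) {
            // With disallow-doctype-decl the parser stops at the DOCTYPE itself,
            // before any entity is expanded.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // The default parser expands the nested entities without complaint.
        String expanded = parseRootText(defaultFactory(), NESTED_ENTITY_XML);
        System.out.println("default parser:  " + expanded);

        // The hardened parser rejects the document at the DOCTYPE.
        String refused = parseRootText(hardenedFactory(), NESTED_ENTITY_XML);
        System.out.println("hardened parser: " + (refused == null ? "rejected DOCTYPE" : refused));

        // Ordinary documents are unaffected by the hardening.
        System.out.println("hardened parser on plain XML: " + parseRootText(hardenedFactory(), PLAIN_XML));
    }
}
```

Compile and run with a plain JDK (no extra dependencies); the default parser prints eight "Ha "s while the hardened one reports a rejected DOCTYPE, and the plain document parses under both. Note that the hardened factory's default error handler also logs the fatal error to stderr before the exception is thrown, which is useful as a detection signal in server logs.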

If you’re interested in hearing more about finding vulnerabilities and malware in open-source code at scale, REGISTER for our live webinar on September 6th 9 AM PST with Mark Curphey, CEO and Founder of SourceClear.
