Source: cve@mitre.org
An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_ent_ok() mishandles recursion, leading to stack consumption for a crafted XML file.
ezXML, a library for parsing XML files, is vulnerable to a denial-of-service (DoS) attack due to a stack consumption vulnerability. A crafted XML file can trigger excessive recursion within the ezxml_ent_ok() function, leading to a crash or system instability. This vulnerability could be exploited to disrupt services that rely on ezXML for XML parsing.
Step 1: Payload Delivery: The attacker crafts a malicious XML file containing deeply nested or circular entity references.
Step 2: File Ingestion: The targeted application or service, using the vulnerable ezXML library, attempts to parse the crafted XML file.
Step 3: Recursive Trigger: The ezxml_ent_ok() function is called repeatedly as the parser encounters the nested or circular entity references.
Step 4: Stack Exhaustion: The repeated function calls consume the stack space, leading to stack overflow.
Step 5: Denial of Service: The stack overflow results in a crash, segmentation fault, or system instability, effectively causing a denial of service.
The vulnerability lies within the ezxml_ent_ok() function of the ezXML library, which is responsible for validating XML entity references. The flaw is a recursive call within this function that is not properly bounded. When the parser encounters a crafted file with deeply nested or circular entity references, ezxml_ent_ok() calls itself repeatedly, consuming stack space on each recursion until the stack is exhausted, which results in a segmentation fault or a crash of the host process. Because neither input validation nor a recursion-depth limit constrains this growth, the parser is exposed to a DoS attack. The root cause is a design flaw in the entity handling logic: there is no mechanism to prevent unbounded recursion.
No specific APT groups are linked to this CVE, but any threat actor seeking to disrupt services that use ezXML could exploit it. It is rated a low-severity vulnerability and is not listed in the CISA KEV catalog.
Monitor system logs for segmentation faults or crashes related to XML parsing processes.
Analyze network traffic for unusually large XML files or XML files with complex entity structures.
Implement intrusion detection system (IDS) rules to identify XML files with excessive entity nesting or circular references.
Monitor CPU and memory usage of processes that parse XML files; spikes may indicate an attack in progress.
Examine core dumps for stack traces related to ezxml_ent_ok().
Upgrade to a patched version of ezXML (if available).
If upgrading is not possible, consider using a different XML parsing library.
Implement input validation to restrict the size and complexity of XML files accepted by the application.
Limit the depth of entity expansion during XML parsing.
Implement resource limits (e.g., CPU, memory) for XML parsing processes to prevent excessive resource consumption.
Apply a Web Application Firewall (WAF) with XML parsing protection.
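The two mitigations above that call for restricting XML complexity and limiting entity expansion depth can be enforced before the document ever reaches the parser. The following is an added example, not code from ezXML or from the advisory: a hypothetical `entity_nesting_ok()` pre-parse guard that scans the internal DTD subset for `<!ENTITY name "value">` declarations, builds the reference graph between them, and rejects the document if any entity references form a cycle or nest deeper than a caller-chosen limit. It assumes general entities with literal replacement text only and conservatively rejects external (`SYSTEM`/`PUBLIC`) and parameter entities; the sample documents are constructed for the demo.

```c
/* Added example (not ezXML code): a pre-parse guard that rejects documents whose
 * internal-DTD entity declarations form a cycle or nest deeper than a limit. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ENTITIES 64
#define MAX_NAME 32
#define MAX_VALUE 256

typedef struct {
    char name[MAX_NAME];
    char value[MAX_VALUE];
    int state;  /* 0 = unvisited, 1 = on the current DFS path, 2 = finished */
    int depth;  /* cached nesting depth below this entity once finished */
} entity_t;

static entity_t ents[MAX_ENTITIES];  /* global table: not thread-safe, fine for a demo */
static int n_ents;

/* Collect <!ENTITY name "value"> declarations. Returns the count, or -1 when the
 * subset is malformed, external, uses parameter entities, or has too many entries. */
static int collect_entities(const char *xml) {
    const char *p = xml;
    n_ents = 0;
    while ((p = strstr(p, "<!ENTITY")) != NULL) {
        entity_t *e; size_t i = 0; char q;
        p += 8;  /* strlen("<!ENTITY") */
        while (isspace((unsigned char)*p)) p++;
        if (*p == '%' || n_ents >= MAX_ENTITIES) return -1;
        e = &ents[n_ents];
        while (*p && !isspace((unsigned char)*p) && i < MAX_NAME - 1) e->name[i++] = *p++;
        e->name[i] = '\0';
        while (isspace((unsigned char)*p)) p++;
        q = *p;
        if (q != '"' && q != '\'') return -1;  /* SYSTEM/PUBLIC or malformed */
        p++;
        for (i = 0; *p && *p != q && i < MAX_VALUE - 1; ) e->value[i++] = *p++;
        if (*p != q) return -1;  /* value too long or unterminated */
        e->value[i] = '\0';
        e->state = 0; e->depth = -1;
        n_ents++;
    }
    return n_ents;
}

static entity_t *find_entity(const char *name, size_t len) {
    for (int i = 0; i < n_ents; i++)
        if (strlen(ents[i].name) == len && memcmp(ents[i].name, name, len) == 0)
            return &ents[i];
    return NULL;
}

/* Depth-first walk over &name; references inside an entity's replacement text.
 * Returns the nesting depth, or -1 on a cycle or when max_depth is exceeded. */
static int expansion_depth(entity_t *e, int max_depth) {
    int deepest = 0;
    if (e->state == 1) return -1;        /* back edge: circular reference */
    if (e->state == 2) return e->depth;  /* already computed */
    e->state = 1;
    for (const char *p = e->value; (p = strchr(p, '&')) != NULL; p++) {
        const char *end = strchr(p + 1, ';'); entity_t *ref; int d;
        if (!end) break;
        ref = find_entity(p + 1, (size_t)(end - p - 1));
        if (!ref) continue;  /* &amp;, &#...; and friends add no nesting */
        d = expansion_depth(ref, max_depth);
        if (d < 0) return -1;
        if (d + 1 > deepest) deepest = d + 1;
        if (deepest > max_depth) return -1;
    }
    e->state = 2;
    e->depth = deepest;
    return deepest;
}

/* 1 = safe to hand to the XML parser, 0 = reject before parsing. */
int entity_nesting_ok(const char *xml, int max_depth) {
    if (collect_entities(xml) < 0) return 0;
    for (int i = 0; i < n_ents; i++)
        if (expansion_depth(&ents[i], max_depth) < 0) return 0;
    return 1;
}

/* Constructed sample documents for the demo. */
static const char *SAFE_DOC =
    "<!DOCTYPE note [\n  <!ENTITY who \"ezXML\">\n"
    "  <!ENTITY msg \"hello from &who; &amp; friends\">\n]>\n<note>&msg;</note>\n";
static const char *CYCLIC_DOC =
    "<!DOCTYPE note [\n  <!ENTITY a \"&b;\">\n  <!ENTITY b \"&a;\">\n]>\n<note>&a;</note>\n";

int main(void) {
    printf("safe doc, limit 4:   %s\n", entity_nesting_ok(SAFE_DOC, 4) ? "accept" : "reject");
    printf("safe doc, limit 0:   %s\n", entity_nesting_ok(SAFE_DOC, 0) ? "accept" : "reject");
    printf("cyclic doc, limit 4: %s\n", entity_nesting_ok(CYCLIC_DOC, 4) ? "accept" : "reject");
    return 0;
}
```

Running the check in front of ezxml_parse_str() (or any other parser) with a small limit such as 4 turns the unbounded recursion described above into an early, cheap rejection; the depth value returned per entity can also be logged, which gives the monitoring steps listed earlier a concrete signal to alert on.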