Source: cve@mitre.org
An issue was discovered in ezXML 0.8.3 through 0.8.6. The ezxml_parse_* functions mishandle XML entities, leading to an infinite loop in which memory allocations occur.
ezXML, a library for parsing XML, is vulnerable to a denial-of-service (DoS) attack due to improper handling of XML entities, leading to an infinite loop and exhaustion of system resources. This vulnerability allows attackers to crash applications using ezXML by providing a specially crafted XML file, resulting in application unavailability and potential system instability.
Step 1: Payload Delivery: The attacker crafts a malicious XML file. This file contains a specially crafted XML entity definition.
Step 2: XML Parsing: The vulnerable application, using the ezXML library, attempts to parse the malicious XML file.
Step 3: Entity Expansion: The parser encounters the malicious entity definition and attempts to resolve it.
Step 4: Infinite Recursion: The entity definition is crafted to reference itself (directly or indirectly), causing the parser to enter an infinite loop during entity expansion.
Step 5: Memory Allocation: Within the infinite loop, the parser repeatedly allocates memory to resolve the entity, rapidly consuming available system resources.
Step 6: Denial of Service: The memory exhaustion leads to a denial-of-service condition, crashing the application and potentially impacting the entire system.
The flaw is in the ezxml_parse_* functions, which do not correctly handle recursive XML entity definitions. When an XML document declares an entity that references itself, directly or through a chain of other entities, the parsing function loops forever trying to expand it, allocating memory on every iteration until memory is exhausted and the application using ezXML crashes, with possible knock-on effects on the stability of the whole system. No bounds check or cycle detection is applied during entity resolution; the root cause is a logic flaw in which the parser fails to detect and stop this recursive expansion.
While no specific APTs are definitively linked, the ease of exploitation and potential for system disruption make this vulnerability attractive to various threat actors. CISA KEV: Not Listed.
Monitor application logs for excessive memory consumption or unexpected crashes during XML parsing.
Network traffic analysis: Look for unusual XML file sizes or patterns in requests to applications using ezXML.
System monitoring: Observe CPU and memory usage spikes when applications using ezXML are active.
Implement file integrity monitoring to detect any unauthorized modification of XML files.
Upgrade to a patched version of ezXML (0.8.7 or later).
Implement input validation to restrict the size and complexity of XML files accepted by the application.
Limit the resources (CPU, memory) allocated to the XML parsing process.
Use a web application firewall (WAF) to filter malicious XML payloads.
Consider using a different XML parsing library that is not vulnerable.
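As an added example that is not part of the original advisory or the ezXML project's own code: a pre-parse check in C that implements the input-validation mitigation above against the root cause described earlier. It rejects a document that exceeds a size cap or whose internal DTD subset declares entities referencing themselves directly or indirectly, so only documents that pass would be handed to ezxml_parse_str. The function and constant names (check_xml_entities, MAX_XML_BYTES, the verdict codes), the 1 MiB cap and the sample documents are this example's own assumptions and constructions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Policy limits; hypothetical values, tune per application. */
#define MAX_XML_BYTES   (1u << 20)   /* 1 MiB */
#define MAX_ENTITIES    64
#define MAX_NAME        64

/* Verdicts returned by check_xml_entities(). */
enum { XML_OK = 0, XML_TOO_LARGE, XML_TOO_MANY_ENTITIES, XML_RECURSIVE_ENTITY };

typedef struct {
    char name[MAX_NAME];
    const char *value;      /* points into the caller's buffer */
    size_t value_len;
} entity_t;

/* Collect every <!ENTITY name "value"> declaration in the document.
 * Occurrences inside comments or CDATA are also picked up, which errs on
 * the side of rejection. Returns the count, or -1 if more than max. */
static int collect_entities(const char *xml, entity_t *ents, int max)
{
    int n = 0;
    const char *p = xml;
    while ((p = strstr(p, "<!ENTITY")) != NULL) {
        p += strlen("<!ENTITY");
        while (isspace((unsigned char)*p)) p++;
        if (*p == '%') {                      /* parameter entity: treat like a general one */
            p++;
            while (isspace((unsigned char)*p)) p++;
        }
        if (n >= max) return -1;
        size_t i = 0;
        while (*p && !isspace((unsigned char)*p) && *p != '>' && i < (size_t)(MAX_NAME - 1))
            ents[n].name[i++] = *p++;
        ents[n].name[i] = '\0';
        while (isspace((unsigned char)*p)) p++;
        if (*p != '"' && *p != '\'') continue; /* SYSTEM/PUBLIC: no inline value to expand */
        char quote = *p++;
        const char *close = strchr(p, quote);
        if (close == NULL) break;              /* unterminated literal; nothing more to read */
        ents[n].value = p;
        ents[n].value_len = (size_t)(close - p);
        n++;
        p = close + 1;
    }
    return n;
}

static int find_entity(const entity_t *ents, int n, const char *name, size_t len)
{
    for (int i = 0; i < n; i++)
        if (strlen(ents[i].name) == len && memcmp(ents[i].name, name, len) == 0)
            return i;
    return -1;
}

/* Depth-first walk over the "entity value references entity" graph.
 * state: 0 = unvisited, 1 = on the current path, 2 = fully explored.
 * Reaching a node already on the path is a cycle: expansion would never end. */
static int has_cycle(const entity_t *ents, int n, int idx, unsigned char *state)
{
    if (state[idx] == 1) return 1;
    if (state[idx] == 2) return 0;
    state[idx] = 1;
    const char *p = ents[idx].value, *end = p + ents[idx].value_len;
    while (p < end && (p = memchr(p, '&', (size_t)(end - p))) != NULL) {
        const char *semi = memchr(p + 1, ';', (size_t)(end - (p + 1)));
        if (semi == NULL) break;
        if (p[1] != '#') {                    /* skip character references such as &#38; */
            int j = find_entity(ents, n, p + 1, (size_t)(semi - (p + 1)));
            if (j >= 0 && has_cycle(ents, n, j, state)) return 1;
        }
        p = semi + 1;
    }
    state[idx] = 2;
    return 0;
}

/* Verdict on a NUL-terminated document before it is given to the XML parser. */
int check_xml_entities(const char *xml)
{
    if (strlen(xml) > MAX_XML_BYTES) return XML_TOO_LARGE;
    entity_t ents[MAX_ENTITIES];
    int n = collect_entities(xml, ents, MAX_ENTITIES);
    if (n < 0) return XML_TOO_MANY_ENTITIES;
    unsigned char state[MAX_ENTITIES] = {0};
    for (int i = 0; i < n; i++)
        if (has_cycle(ents, n, i, state)) return XML_RECURSIVE_ENTITY;
    return XML_OK;
}

/* Constructed sample documents (not taken from the advisory). */
static const char *const SAMPLE_OK =
    "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY greet \"hello\">"
    "<!ENTITY msg \"&greet; world\">]><r>&msg;</r>";
static const char *const SAMPLE_DIRECT =
    "<!DOCTYPE r [<!ENTITY a \"&a;\">]><r>&a;</r>";
static const char *const SAMPLE_INDIRECT =
    "<!DOCTYPE r [<!ENTITY a \"&b;\"><!ENTITY b \"&a;\">]><r>&a;</r>";

int main(void)
{
    const char *const names[] = { "ok", "direct", "indirect" };
    const char *const docs[] = { SAMPLE_OK, SAMPLE_DIRECT, SAMPLE_INDIRECT };
    for (int i = 0; i < 3; i++)
        printf("%-8s -> verdict %d\n", names[i], check_xml_entities(docs[i]));
    /* Only a document with verdict XML_OK would be passed on to ezxml_parse_str(). */
    return 0;
}
```

The check is deliberately conservative: it treats any reference cycle among declared entities as a reject, whether or not the document body ever uses the entity, and it does not attempt to interpret external (SYSTEM/PUBLIC) entities at all. It complements, rather than replaces, the resource limits and the upgrade listed above, since it only covers the recursion pattern this advisory describes.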