Hello, welcome to the Friday, October 25th, 2019 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Santa Monica, California.

Italian web application security company Shielder has blocked about a very interesting and dangerous vulnerability in the popular

LSP for XML library.

This is an XML parsing library that is used in products like for example the Visual

Studio code XML plugin or the Eclipse Wild Web developer plugin.

Essentially, if you're parsing XML in particular in developer tools like this, there is a good

chance that you may be using the LSP for XML library.

The issue here is an XML external entity problem. Now, XML external entities are

really a feature, but a dangerous feature. With this feature, it's possible to specify an entity

as part of an XML document that will be retrieved from a web server. So as the editor loads the

XML document and parses it, it will reach out to the web server to download additional content.

This in itself is of course kind of dangerous. For example, we could like forge requests that way, but that's not the

only problem here with the LSP for XML library. The next issue is that in order to be more

efficient, the library caches the content locally on the developer's system. To save the content, the file name is derived from the URL that was used to retrieve the document

without cleaning up things like dot-dot slashes and such.

So you will end up with directory traversal and you will be able to essentially upload a document

to the user's workstation in an arbitrary location with an arbitrary file name, with the only

restriction being that the developer has to have the ability to write in that particular

location.

And then, of course, then pretty quickly leads to remote code execution.

All the attacker has to be able to do is find a location, find a file name, where this file will likely then be executed.

...