Tuesday, May 28, 2019 At 2:51PM
Aon’s Cyber Solutions recently discovered two vulnerabilities in RealObjects PDFreactor prior to version 10.1.10722 in the default configuration. The identified vulnerabilities allow attackers to perform Server-Side Request Forgery (SSRF) and XML External Entity Injection (XXE) attacks in cases where PDFreactor is used to process user-controllable HTML over a network. Exploitation of these vulnerabilities allows an attacker to access local system files as well as internal network resources in order to retrieve secrets or bypass firewall rules. These vulnerabilities were discovered by Sean Melia.
Aon’s Cyber Solutions would like to thank RealObjects for working with us as part of our coordinated disclosure process to quickly remediate these vulnerabilities.
04/08/19 – Initial disclosure
04/09/19 – Receipt acknowledged
04/18/19 – Issues confirmed, documentation updates & fixes slated for 10.1
04/18/19 – SSRF issue discovered by a 3rd party and published as a 0 day on Twitter
04/24/19 – RealObjects publishes preliminary advisory with suggested workarounds
05/27/19 – Version 10.1.10722 released
CVE-2019-12153 Server-side request forgery (SSRF)
The PDFreactor library prior to version 10.1.10722 is vulnerable to Server-Side Request Forgery (SSRF) attacks, where user input defining a URL (e.g. protocol and hostname information) is accepted and used to build a request to an arbitrary host. An example of exploitation would be to access internal network resources such as “http://169.254.169.254/latest/meta-data/” and retrieve the AWS secret keys. Additionally, local system files can be extracted this way using the “file:/” or “netdoc://” handlers.
PDFreactor version 10.1.10722 will no longer load resources from the local filesystem by default. Documentation and sample code have been updated to clarify the risks of allowing external references and demonstrate how they may be safely allowed.
CVE-2019-12154 XML external entity (XXE)
The PDFreactor library prior to version 10.1.10722 is vulnerable to XML External Entity (XXE) attacks. User input defining an external resource, such as an XML document or SVG image, that contains a malicious payload is parsed by the backend Java XML parser. When the malicious XML payload is parsed, local system files or internal hosts can be interacted with via common handlers such as “file:/”, “netdoc://”, or “http://”. This exposure is due to the way in which the parser handles XML documents containing external entities. When an XML parser encounters a DOCTYPE declaring an external entity, it expands every reference to that entity with the contents of the resource at the declared URI.
PDFreactor version 10.1.10722 disables external XML entity processing by default. If a user wishes to enable it, the URLStreamHandler class has been updated to handle external XML entity resolution, so that custom validation can be performed before a resource is loaded.
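As an added illustration (not RealObjects' code and not the URLStreamHandler change itself), the following Python shows the two controls the SSRF and XXE sections describe: a URL policy that rejects the file:/ and netdoc:// handlers and non-routable hosts such as 169.254.169.254, and an expat-based parser that refuses any DOCTYPE by default and, only when external entities are explicitly enabled, resolves them through that policy and the caller's own fetch function. The hostnames and the resolver stub used with it are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit
import xml.parsers.expat

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_fetch_url(url, resolve=socket.gethostbyname):
    # Allow only http(s) URLs to globally routable hosts: this rejects the
    # file:/ and netdoc:// handlers and addresses such as 169.254.169.254.
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)        # literal address
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolve(parts.hostname))
        except (OSError, ValueError):                     # lookup failed
            return False
    # Loopback, link-local, private and reserved ranges are all non-global.
    # Connect to the address that was checked, or DNS rebinding defeats it.
    return ip.is_global


def parse_xml(data, url_policy=None, fetch=None):
    # Safe default: any DOCTYPE is rejected, so no entity can be declared.
    # With url_policy and fetch, an external entity is resolved only when
    # its SYSTEM id passes the policy, and only through the caller's fetch.
    parser = xml.parsers.expat.ParserCreate()
    text = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if url_policy is None or fetch is None:
            raise ValueError("DOCTYPE rejected: external entities disabled")

    def on_external_ref(context, base, system_id, public_id):
        if not url_policy(system_id):
            raise ValueError("external entity blocked: %s" % system_id)
        child = parser.ExternalEntityParserCreate(context)  # same handlers
        child.Parse(fetch(system_id), True)                  # caller's client
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return "".join(text)
```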
Author: Sean Melia