AndroidTacticalAssaultKit-CIV
Safe DocumentBuilderFactory is not safe
Static code analysis flagged XML parsing in ATAK as vulnerable to XXE injection. The XMLUtils.getDocumenBuilderFactory()
method attempts to disallow DTD to mitigate this threat; however, the call to DocumentBuilderFactory.setFeature()
fails with a ParserConfigurationException because the underlying XML parser does not support that feature.
To remedy this, it is suggested to use a Xerces-2 parser instead of the default parser that is included in Android.
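The point of the report is that a hardening call can fail silently from the caller's perspective: the factory is returned as if it were safe, but the parser never accepted the feature. The following is an added example, not ATAK's XMLUtils code, of a factory helper that prefers the Xerces-2 JAXP implementation when it is bundled, records whether the DOCTYPE ban was actually accepted, and otherwise falls back to disabling external entity resolution plus a pre-parse DOCTYPE check. The class name HardenedXml, the sample documents and the choice of fallback are assumptions; the feature URIs and the Xerces factory class name are the standard ones.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.FactoryConfigurationError;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hypothetical helper (not ATAK's XMLUtils): tracks which protections the parser accepted. */
public final class HardenedXml {

    private static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL =
            "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER =
            "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD =
            "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    // JAXP factory shipped by Xerces-2 (xercesImpl); resolvable only when it is bundled with the app.
    private static final String XERCES_FACTORY =
            "org.apache.xerces.jaxp.DocumentBuilderFactoryImpl";

    private final DocumentBuilderFactory factory;
    private final boolean doctypeBanned;

    private HardenedXml(DocumentBuilderFactory factory, boolean doctypeBanned) {
        this.factory = factory;
        this.doctypeBanned = doctypeBanned;
    }

    public static HardenedXml create() {
        DocumentBuilderFactory dbf;
        try {
            // Prefer Xerces-2, as the issue suggests; fall back to the platform default parser.
            dbf = DocumentBuilderFactory.newInstance(XERCES_FACTORY, HardenedXml.class.getClassLoader());
        } catch (FactoryConfigurationError notBundled) {
            dbf = DocumentBuilderFactory.newInstance();
        }
        dbf.setExpandEntityReferences(false);
        // The strongest control: no DOCTYPE means no entities at all, internal or external.
        boolean banned = trySet(dbf, DISALLOW_DOCTYPE, true);
        if (!banned) {
            // The parser rejected the ban (the situation reported above): at least stop
            // external resolution. Internal entity expansion is then caught in parse().
            trySet(dbf, EXTERNAL_GENERAL, false);
            trySet(dbf, EXTERNAL_PARAMETER, false);
            trySet(dbf, LOAD_EXTERNAL_DTD, false);
        }
        trySet(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return new HardenedXml(dbf, banned);
    }

    /** Returns false if the factory silently accepted fewer protections than requested. */
    private static boolean trySet(DocumentBuilderFactory dbf, String feature, boolean value) {
        try {
            dbf.setFeature(feature, value);
            return true;
        } catch (ParserConfigurationException unsupported) {
            return false;
        }
    }

    public boolean isDoctypeBanned() {
        return doctypeBanned;
    }

    public Document parse(String xml) throws ParserConfigurationException, SAXException, IOException {
        if (!doctypeBanned && xml.toLowerCase(Locale.ROOT).contains("<!doctype")) {
            // Fallback when the parser itself would not enforce the ban.
            throw new SAXException("DOCTYPE not permitted (parser-level ban unavailable)");
        }
        DocumentBuilder db = factory.newDocumentBuilder();
        // Resolve any remaining external reference to an empty document instead of the network or disk.
        db.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        HardenedXml xml = HardenedXml.create();
        System.out.println("DOCTYPE ban accepted by parser: " + xml.isDoctypeBanned());
        // Constructed sample documents, not the attachment from the issue.
        String plain = "<mapSource><name>demo</name></mapSource>";
        String withDtd = "<!DOCTYPE m [<!ENTITY e \"x\">]><mapSource>&e;</mapSource>";
        System.out.println("plain root: " + xml.parse(plain).getDocumentElement().getTagName());
        try {
            xml.parse(withDtd);
            System.out.println("DTD document parsed: protections are NOT effective on this parser");
        } catch (SAXException e) {
            System.out.println("DTD document rejected: " + e.getMessage());
        }
    }
}
```

The useful property is the `isDoctypeBanned()` flag: a unit test on the target Android API level can assert it, which is exactly what static analysis could not tell the reporter. Whether the platform's own `DocumentBuilderFactory` honours the SAX external-entity features is also implementation dependent, which is why the `parse()` fallback does not trust them either.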
Thank you. Were you able to trigger an XXE injection using the current code? Filed an investigation ticket to look into the usage of xerces.
Affirmative, was able to perform an XXE exploit successfully in current code (4.5.0.1); the application crashed several seconds after importing the attached map source containing a billion laughs attack XML bomb.
There is more info about XXE and Xerces here: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java
Thank you for your follow up.
The crash mechanism you provided exploits the XMLPullParser within the code. Specifically, the code found in com.atakmap.map.layer.raster.mobac.MobacMapSourceFactory.parseCustomMapSource
This code path does not make use of XMLUtils. There are a few other code paths that make use of the PullParser, and I will group those together when determining the best way forward for addressing this issue.
If you do come up with a crash mechanism that exploits the code paths that use XMLUtils, please follow up and I will likely file a separate JIRA ticket on our end.
Very Respectfully.
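The maintainer's reply shows that the DOM factory fix does nothing for the import path, which goes through XmlPullParser. As an added example, not ATAK's MobacMapSourceFactory code, the class below puts a guard in front of a pull parser: it bounds the input size and refuses any DOCTYPE before the parser sees the bytes, so an entity bomb is never expanded regardless of what the parser implementation does with DTDs. The class name GuardedPullParser, the 256 KiB limit and the assumption that map-source files are UTF-8 are mine; the XmlPull API (org.xmlpull.v1) ships with Android, and on a desktop JVM needs kxml2 or xpp3 on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import org.xmlpull.v1.XmlPullParser;
import org.xmlpull.v1.XmlPullParserException;
import org.xmlpull.v1.XmlPullParserFactory;

/** Hypothetical guard for a pull-parser based importer (not ATAK's MobacMapSourceFactory). */
public final class GuardedPullParser {

    // Upper bound for an imported map-source description; the value is an assumption.
    static final int MAX_BYTES = 256 * 1024;

    /** Reads the whole stream but fails fast once the bound is exceeded. */
    static String readBounded(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n;
        while ((n = in.read(chunk)) != -1) {
            if (buf.size() + n > MAX_BYTES) {
                throw new IOException("input exceeds " + MAX_BYTES + " bytes");
            }
            buf.write(chunk, 0, n);
        }
        return new String(buf.toByteArray(), StandardCharsets.UTF_8); // assumes UTF-8 input
    }

    static boolean containsDoctype(String text) {
        return text.toLowerCase(Locale.ROOT).contains("<!doctype");
    }

    /** Returns a parser positioned at the start of a document that is known to carry no DTD. */
    public static XmlPullParser open(InputStream in) throws IOException, XmlPullParserException {
        String text = readBounded(in);
        if (containsDoctype(text)) {
            throw new XmlPullParserException("DOCTYPE declarations are not accepted in imported sources");
        }
        XmlPullParserFactory factory = XmlPullParserFactory.newInstance();
        factory.setNamespaceAware(false);
        XmlPullParser parser = factory.newPullParser();
        try {
            // Best effort: ask the implementation not to process the internal DTD subset.
            // Support and default behaviour vary, so the check above is the control relied on.
            parser.setFeature(XmlPullParser.FEATURE_PROCESS_DOCDECL, false);
        } catch (XmlPullParserException unsupported) {
            // The DOCTYPE rejection above already covers this case.
        }
        parser.setInput(new StringReader(text)); // parse exactly the text that was checked
        return parser;
    }

    /** Counts start tags; stands in for the importer's real element handling. */
    public static int countElements(XmlPullParser parser) throws IOException, XmlPullParserException {
        int count = 0;
        for (int event = parser.getEventType(); event != XmlPullParser.END_DOCUMENT; event = parser.next()) {
            if (event == XmlPullParser.START_TAG) {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples, not the attachment from the issue.
        byte[] plain = "<customMapSource><name>demo</name></customMapSource>"
                .getBytes(StandardCharsets.UTF_8);
        byte[] withDtd = "<!DOCTYPE m [<!ENTITY e \"x\">]><customMapSource>&e;</customMapSource>"
                .getBytes(StandardCharsets.UTF_8);
        System.out.println("elements: " + countElements(open(new ByteArrayInputStream(plain))));
        try {
            open(new ByteArrayInputStream(withDtd));
            System.out.println("DTD document accepted: guard is NOT effective");
        } catch (XmlPullParserException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Decoding once and handing the parser the same `String` matters: if the guard scanned raw bytes and the parser decoded them under a different charset, a DOCTYPE could be missed. Applying `open()` at every pull-parser entry point the maintainer mentions grouping together gives one control to test rather than several parser configurations to audit.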