In a recent Product Security Review, Code White Researchers discovered a XXE vulnerability in Apache Flex BlazeDS/Adobe (see ASF Advisory). The vulnerable code can be found in the BlazeDS Remoting/AMF protocol implementation.
All versions before 4.7.1 are vulnerable. Software products providing BlazeDS Remoting destinations might be also affected by the vulnerability (e.g. Adobe LiveCycle Data Services, see APSB15-20).
An AMF message has a header and a body. To parse the body, the method
AmfMessageDeserializer is called.
In this method, the
responseURI and the length of the body are read. Afterwards, the method
readObject() is called which
eventually calls the method
readObject() of an
ActionMessageInput instance (either
In case of an
Amf0Input instance, the type of the object is read from the next byte. If type has the value 15, the following bytes of the body are parsed in method
readXml() as a UTF string.
The xml string gets passed to method
stringToDocument of class
XMLUtil where the
Document is created using the
DocumentBuilder is created through the
DocumentBuilderFactory, external entities are allowed by default.
The developer needs to configure the parser to prevent XXE.
Exploitation is easy, just send the XXE vector of your choice.