In a recent Product Security Review, Code White Researchers discovered a XXE vulnerability in Apache Flex BlazeDS/Adobe (see ASF Advisory). The vulnerable code can be found in the BlazeDS Remoting/AMF protocol implementation.
All versions before 4.7.1 are vulnerable. Software products providing BlazeDS Remoting destinations might be also affected by the vulnerability (e.g. Adobe LiveCycle Data Services, see APSB15-20).
Vulnerability Details
An AMF message has a header and a body. To parse the body, the method readBody() of AmfMessageDeserializer is called.
In this method, the targetURI, responseURI and the length of the body are read. Afterwards, the method readObject() is called which
eventually calls the method readObject() of an ActionMessageInput instance (either Amf0Input or Amf3Input).
In case of an Amf0Input instance, the type of the object is read from the next byte. If type has the value 15, the following bytes of the body are parsed in method
readXml() as a UTF string.
The xml string gets passed to method stringToDocument of class XMLUtil where the Document is created using the DocumentBuilder.
When a DocumentBuilder is created through the DocumentBuilderFactory, external entities are allowed by default.
The developer needs to configure the parser to prevent XXE.
Exploitation
Exploitation is easy, just send the XXE vector of your choice.
