XML External Entity (XXE) injections in PDF description may lead to denial of service

Forum for the PDF-XChange Editor - Free and Licensed Versions


jherve
User
Posts: 2
Joined: Fri Aug 31, 2018 2:40 pm

XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by jherve »

Hello,

When opening a PDF file, PDF-XChange Editor searches for an XML structure "x:xmpmeta" inside the document and tries to parse its content. If this field contains a DOCTYPE and ENTITY declarations, the parser will use them.
Such behaviour (usually called "XML External Entity injection") may be exploited by creating a malicious document in order to cause a Denial of Service.

The attachment is a Proof-of-Concept that contains an XML description with several ENTITY declarations:
- The ENTITY "hello" will insert "Hello from ENTITY" in the "producer" field.
- The ENTITY "dos_9" is "recursive" (kind of) and would cause a denial of service if used in the description (known as the "Billion Laughs attack": https://en.wikipedia.org/wiki/Billion_laughs_attack)

Moreover, when installed on Windows, PDF-XChange Editor seems to be used by Windows Explorer to load and display the producer name when the cursor is on the PDF file icon. In such a case, the denial of service may happen even if the user does not try to open the file.

Can you do something about this behavior?

Regards.
Attachment: pocXXE.pdf (Proof of Concept, 148.88 KiB)
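The check a defender would want for files like the one described above, as an added example that is neither the poster's attachment nor anything from PDF-XChange: it pulls uncompressed XMP metadata streams out of a PDF and parses them with expat configured to abort on any DOCTYPE, so a Billion Laughs payload in the description is reported before a single entity is expanded. The PDF container, the two XMP samples and the function names are all constructed for this example.

```python
import re
import xml.parsers.expat as expat

# Uncompressed XMP metadata stream inside a PDF (XMP is normally stored unfiltered so
# other tools can read it); Flate-compressed metadata streams are out of scope here.
XMP_STREAM = re.compile(rb"/Subtype\s*/XML.*?stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

class UnsafeXmpError(ValueError):
    """An XMP packet carries a DOCTYPE, the only place ENTITY declarations can live."""

def parse_xmp_strict(packet: bytes):
    """Return pdf:Producer text, refusing any DTD: XMP never needs a DOCTYPE, so one is hostile."""
    parser = expat.ParserCreate()
    state = {"in_producer": False, "text": [], "producer": None}
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmpError(f"DOCTYPE {name!r} declared inside XMP packet")
    def on_start(name, attrs):
        state["in_producer"] = name.split(":")[-1] == "Producer"
    def on_end(name):
        if name.split(":")[-1] == "Producer":
            state["producer"], state["in_producer"] = "".join(state["text"]), False
    def on_chars(data):
        if state["in_producer"]:
            state["text"].append(data)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(packet, True)          # raises UnsafeXmpError at the DOCTYPE, if any
    return state["producer"]

def scan_pdf(pdf_bytes: bytes):
    """Classify every XMP packet in the file as ('ok', producer) or ('unsafe', reason)."""
    results = []
    for packet in XMP_STREAM.findall(pdf_bytes):
        try:
            results.append(("ok", parse_xmp_strict(packet) or ""))
        except UnsafeXmpError as exc:
            results.append(("unsafe", str(exc)))
    return results

# Constructed samples (not the poster's attachment); the hostile one is limited to two entities.
CLEAN = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
         b'<rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/"><pdf:Producer>Example Producer'
         b'</pdf:Producer></rdf:Description></rdf:RDF></x:xmpmeta>')
HOSTILE = (b'<!DOCTYPE x [<!ENTITY hello "Hello from ENTITY"><!ENTITY dos_1 "&hello;&hello;&hello;">]>'
           + CLEAN.replace(b"Example Producer", b"&hello;"))

def wrap_in_pdf(xmp: bytes) -> bytes:
    """Minimal constructed PDF container holding one uncompressed /Metadata stream."""
    return (b"%%PDF-1.7\n1 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
            + xmp + b"\nendstream\nendobj\n%%EOF\n")
```

Rejecting the whole packet on DOCTYPE is the same policy the poster's report implies a fix should take: XMP carries no DTD, so there is no legitimate case to expand.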
Paul - Tracker Supp
Site Admin
Posts: 6836
Joined: Wed Mar 25, 2009 10:37 pm
Location: Chemainus, Canada

Re: XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by Paul - Tracker Supp »

Thanks for this, jherve.

We are investigating right now.
Best regards

Paul O'Rorke
Tracker Support North America
http://www.tracker-software.com
TrackerSupp-Daniel
Site Admin
Posts: 8440
Joined: Wed Jan 03, 2018 6:52 pm

Re: XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by TrackerSupp-Daniel »

Hello jherve,
Thank you again for bringing this vulnerability to our attention. We have just completed developing a fix for this; it will be implemented in the upcoming (327.0) release of our software.
Have an excellent day!
Dan McIntyre - Support Technician
Tracker Software Products (Canada) LTD

+++++++++++++++++++++++++++++++++++
Our web site domain and email address have changed as of 26/10/2023.
https://www.pdf-xchange.com
Support@pdf-xchange.com
Spiff
User
Posts: 82
Joined: Sun Apr 18, 2010 11:41 am
Location: the Netherlands

Re: XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by Spiff »

Dear Tracker Support,

Thanks very much, I noticed the fix in Editor version 7.0.327.0.

I am still on Editor version 6.0.322.7. I haven't updated to version 7.0, because I don't need the hassle of customizing 7.0; I still like how I customized 6.0, very much. If there is no serious security reason to update from 6.0.322.7 to 7.0, I'd rather not.

Could you tell me, please, whether Editor 6.0.322.7 is affected by the mentioned vulnerability?
If so, could you tell me whether a "Billion Laughs attack" exploiting this vulnerability can 'only' cause a denial-of-service attack? Or are there other ways the mentioned vulnerability can be exploited that are more harmful than 'only' a DoS? If DoS is the worst that could happen, then I think I can happily keep using Editor version 6.0.322.7.

Thanks very much
and best regards
Tracker Supp-Stefan
Site Admin
Posts: 17824
Joined: Mon Jan 12, 2009 8:07 am
Location: London

Re: XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by Tracker Supp-Stefan »

Hello Spiff,

Yes, as the fix was implemented on the last day of August, any previous build could potentially be affected by the issue in the original post.

Regards,
Stefan
Spiff
User
Posts: 82
Joined: Sun Apr 18, 2010 11:41 am
Location: the Netherlands

Re: XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by Spiff »

Thanks, Stefan.

Could you also answer the other questions that I asked in my previous post?
Can a "Billion Laughs attack" exploiting the mentioned vulnerability 'only' cause a denial-of-service attack?
Or are there other ways the mentioned vulnerability can be exploited, other than a DoS attack, that are potentially more harmful than 'only' a DoS?
If DoS is the very worst that could happen, then I think I can happily keep using Editor version 6.0.322.7.

If you can't answer those questions, perhaps someone else can? (Perhaps the topic starter, jherve?)

Thanks again
and best regards
Paul - Tracker Supp
Site Admin
Posts: 6836
Joined: Wed Mar 25, 2009 10:37 pm
Location: Chemainus, Canada

Re: XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by Paul - Tracker Supp »

Hi Spiff,

I have it from the lead developer that the "vulnerability" would just be the "DoS attack".

On a system with a multicore CPU, one core would be caught in a loop that could take literally years to complete. The Editor would hang.

You said:
I haven't updated to version 7.0, because I don't need the hassle of customizing 7.0, I still like how I customized 6.0, very much
You do know that the "classic UI" is still available in V7? You would only have to go through the hassle of customizing once, and you could export your preferences from V6 and use them in a V6 "Portable" editor. That way, when you update to V7, you can compare the UI side by side and make this one-time chore easier...
Best regards

Paul O'Rorke
Tracker Support North America
http://www.tracker-software.com
Spiff
User
Posts: 82
Joined: Sun Apr 18, 2010 11:41 am
Location: the Netherlands

Re: XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by Spiff »

Paul - Tracker Supp wrote: I have it from the lead developer that the "vulnerability" would just be the "DoS attack".
On a system with a multicore CPU, one core would be caught in a loop that could take literally years to complete. The Editor would hang.
Thanks very much for that information, Paul.
Of course it is better not to see such an attack, but in my opinion it is definitely not the scariest kind of attack, as a reboot would fix it.

Off topic
Paul - Tracker Supp wrote: You do know that the "classic UI" is still available in V7? You would only have to go through the hassle of customizing once, and you could export your preferences from V6 and use them in a V6 "Portable" editor. That way when you update to V7 you can compare the UI side by side and make this one time chore easier...
Yes, I know that the classic UI is still available in V7, and that the hassle of customizing V7 is a one-time thing. (Well, I suppose that is until there is a version 8. :wink:)
I have captures of all my V6 settings, which would be helpful in the process of customizing V7. However, your suggestion to export V6 preferences and use those in a V6 Portable Editor, to be able to compare the UI side by side, may be even better. Thanks very much for that suggestion! Nevertheless, I think it's a hassle. After moving from Viewer to Editor V6 and customizing it in the way that I had customized the Viewer before, I was disappointed that I would need to do that again with V7. I was not the only one who was disappointed about that; there was a lot of talk about it. I was still hoping that Tracker Software would find a way to implement an option in V7 to customize it the way V6 was, by simply importing the V6 preferences. I'm afraid that won't happen.
For now, I'm staying on 6.0.322.7, but thank you very much for your suggestion to use V6 Portable for UI comparison!

Off topic
One more thing:
In January 2018, there was an issue with reply notification; I didn't receive any e-mail notifications of new replies.
That problem no longer exists. I receive topic reply notifications without any problem now. Nice!

Thanks once more,
and best regards
Tracker Supp-Stefan
Site Admin
Posts: 17824
Joined: Mon Jan 12, 2009 8:07 am
Location: London

Re: XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by Tracker Supp-Stefan »

Many thanks for the follow up Spiff!

Glad we could make all those suggestions, so you now have some options when you finally decide to go through the process of setting up V7!
As for later migrating from V7 to V8, settings should be preserved. Adding the ribbon UI was a very significant redesign, and that's why settings could not be kept from V6 for V7 (even for the Classic UI).

Happy to hear that the e-mail notifications now work for you!

Cheers,
Stefan
Spiff
User
Posts: 82
Joined: Sun Apr 18, 2010 11:41 am
Location: the Netherlands

Re: XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by Spiff »

Off topic
Tracker Supp-Stefan wrote: [...] Adding the ribbon UI was a very significant redesign - and that's why settings could not be kept from V6 for V7 (even for the Classic UI).
Yes, I understand.
However, I thought I remembered some earlier reply in which Tracker Support mentioned that development would see if there could be a way to implement an option in a later build, to customize V7 as V6 by simply importing the V6 preferences. I may have misunderstood. Or perhaps the idea was abandoned, as it proved too difficult.
Anyhow, I'm still very happy with 6.0.322.7, for now.
And as I will migrate from Windows to Linux by the end of Windows 7 support, I must say goodbye to PDF-XChange Editor anyway, which is really a pity. I hope that Okular will be good enough to fulfill my annotation needs on Linux. It'll be quite a step back, from PDF-XChange Editor.

Kind regards,
Spiff
Tracker Supp-Stefan
Site Admin
Posts: 17824
Joined: Mon Jan 12, 2009 8:07 am
Location: London

Re: XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by Tracker Supp-Stefan »

Hello Spiff,

Wine is always an option on Linux ;)
And yes, we did have plans originally to see how we could import settings from V6 to V7, but it did indeed turn out to be quite a complicated task!

Regards,
Stefan
Spiff
User
Posts: 82
Joined: Sun Apr 18, 2010 11:41 am
Location: the Netherlands

Re: XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by Spiff »

Off topic
Tracker Supp-Stefan wrote: Wine is always an option on Linux ;)
Thanks, Stefan, yes, I know, but I don't want to depend upon Wine. Let's see if I can live without PDF-XChange Editor. My annotation needs are limited, so I hope Okular will be enough.
Tracker Supp-Stefan wrote: And yes - we did have plans originally to see how we can import settings from V6 to V7 but it did indeed turn out to be quite a complicated task!
Ah, so I was right about that, so I hadn't lost my mind after all. :D

Thanks very much once again
and kind regards
Paul - Tracker Supp
Site Admin
Posts: 6836
Joined: Wed Mar 25, 2009 10:37 pm
Location: Chemainus, Canada

Re: XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by Paul - Tracker Supp »

Spiff, don't lose the Editor over spilled wine! ;-)

We actually do our best to support the Editor under Wine in Ubuntu LTS, using both the repository and WineHQ releases of Wine. I use it every day in Linux and could not imagine giving it up!

Wine is pretty stable and easy to use. When the time comes I strongly suggest you give it a try.
Best regards

Paul O'Rorke
Tracker Support North America
http://www.tracker-software.com
Spiff
User
Posts: 82
Joined: Sun Apr 18, 2010 11:41 am
Location: the Netherlands

Re: XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by Spiff »

Off topic
Thanks very much, Paul.
I still would prefer to use Kubuntu without Wine. But if Okular should not be enough, I will remember your suggestion, and consider Editor under Wine.

Thanks once more
and best regards
Paul - Tracker Supp
Site Admin
Posts: 6836
Joined: Wed Mar 25, 2009 10:37 pm
Location: Chemainus, Canada

Re: XML External Entity (XXE) injections in PDF description may lead to denial of service

Post by Paul - Tracker Supp »

:D
Best regards

Paul O'Rorke
Tracker Support North America
http://www.tracker-software.com