ID Product Version Vulnerability
SUID-2019-00003 Scytl Secure Vote (sVote) 2.1 XXE
*SUID IDs reference security issues and bad practices that are not necessarily exploitable but might still cause issues in certain scenarios.

Description

Several XXE (XML External Entity) weaknesses were found while auditing the code: XML parsers and transformers are created without the settings that disable DTD processing and external entity or stylesheet resolution.

TransformerFactory
File: /evoting-solution/source-code/scytl-cryptolib/cryptolib-asymmetric/src/main/java/com/scytl/cryptolib/asymmetric/utils/DomUtils.java
// Write DOM data to output stream.
try {
    TransformerFactory transformerFactory =
        TransformerFactory.newInstance();
    transformerFactory.setAttribute(
        XMLConstants.ACCESS_EXTERNAL_DTD, "");

    Transformer transformer = transformerFactory.newTransformer();
    transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION,
        "yes");
    transformer.transform(new DOMSource(dom), new StreamResult(
        outStream));
} catch (TransformerException e) {
    throw new GeneralSecurityException(
        DOM_DATA_WRITE_ERROR_MESSAGE, e);
} finally {
    closeQuietly(outStream);
}
This implementation restricts external DTD access but misses the companion setting that restricts external stylesheet access: transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

SAXReader
File: \evoting-solution-master\source-code\maven-generic-conf\extlibs\ec2-plugin\src\main\java\hudson\plugins\ec2\Eucalyptus.java
try {
    HttpsURLConnection con = (HttpsURLConnection) metadataUrl.openConnection();
    makeIgnoreCertificate(con);
    Document metadata = new SAXReader().read(con.getInputStream());
    this.ec2endpoint = readURLFromMetadata(metadata, "ec2");
    this.s3endpoint = readURLFromMetadata(metadata, "s3");
}
The SAXReader is instantiated with its default settings, without the features that disable DTDs and external entity resolution. A hardened parser sets them explicitly, as in this SAXBuilder example:

SAXBuilder builder = new SAXBuilder();
// Reject any DOCTYPE, so no entity declarations are processed at all.
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth: never resolve external general or parameter entities.
builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
Document doc = builder.build(new File(fileName));

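As an added example (not part of the advisory and not Scytl's code), the hardened counterpart of both findings in one class, using only the JDK's built-in DocumentBuilder and TransformerFactory rather than dom4j's SAXReader or JDOM's SAXBuilder; the class name HardenedXml and the sample documents are constructed for the check:

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public final class HardenedXml {
    /** Added example (not Scytl code): TransformerFactory with both external-access attributes cleared. */
    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // The attribute DomUtils.java leaves out: no external xsl:import/include or document().
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** DocumentBuilder with the three features the advisory lists for SAXBuilder. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return dbf.newDocumentBuilder();
    }

    static Document parse(String xml) throws Exception {
        return hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed check: any DOCTYPE, even one declaring only an internal entity, must be rejected.
        try {
            parse("<!DOCTYPE r [<!ENTITY g \"hi\">]><r>&g;</r>");
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
        // A plain document still parses and is serialised the way DomUtils.java does it.
        Transformer t = hardenedTransformerFactory().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        t.transform(new DOMSource(parse("<r>ok</r>")), new StreamResult(System.out));
    }
}
```

Run the class against the parser configuration actually used in production to confirm that a DOCTYPE is refused before any entity is expanded.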

The vulnerabilities have been confirmed by the vendor.
However, since these classes are not directly used in version 2.1, the software is not directly exploitable.
Further iterations might reuse this code or implement similarly unsafe coding practices, which would render the vulnerability exploitable.


Timeline

Date Event
February 08 2020 Submitted vulnerability to vendor
February 18 2020 Vendor acknowledged the vulnerability

Credits

Name Team
Anthony Schneiter SUID
Jannis Kirschner SUID