ID: SUID-2019-00003*
Product: Scytl Secure Vote (sVote)
Version: 2.1
Vulnerability: XXE

Description

Several XXE (XML External Entity) weaknesses were found while auditing the code.

TransformerFactory
File: /evoting-solution/source-code/scytl-cryptolib/cryptolib-asymmetric/src/main/java/com/scytl/cryptolib/asymmetric/utils/DomUtils.java
    // Write DOM data to output stream.
    try {
        TransformerFactory transformerFactory = TransformerFactory.newInstance();
        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        Transformer transformer = transformerFactory.newTransformer();
        transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        transformer.transform(new DOMSource(dom), new StreamResult(outStream));
    } catch (TransformerException e) {
        throw new GeneralSecurityException(DOM_DATA_WRITE_ERROR_MESSAGE, e);
    } finally {
        closeQuietly(outStream);
    }

This implementation misses an important setting:

    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
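The following is an added example, not code from the sVote code base, showing the audited method with the missing stylesheet restriction in place and the factory's secure-processing feature enabled as well. The class name SafeDomWriter, the helper newHardenedTransformerFactory() and the DOM_DATA_WRITE_ERROR_MESSAGE text are assumptions made for this illustration; the sample document built in main() is constructed in memory.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Document;
import org.w3c.dom.Element;

public final class SafeDomWriter {

    // Placeholder standing in for the project's own error message constant (assumption).
    private static final String DOM_DATA_WRITE_ERROR_MESSAGE = "Could not write DOM data";

    /** Builds a TransformerFactory that can reach neither external DTDs nor external stylesheets. */
    static TransformerFactory newHardenedTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Secure processing: the implementation applies its entity-expansion and resource limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list = no external DTD or external entity may be fetched.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // The setting the audited code lacks: also blocks xsl:import, xsl:include and document().
        // Note: a non-JDK TransformerFactory that does not know these attributes throws
        // IllegalArgumentException here, which is preferable to running without the restriction.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /** Serialises a DOM to the stream; mirrors the structure of the audited method. */
    static void writeDom(Document dom, OutputStream outStream) throws GeneralSecurityException {
        try {
            Transformer transformer = newHardenedTransformerFactory().newTransformer();
            transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
            transformer.transform(new DOMSource(dom), new StreamResult(outStream));
        } catch (TransformerException e) {
            // TransformerConfigurationException is a subclass, so factory setup errors land here too.
            throw new GeneralSecurityException(DOM_DATA_WRITE_ERROR_MESSAGE, e);
        } finally {
            try {
                outStream.close();
            } catch (IOException ignored) {
                // closeQuietly semantics: a failure to close must not mask the real outcome.
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a tiny DOM built in memory, so no file or network input is involved.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document dom = dbf.newDocumentBuilder().newDocument();
        Element root = dom.createElement("vote");
        root.setAttribute("id", "sample");
        dom.appendChild(root);

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        writeDom(dom, out);
        System.out.println(out.toString(StandardCharsets.UTF_8.name()));
    }
}
```

The two ACCESS_EXTERNAL_* attributes and FEATURE_SECURE_PROCESSING are independent controls: the DTD restriction covers entities resolved while parsing, the stylesheet restriction covers resources a stylesheet itself pulls in, and secure processing adds the implementation's size and expansion limits. Omitting any one of them leaves a path open that the other two do not close.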

SAXReader
File: \evoting-solution-master\source-code\maven-generic-conf\extlibs\ec2-plugin\src\main\java\hudson\plugins\ec2\Eucalyptus.java
    try {
        HttpsURLConnection con = (HttpsURLConnection) metadataUrl.openConnection();
        makeIgnoreCertificate(con);
        Document metadata = new SAXReader().read(con.getInputStream());
        this.ec2endpoint = readURLFromMetadata(metadata, "ec2");
        this.s3endpoint = readURLFromMetadata(metadata, "s3");
    }

The parser is instantiated with its default settings; the hardening that should accompany it (DOCTYPE and external entity resolution disabled) is missing. A configured builder looks like this:

    SAXBuilder builder = new SAXBuilder();
    builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
    builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    Document doc = builder.build(new File(fileName));
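Because the audited Eucalyptus code uses dom4j's SAXReader rather than JDOM's SAXBuilder, here is an added example (not code from the sVote project) applying the same features to a dom4j reader and checking its behaviour on constructed input. It assumes dom4j (org.dom4j) on the classpath; the class name SafeSaxReader, the helpers and both sample documents are assumptions made for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public final class SafeSaxReader {

    /** Returns a dom4j SAXReader that rejects DOCTYPEs and never resolves external entities. */
    static SAXReader newHardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Rejecting any DOCTYPE stops both external entity resolution and entity-expansion DoS.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a differently configured parser ignores the feature above.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    /** Parses metadata the way the audited code does, but through the hardened reader. */
    static Document readMetadata(InputStream in) throws SAXException, DocumentException {
        return newHardenedReader().read(in);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: ordinary metadata without a DOCTYPE parses normally.
        String benign = "<metadata><endpoint name=\"ec2\">https://ec2.example.invalid</endpoint></metadata>";
        Document ok = readMetadata(new ByteArrayInputStream(benign.getBytes(StandardCharsets.UTF_8)));
        System.out.println("ec2 endpoint: " + ok.getRootElement().elementText("endpoint"));

        // Constructed sample 2: any DOCTYPE at all is refused before a single entity can be declared.
        String withDoctype = "<!DOCTYPE metadata><metadata/>";
        try {
            readMetadata(new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (DocumentException e) {
            // dom4j wraps the underlying SAXParseException in a DocumentException.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Running the second sample is a cheap regression check for any code path that feeds network-sourced XML (such as the EC2 metadata endpoint here) into a parser: if a bare DOCTYPE is accepted, the hardening has not taken effect.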

The vendor has confirmed the vulnerabilities.
However, since the affected classes are not used directly in version 2.1, the software is not directly exploitable.
Future releases might reuse this code or adopt similarly unsafe coding practices, which would render the vulnerability exploitable.

Disclosure Timeline

Credit

Jannis Kirschner & Anthony Schneiter from Team SUID


*SUID IDs reference security issues and bad practices that are not necessarily exploitable but might still cause problems in certain scenarios.