In late 2022, a subtle but potentially serious vulnerability was uncovered in a widely used Java utility library, Codehaus-Plexus, specifically in the XML utilities it provides. This flaw, tracked as CVE-2022-4245, has the potential to enable XML injection attacks under the right circumstances. Let’s break down what happened, why it matters, look at code examples, and see how it can be exploited.

What Is Codehaus-Plexus?

Codehaus-Plexus is a set of Java utilities used by many Apache Maven components and open-source projects. The flaw impacts its XML utilities, particularly the class org.codehaus.plexus.util.xml.XmlWriterUtil.

What’s the Vulnerability? (CVE-2022-4245)

The vulnerability exists in the method XmlWriterUtil#writeComment. This is a helper method for writing XML comments like:

<!-- user comment goes here -->

According to the XML specification, the double-dash sequence (--) is not allowed inside an XML comment, and --> terminates it. A comment containing either makes the document ill-formed or ends the comment early, so a parser treats whatever follows as ordinary markup. The writeComment method simply drops the user-provided comment string into the XML without checking for --> or -- inside it. An attacker can therefore craft input so the comment "breaks out" and injects raw XML or data.

Let's look at a simplified and vulnerable version of the method:

import java.io.IOException;
import java.io.Writer;

// Simplified form of the flaw: the comment body is written verbatim.
public static void writeComment(Writer writer, String comment) throws IOException {
    writer.write("<!-- ");
    writer.write(comment);
    writer.write(" -->");
}

It just dumps whatever you give it, without checks.

Suppose you have this user input:

Smith --> <malicious>gotcha!</malicious><!--

What actually gets written to the XML file?

<!-- Smith --> <malicious>gotcha!</malicious><!-- -->

Now the comment is broken, and real XML (<malicious>gotcha!</malicious>) is injected "outside" the comment! Any XML parser reading this will process the injected tag.

Why Is This a Problem? (Risk Details)

- XML Injection: Attackers could inject new tags or elements, potentially subverting logic, breaking schemas, or injecting scripts in some contexts.
- Application-Specific Impact: In applications where user comment data is later consumed by logic assuming it's all commented-out, an attacker could reactivate disabled tags, cause denial of service, or leak data.
- Secondary Attacks: XML injection might be combined with other vulnerabilities (XML External Entity injection, for example).

Step-by-Step Exploit

1. Find an endpoint or function that uses XmlWriterUtil#writeComment (or similar) with untrusted user input.

2. Supply a comment that closes the comment early and appends markup, for example:

harmless --> <peekaboo>INJECTED!</peekaboo><!--

Here's a tiny Java program demonstrating the issue:

import java.io.StringWriter;

public class PlexusXmlCommentVulnDemo {
    public static void main(String[] args) throws Exception {
        String userInput = "harmless --> <peekaboo>INJECTED!</peekaboo><!--";
        StringWriter writer = new StringWriter();
        writer.write("<!-- ");
        writer.write(userInput);
        writer.write(" -->");
        System.out.println(writer.toString());
    }
}

Output:

<!-- harmless --> <peekaboo>INJECTED!</peekaboo><!-- -->

How to Fix It

Defensive coding means never outputting unsafe strings to places like XML comments!

Correct way: Escape -- sequences or reject input containing it.

Here's a quick fix idea for the writeComment method:

import java.io.IOException;
import java.io.Writer;

// Reject rather than repair: any "--" in the body is invalid and could form "-->".
public static void writeCommentSafe(Writer writer, String comment) throws IOException {
    if (comment.contains("--")) {
        throw new IllegalArgumentException("Comment contains illegal XML comment sequence '--'");
    }
    writer.write("<!-- ");
    writer.write(comment);
    writer.write(" -->");
}

Or you can sanitize. Loop rather than replace once, because a single replace on an odd run such as --- leaves - -- behind, which still contains the illegal sequence:

while (comment.contains("--")) {
    comment = comment.replace("--", "- -");
}
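To show the injection and the fix end to end, here is an added example that is not part of the original write-up or of the Plexus code. It wraps the comment in a hypothetical <config> root element, writes it with both the vulnerable and the hardened method, and then asks a real DOM parser how many <malicious> elements it sees; a non-zero count means the comment was escaped.

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.io.Writer;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XmlCommentInjectionCheck {

    // Mirrors the flaw: the comment body is written verbatim.
    static void writeCommentUnsafe(Writer w, String comment) throws IOException {
        w.write("<!-- ");
        w.write(comment);
        w.write(" -->");
    }

    // Hardened: collapse every "--" in a loop, since one pass over "---"
    // leaves "- --" and would still let the body end the comment.
    static void writeCommentSafe(Writer w, String comment) throws IOException {
        String body = comment;
        while (body.contains("--")) {
            body = body.replace("--", "- -");
        }
        w.write("<!-- ");
        w.write(body);
        w.write(" -->");
    }

    // Builds a hypothetical <config> document around the comment and counts the
    // <malicious> elements a DOM parser actually finds. DTDs are disallowed so the
    // check itself cannot be turned into the XXE follow-on the article mentions.
    static int countInjectedElements(String comment, boolean safe) throws Exception {
        StringWriter w = new StringWriter();
        w.write("<config>");
        if (safe) writeCommentSafe(w, comment); else writeCommentUnsafe(w, comment);
        w.write("</config>");
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(w.toString())));
        return d.getElementsByTagName("malicious").getLength();
    }

    public static void main(String[] args) throws Exception {
        String payload = "Smith --> <malicious>gotcha!</malicious><!--"; // constructed sample input
        System.out.println("unsafe writer, injected elements: " + countInjectedElements(payload, false));
        System.out.println("safe writer,   injected elements: " + countInjectedElements(payload, true));
    }
}
```

The unsafe path yields a well-formed document with the injected element as a child of <config>; the safe path keeps the whole payload inside a single comment.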

Official References

- NVD entry for CVE-2022-4245
- Codehaus Plexus GitHub
- XML Comment Syntax (W3C spec)

Conclusion

CVE-2022-4245 is a reminder that the smallest oversight in string handling, especially in libraries used for XML/HTML or config files, can open the door for injection attacks. All it takes is one unescaped sequence and careful attackers could slip malicious payloads past your system’s defenses.

If your project (or your dependencies) uses Plexus Utils for XML writing, check your versions and sanitize all inputs to writeComment. Don’t let an innocent-looking comment be the way someone gets inside your app!

Timeline

Published on: 09/25/2023 20:15:00 UTC
Last modified on: 10/02/2023 19:27:00 UTC