Java's standard library hides a JIT compiler for processing untrusted XSLT programs. This vulnerability, CVE-2022-34169, was caused by an integer truncation bug in that JIT compiler. It allowed arbitrary code execution in Java-based web applications and identity providers that support SAML single sign-on.
XML signatures are widely used in SAML, a standard for authenticating users in web applications. SAML involves exchanging XML documents between the service provider (application) and identity provider (IdP). XML signatures ensure the integrity of these documents.
To verify XML signatures, the application must run attacker-controlled transforms on attacker-controlled input. One such transform is XSLT, a powerful XML programming language.
Java's implementation of XSLT uses a JIT compiler to execute XSLT programs. However, this JIT compiler had an integer truncation bug that could be exploited to gain arbitrary code execution.
The vulnerability was patched in July 2022 for OpenJDK and in September 2022 for Apache BCEL. While this specific issue is resolved, the researcher expects similar vulnerabilities in SAML implementations, given the inherent complexity of XML signature validation.
This vulnerability shows that code written in memory-safe languages can still have exploitable bugs, even though such bugs are far less frequent than memory safety issues in C or C++ codebases.
The validation process of XML signatures consists of two steps: reference validation and signature validation. In Java, signature validation is performed before reference validation, allowing attackers to bypass signature validation requirements.
XSLT transforms can be embedded in XML signatures, requiring the verifier to run the XSLT program on the referenced XML data. This opens up a potential attack surface for external attackers.
Java's XSLT implementation emits bytecode through the Apache BCEL library, which contained the vulnerable code. This vulnerability could have been exploited in Java applications that rely on SAML for authentication.
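As an added, defender-side illustration of the validation flow described above (this is not code from the Project Zero post), the Java check below refuses to validate an XML signature whose References or KeyInfo/RetrievalMethod carry an XSLT transform, and it switches on the JDK's secure validation mode before any transform can run. The class name, the input file and the pre-trusted key (for SAML, the IdP certificate from metadata) are assumptions.

```java
import java.io.File;
import java.security.Key;
import java.util.ArrayList;
import java.util.List;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.RetrievalMethod;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public final class XsltFreeSignatureCheck {
    // Fail closed if any Reference, or a RetrievalMethod inside KeyInfo, carries an XSLT
    // transform. This inspects the unmarshalled structure before validate() executes anything.
    static void rejectXsltTransforms(XMLSignature sig) {
        List<Transform> transforms = new ArrayList<>();
        for (Object r : sig.getSignedInfo().getReferences()) transforms.addAll(((Reference) r).getTransforms());
        if (sig.getKeyInfo() != null) {
            for (Object c : sig.getKeyInfo().getContent()) {
                if (c instanceof RetrievalMethod) transforms.addAll(((RetrievalMethod) c).getTransforms());
            }
        }
        for (Transform t : transforms) {
            if (Transform.XSLT.equals(t.getAlgorithm())) throw new SecurityException("rejected XSLT transform in XML signature");
        }
    }

    // Validates the single Signature element in 'xml' against a key the application already
    // trusts (assumed: e.g. the IdP certificate from metadata), never a key named inside the document.
    static boolean validate(File xml, Key trustedKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Document doc = dbf.newDocumentBuilder().parse(xml);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) throw new SecurityException("expected exactly one Signature element");
        DOMValidateContext ctx =
            new DOMValidateContext(KeySelector.singletonKeySelector(trustedKey), sigs.item(0));
        // JDK secure validation mode: rejects XSLT transforms among other restrictions.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        rejectXsltTransforms(sig); // explicit check, independent of the JDK setting
        return sig.validate(ctx);
    }
}
```

Because the key selector ignores KeyInfo entirely, no RetrievalMethod is dereferenced during key lookup, and the explicit transform check runs before validate() touches any Reference.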
googleprojectzero.blogspot.com