LocalS3 XML External Entity Injection Vulnerability Allowing Server-Side Request Forgery
Vulnerability
A vulnerability in LocalS3, an Amazon S3 mock service, prior to version 1.21, allows XML External Entity (XXE) injection during bucket creation. The service's XML parser, when handling the CreateBucketConfiguration document, is configured to resolve external entities. This lets an attacker declare an external entity that points to an internal URL, which the server fetches while parsing the XML. The flaw lies in the location constraint processing, where the parser does not restrict external entities. Exploiting it leads to server-side request forgery (SSRF), giving access to internal services or resources that should be unreachable from external networks. The responses to these internal requests are stored in the bucket configuration, potentially leaking sensitive information.
Impact
Exploitation of this vulnerability allows unauthenticated attackers to induce the server to make HTTP requests to internal networks and services, which could expose sensitive information or facilitate further attacks on internal systems. The only requirement for exploitation is the ability to send HTTP requests to the LocalS3 service.
Reproduction
To reproduce this vulnerability, create an XML document that includes an external entity declaration pointing to an internal target. Then, send a PUT request to create a new bucket with this configuration. After the bucket is created, retrieve the bucket location to see the resolved entity content. The server processes the XML, resolves the external entity by requesting the internal URL, and includes the response in the bucket's location constraint, which can be accessed through the bucket location endpoint.
Remediation
Users are advised to update to LocalS3 version 1.21 or later, where this vulnerability has been addressed. For those unable to update, consider disabling external entity processing in the XML parser, implementing input validation to reject XML documents with DOCTYPE declarations or external entity references, or using a different XML parser that does not process external entities by default.
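The two parser-side mitigations above (rejecting DOCTYPE declarations and entity references before parsing, and not expanding external entities) as an added stand-alone example; this is not LocalS3's own code. It also validates that the extracted LocationConstraint looks like a region token, so a fetched response body could never be stored as the bucket location. The region pattern and the request bodies are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

class UnsafeXml(ValueError):
    """Body uses XML constructs the S3 CreateBucket request never needs."""

# Layer 1: the request schema has no use for a DTD or custom entities, so refuse
# them before any parser sees the document (the advisory's "reject DOCTYPE" option).
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# Any entity reference other than the five predefined ones or a character reference.
_CUSTOM_ENTITY = re.compile(rb"&(?!(?:amp|lt|gt|quot|apos|#[0-9]+|#x[0-9A-Fa-f]+);)[^;\s<]+;")
# Layer 2: a region is a short token; a fetched HTTP response is not (pattern assumed).
_REGION = re.compile(r"[A-Za-z0-9-]{1,32}")

def reject_dtd_and_entities(body: bytes) -> None:
    if _DOCTYPE.search(body):
        raise UnsafeXml("DOCTYPE declarations are not accepted")
    if _CUSTOM_ENTITY.search(body):
        raise UnsafeXml("custom entity references are not accepted")

def parse_location_constraint(body: bytes) -> "str | None":
    """Return the requested region, or None when none is given (default region)."""
    if not body.strip():
        return None
    reject_dtd_and_entities(body)
    # ElementTree's expat parser installs no external-entity handler, so it fetches
    # nothing even if a DTD got this far; layer 1 still yields a clear rejection.
    root = ET.fromstring(body)
    if root.tag not in (S3_NS + "CreateBucketConfiguration", "CreateBucketConfiguration"):
        raise UnsafeXml("unexpected root element %r" % root.tag)
    node = root.find(S3_NS + "LocationConstraint")
    if node is None:
        node = root.find("LocationConstraint")
    region = (node.text or "").strip() if node is not None else ""
    if not region:
        return None
    if not _REGION.fullmatch(region):
        raise UnsafeXml("LocationConstraint is not a region name")
    return region

# Constructed request bodies for demonstration (not taken from the project).
BENIGN_BODY = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b'<CreateBucketConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
               b'<LocationConstraint>eu-west-1</LocationConstraint></CreateBucketConfiguration>')
# The shape the advisory describes; the URL is a placeholder and is never fetched.
XXE_BODY = (b'<?xml version="1.0"?><!DOCTYPE CreateBucketConfiguration ['
            b'<!ENTITY loc SYSTEM "http://internal.example/">]><CreateBucketConfiguration>'
            b'<LocationConstraint>&loc;</LocationConstraint></CreateBucketConfiguration>')
```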