A hacker discovered a XXE flaw in the EpubCheck library that affects major epub services causing information disclosure and denial of service conditions.
The security expert and bug hunter Craig Arendt (@craig_arendt) has discovered flaws in major eBook readers including the ones commercialized by Amazon, Apple, and Google.
The expert discovered different XML external entity (XXE) vulnerabilities in the online epub ebook services that use leverages the ‘EpubCheck’ library. The library is used for the operations of format conversions into the universal Epub book format.
“Applying a familiar XXE pattern to exploit services & readers that consume the ePUB format. Exploiting vulnerabilities in EpubCheck <= 4.0.1 (ePub Validation Java Library & tool), Adobe Digital Editions <= 4.5.2 (book reader), Amazon KDP (Kindle Publishing Online Service), Apple Transporter, and Google Play Book uploads, etc.”
“ePub is a standard format for open books maintained by IDPF (International Digital Publishing Forum). IDPF is a trade and standards association for the digital publishing industry, set up to establish a standard for ebook publishing. Their membership list: http://idpf.org/membership/members” reads a blog post published by Arendt.
The researcher focused its tests the tool/Java library called EpubCheck (provided by IDPF) used to validate books in the ePub format. Publishers perform a validation step using the library to verify that the format is valid and Arendt discovered the XML external entity (XXE) issue.
“The validator tool (EpubCheck) was vulnerable to XXE, so any application that relies on a vulnerable version to check the validity of a book would be susceptible to this type of attack.” continues the analysis.
Arendt explained that in the case of Amazon, the KDP Kindle file upload service used to help publishers upload their books was affected by an XXE flaw that could be exploited by attackers to steal books and data.
A similar flaw affected the Apple Transporter service that ships books to the App Store.
“Parsing maliciously crafted EPUB may lead to disclosure of user information
Description: An information disclosure issue existed in the parsing of EPUB. This issue was addressed through improved parsing. CVE-2016-7666: Craig Arendt of Stratum Security” state the advisory published by Apple.
Arendt confirmed that during the test he accidentally grabbed the shadow password file for one of the epub services using the vulnerable EpubCheck library.
The Google Play Books service was not affected by the XXE flaw, but the expert discovered the possibility to trigger an XML Entity expansion flaw that could be exploited to cause denial of service through an explosive growth of parsed data.
“The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.” states the advisory published by the Mitre.org.
“If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.”
Similar problems affect other services that permit Java and Flash, Arendt will disclose further attacks once the vendors have fixed the vulnerabilities he reported.
All the vendors above have already applied the necessary security patches to the vulnerable epub services.