Skip to content

XML external entity (XXE) vulnerability: Out-of-Band XXE in SSDP Processing #8

New issue
New issue
Open
Open
XML external entity (XXE) vulnerability: Out-of-Band XXE in SSDP Processing#8
@Sami32

Description

@Sami32
Sami32
opened on Sep 21, 2018

The XML parser don't disable the inline DTDs parsing by default or do not provide a mean to disable it AFAIK.

The XML parsing engine in SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to:

  • Access arbitrary files from the filesystem with the same permission as the user account running UMS.
  • Initiate SMB connections to capture NetNTLM challenge/response and crack to clear-text password.
  • Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

Exploitation can be demonstrated using evil-ssdp (https://gitlab.com/initstring/evil-ssdp).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions