DroidDLNA

XML external entity (XXE) vulnerability: Out-of-Band XXE in SSDP Processing

Open Sami32 opened this issue 7 years ago • 2 comments

The XML parser doesn't disable inline DTD parsing by default, or does not provide a means to disable it AFAIK.

The XML parsing engine in SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to:

  • Access arbitrary files from the filesystem with the same permission as the user account running UMS.
  • Initiate SMB connections to capture the NetNTLM challenge/response and crack it to a clear-text password.
  • Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

Exploitation can be demonstrated using evil-ssdp (https://gitlab.com/initstring/evil-ssdp).

Sami32 Sep 21 '18 17:09
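Added example, not part of the issue thread and not code from DroidDLNA or seamless: one way to configure a JAXP `DocumentBuilderFactory` so that a device descriptor carrying an inline DTD is rejected before any entity is resolved. It assumes a standard JDK JAXP parser; the class name and both sample documents are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical class name; not part of DroidDLNA or seamless.
public class HardenedDescriptorParser {

    // Refuse any DOCTYPE and external entities. setFeature throws if the parser
    // does not recognise a feature, so an unsupported parser fails closed.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns the friendlyName text; throws SAXException if the document is rejected.
    static String friendlyName(String xml) throws Exception {
        Document d = hardenedFactory().newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagNameNS("*", "friendlyName").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        String open = "<?xml version=\"1.0\"?>";
        String body = "<root xmlns=\"urn:schemas-upnp-org:device-1-0\"><device><friendlyName>";
        String close = "</friendlyName></device></root>";
        // Constructed descriptor without a DTD: parses normally.
        String plain = open + body + "Sample renderer" + close;
        // Constructed descriptor with an inline DTD that declares only an internal entity.
        String withDtd = open + "<!DOCTYPE root [<!ENTITY label \"x\">]>" + body + "&label;" + close;

        System.out.println("plain: " + friendlyName(plain));
        try {
            friendlyName(withDtd);
            System.out.println("inline DTD: accepted (parser is not hardened)");
        } catch (SAXException e) {
            System.out.println("inline DTD: rejected: " + e.getMessage());
        }
    }
}
```

Because a parser that lacks one of these features raises `ParserConfigurationException` instead of silently ignoring the setting, a caller can tell an unhardened parser from a hardened one at start-up.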

https://github.com/4thline/seamless/issues/9

Sami32 Sep 25 '18 21:09

Bro, so can it actually be used or not?

DrPoohXi Jun 26 '20 09:06