This is used for verification purposes while testing the vulnerability. Accesses an HTTP server at the $localIp variable. This allows us to collect or relay the NetNTLM challenge/response.Ģ. Accesses the SMB share running at the $smbServer variable. When Vuze parses this, it does two things:ġ. The POC used to prove this vulnerability (POC 1 below) contained the following XML content: This is expected behaviour for SSDP/UPNP.īy hosting a specially crafted XML file at that location, we can force Vuze to do several things. Vuze will automatically access the Device Descriptor over HTTP, parsing the XML content. When we do this, we provide the location of an XML file containing more information about our device. We can reply to that UDP multicast directly on the same port that the request initiated from, informing this client that we have a shared device. This is the first step in finding and adding Universal Plug and Play (UPNP) devices. The discovery process is handled by Simple Service Discovery Protocol (SSDP), which sends a UDP multicast out to 239.255.255.250 on port 1900. Vuze, like many other media servers, will attempt to discover other devices on a local network. Vuze version affected: Tested on 5.7.6.0 (current as of July 2018). Operating Systems affected: Verified Windows 10 (likely all versions) Impact: Information disclosure up to code executionĪffected component: Vuze Bittorrent Client's SSDP discovery / XML parsing Multiple attempts to contact Vuze team resulted in no replies. Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.Įxploitation can be demonstrated using evil-ssdp (). Initiate SMB connections to capture NetNTLM challenge/response and crack to clear-text password. Access arbitrary files from the filesystem with the same permission as the user account running Vuze. Unauthenticated attackers on the same LAN can use this vulnerability to: The XML parsing engine for Vuze Bittorrent Client's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Issue: Out-of-Band XXE in Vuze Bittorrent Client's SSDP Processing
0 Comments
Leave a Reply. |