XML external entity (XXE) vulnerability: Out-of-Band XXE in SSDP Processing

[Sami32]

The XML parser don't disable the inline DTDs parsing by default or do not provide a mean to disable it AFAIK.

The XML parsing engine in SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to:

• Access arbitrary files from the filesystem with the same permission as the user account running UMS.
• Initiate SMB connections to capture NetNTLM challenge/response and crack to clear-text password.
• Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

Exploitation can be demonstrated using evil-ssdp (https://gitlab.com/initstring/evil-ssdp).

[Sami32]

https://github.com/4thline/seamless/issues/9

[DrPoohXi]

老哥，那到底能不能使用啊