XML Notepad DTD Processing Vulnerability Allowing XXE Injection and Outbound Requests
Vulnerability
A vulnerability in XML Notepad prior to version 2.9.0.21 allows XML External Entity (XXE) injection because Document Type Definition (DTD) processing is enabled by default. An attacker can craft a malicious XML file that, when opened in XML Notepad, causes the application to make unintended outbound HTTP or SMB requests. Such requests can leak local file contents or expose NTLM credentials. The vulnerability arises from the automatic resolution of external entities declared in DTDs, creating a risk of unauthorized data access or transmission.
Impact
Exploitation of this vulnerability could result in unauthorized exfiltration of local files, capture of NTLM credentials through forced SMB authentication to an attacker-controlled server, or server-side request forgery (SSRF) against internal network services, particularly if the victim is on a corporate network.
Reproduction
To reproduce this vulnerability, create an XML file named 'bait.xml' whose DTD declaration references a malicious DTD file hosted on an external server. When this file is opened in XML Notepad, the application processes the DTD and makes an outbound request to the referenced URL, demonstrating that external DTD references are resolved. Additionally, the 'DtdEntityExplosion.xml' sample included with the vulnerability report illustrates the impact of a DTD that causes excessive memory usage, potentially leading to a denial of service.
Remediation
Users are advised to update to XML Notepad version 2.9.0.21, where this vulnerability has been addressed. In the updated version, the default DTD processing setting has been changed to 'Ignore DTD=True', and users are directed to the documentation describing the risks of enabling DTD processing for files from untrusted sources.
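As an added illustration, not XML Notepad's own code, the .NET XmlReaderSettings that the weak default and the hardened 'Ignore DTD=True' default correspond to (the mapping to the project's internals is an assumption); the XML sample and the host name in it are constructed placeholders.

```csharp
using System;
using System.IO;
using System.Xml;

static class DtdSettingsDemo
{
    // Constructed sample, not from the report: the DOCTYPE points at an external
    // DTD on a placeholder host. In the hardened path nothing is ever contacted.
    const string Sample =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note SYSTEM \"http://dtd.example.invalid/remote.dtd\">\n" +
        "<note>hello</note>";

    // Behaviour the advisory describes for versions before 2.9.0.21 (assumed to
    // map to these settings): the DOCTYPE is parsed and the resolver fetches it.
    static XmlReaderSettings WeakSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Parse,
        XmlResolver = new XmlUrlResolver(),
    };

    // Equivalent of the new default "Ignore DTD=True": the DOCTYPE is skipped
    // entirely, and with no resolver no external reference can be fetched even
    // if some later code path re-enables DTD parsing.
    static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Ignore,
        XmlResolver = null,
    };

    // Reads the document and returns its root element name, or the parser error.
    static string RootElement(string xml, XmlReaderSettings settings)
    {
        try
        {
            using var reader = XmlReader.Create(new StringReader(xml), settings);
            while (reader.Read())
                if (reader.NodeType == XmlNodeType.Element) return reader.Name;
            return "(no element)";
        }
        catch (XmlException e) { return "XmlException: " + e.Message; }
    }

    static void Main()
    {
        // Hardened: the external DTD is ignored and the document still loads ("note").
        Console.WriteLine(RootElement(Sample, HardenedSettings()));
        // WeakSettings() is defined for contrast only and is deliberately not run here.
    }
}
```

DtdProcessing.Prohibit would instead reject the document with an XmlException, which is the stricter choice for code paths where a DOCTYPE is never expected.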
