[EN] A-Z: TuxGuitar - stealing local files (XXE)
TuxGuitar is an open-source tablature player and editor that supports many different file formats, including Guitar Pro's proprietary formats. As I play the guitar from time to time and use TuxGuitar for practice and learning songs, I couldn't resist peeking into it. Looking at the source code, I noticed uses of XML parsers without anti-XXE configuration. I decided to dig in to find out whether it is exploitable.
One of the occurrences led me to the GPXDocumentReader class. A quick look through revealed that this class is responsible for parsing GP6 and GP7 (also called GP), the two newest Guitar Pro formats. Both of them are archives containing XML documents, but compressed using different algorithms. GP6 is based on BCFZ, which was unfamiliar to me, and GP7 is just a zip, so my choice for further analysis was obvious. At that moment I wanted to learn what the GP7 structure looks like. Instead of reading the code and re-creating the archive, I wanted to just find any already existing file and decompress it. Unfortunately, TuxGuitar doesn't support exporting to this format, and as this format is quite new, it was hard to find any occurrence on the Internet (all tablatures I found were saved in older formats). So I used a trial of Guitar Pro to create a very simple tablature and save it in the desired format. Finally, I was able to unzip it and look at its contents:
The GPXInputStream classes gave me the information that Content/score.gpif is an XML file I may want to alter.
I opened the file, put an OOB file-stealing payload into it (lines 2-6 and 8 are added by me) and saved the changes.
On my second machine I prepared the second part of the payload, ev1.dtd, stealing the content of and served it using Python's embedded HTTP server.
There are two drawbacks that impede exploitation:
- After opening a malicious file, the application starts reporting a lot of parsing-related errors. This makes the whole attack noisy, and users will definitely see that something is wrong.
- Because of how Java creates URLs, it's impossible to steal files containing newline characters.
Nonetheless, this vulnerability can be exploited to steal some local files, perform SSRF attacks against users' internal services, or leak users' IP addresses. For many users, the whole point of using this application is to play tablatures prepared by others and downloaded from the Internet, so encountering a malicious one is not unlikely.
According to the OWASP XXE Prevention Cheat Sheet, this problem can be solved by proper configuration of the parser.
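As an added illustration of that fix (my own example, not TuxGuitar's code), here is a DocumentBuilderFactory configured the way the OWASP cheat sheet recommends, fed a constructed score.gpif-like document that carries an external entity; the class name, the sample XML and the hypothetical entity target are all my own assumptions.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedGpifParser {

    // Constructed sample: a minimal score.gpif-like document whose DOCTYPE
    // declares an external entity. Not a real GP7 file; it only stands in for
    // the kind of input a tampered tablature would carry.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE GPIF [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<GPIF><Score><Title>&ext;</Title></Score></GPIF>";

    // Constructed sample: the same structure without any DOCTYPE.
    static final String SAMPLE_CLEAN =
        "<?xml version=\"1.0\"?><GPIF><Score><Title>Demo</Title></Score></GPIF>";

    /** Factory configured as the OWASP XXE Prevention Cheat Sheet recommends. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: a score.gpif never needs one, and this
        // single feature blocks external entities and entity-expansion DoS alike.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Returns the Title text, or null when the hardened parser rejects the document. */
    static String parseTitle(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc.getElementsByTagName("Title").item(0).getTextContent();
        } catch (SAXParseException e) {
            // The DOCTYPE is refused before any entity could be resolved or fetched.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("clean: " + parseTitle(SAMPLE_CLEAN));
        System.out.println("with DOCTYPE: " + parseTitle(SAMPLE_WITH_DOCTYPE));
    }
}
```

The clean sample parses normally, while the DOCTYPE-bearing one is rejected at parse time, so neither the local file nor any remote DTD is ever read.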
This vulnerability was initially reported on the project's private issue tracker on 15.05.2020 and then resubmitted publicly: