
CVE-2019-1698 PoC — Cisco IoT Field Network Director XML External Entity Vulnerability

Associated Vulnerability
Title: Cisco IoT Field Network Director XML External Entity Vulnerability (CVE-2019-1698)
Description: A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by importing a crafted XML file with malicious entries, which could allow the attacker to read files within the affected application. Versions prior to 4.4(0.26) are affected.
Readme
# CVE-2019-1698
- Compare the vulnerable version of the code with the version that contains the fix:

**Code reference 1:** <https://plugins.trac.wordpress.org/changeset/3040809/notificationx/trunk/includes/Core/Rest/Analytics.php>
![image](https://github.com/user-attachments/assets/1922c3f4-7443-4723-b3d2-6aee7adc4510)


**Code reference 2:** <https://plugins.trac.wordpress.org/changeset/3040809/notificationx/trunk/includes/Core/Database.php>
![image](https://github.com/user-attachments/assets/715b4747-46ed-42d8-8112-be2a5d64a705)


Therefore, the following file is relevant to this CVE:

```
wp-content/plugins/notificationx/includes/Core/Rest/Analytics.php
```
Now let's look at the file that may contain the vulnerable code:
![image](https://github.com/user-attachments/assets/6001cf4f-fbba-4686-a418-835e4219c04a)
Focus on the `insert_analytics()` function:
![image](https://github.com/user-attachments/assets/e6451538-1939-42c2-ad64-b439e4b51fc1)
It receives the `$request` (coming from the user) and extracts the `type` parameter.

This value is then passed to the `CoreAnalytics::get_instance()->insert_analytics()` function:
![image](https://github.com/user-attachments/assets/e610daf2-bc69-4a4d-b4e5-12d360d2fcc1)

To reach this code, note the route registered in the `Analytics` class, inside the `register_routes()` function:

```
$this->namespace . '/' . $this->rest_base
```

And the constructor for the `Analytics` class reveals the values for the `namespace` and `rest_base` variables:

```
public function __construct() {
	$this->namespace = 'notificationx/v1';
	$this->rest_base = 'analytics';
	add_action('rest_api_init', [$this, 'register_routes']);
}
```

So the relevant (vulnerable) code that accepts the user-supplied `type` parameter can be reached via the following route:

```
notificationx/v1/analytics
```
But how is this exploited, and where is the SQL query that the injection reaches?

Since the user-supplied `type` parameter is passed to:

```
CoreAnalytics::get_instance()->insert_analytics( absint( $params['nx_id'] ), $type );
```

Locating this function:

![image](https://github.com/user-attachments/assets/f2ec69d3-f2f6-47aa-b523-b1a36970a386)
Let's look at this function's code in the highlighted file:

`wp-content/plugins/notificationx/includes/Core/Analytics.php`:
![image](https://github.com/user-attachments/assets/f97acfc4-2865-4869-bb81-93b7aa7d767e)

If you are thinking that the vulnerability lies in the `increment_count()` function, then you are absolutely on the right track!

Here is the `increment_count()` function, which receives the user-controlled `$type` parameter:
![image](https://github.com/user-attachments/assets/3944bf4e-b9f9-4fca-a95c-b5b4d5bebf47)

This function in turn calls `update_analytics()`. Let's look at it:
![image](https://github.com/user-attachments/assets/7627a8fb-0d9a-42c8-bf5e-28f4718474ce)

![image](https://github.com/user-attachments/assets/5a15a5ef-594b-4f20-a990-d2ec63044c98)
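The root cause in the chain above is that a user-controlled `type` value travels from the REST request down to the SQL layer unchecked. As an added illustration (not the plugin's own code, and not the fix shipped in the changeset linked above), here is how that parameter can be pinned to a fixed allow-list at the route boundary so the user value itself never reaches a query; the column map, table name and permission callback are assumptions.

```php
<?php
// Added example (hypothetical): hardening the `type` parameter of the
// notificationx/v1/analytics route. Not the plugin's own code.

// Fixed map from the public `type` value to the column it updates.
// Only these keys are accepted, and only the mapped column name is used in SQL.
const NX_ANALYTICS_COLUMNS = [
    'views'  => 'views',
    'clicks' => 'clicks',
];

// REST arg validator: rejects anything outside the allow-list before the
// callback runs (wired in via the `args` of register_rest_route()).
function nx_validate_type( $value ) {
    return is_string( $value ) && array_key_exists( $value, NX_ANALYTICS_COLUMNS );
}

// Route registration with server-side validation of both parameters.
function nx_register_analytics_route() {
    register_rest_route( 'notificationx/v1', '/analytics', [
        'methods'             => 'POST',
        'callback'            => 'nx_insert_analytics',
        // Assumption: the real endpoint's authorization check is not shown on this page.
        'permission_callback' => '__return_true',
        'args'                => [
            'nx_id' => [ 'required' => true, 'sanitize_callback' => 'absint' ],
            'type'  => [ 'required' => true, 'validate_callback' => 'nx_validate_type' ],
        ],
    ] );
}
add_action( 'rest_api_init', 'nx_register_analytics_route' );

// Callback: the column comes from the trusted map, the id is bound with prepare().
function nx_insert_analytics( WP_REST_Request $request ) {
    global $wpdb;
    $nx_id  = absint( $request['nx_id'] );
    $column = NX_ANALYTICS_COLUMNS[ $request['type'] ]; // validated by nx_validate_type()
    $table  = $wpdb->prefix . 'nx_stats';               // assumed table name
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$table} SET {$column} = {$column} + 1 WHERE nx_id = %d",
        $nx_id
    ) );
    return rest_ensure_response( [ 'success' => true ] );
}
```

A request with any `type` outside the map is rejected by the REST layer with a 400 before the callback runs, which is also a convenient point to log such attempts for detection.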