Tuxguitar Guitar Pro



TuxGuitar Community: share your tablatures, get ranked, listen to other people's tabs, rank them, launch TuxGuitar online, use our ultimate TuxGuitar applet. There's a Guitar Tab of Goodbye Blue Sky; this is a very beautiful song, and the composition is no exception. The tuning is written in the name of the track; hope you like it. TuxGuitar is a multitrack guitar tablature editor and player written in Java-SWT. It can open GuitarPro, PowerTab and TablEdit files, and export to standard file formats such as MIDI and LilyPond.

Editing sheet music has never been easier

Guitar Pro allows you to edit your music scores and tablature for guitar, bass, and ukulele, as well as create backing tracks for drums or piano. This is a most thorough yet user-friendly tool for musicians who wish to get better, compose, or simply play along. Download our free trial and start editing your own music.

Guitar Pro features

Guitar Pro 7.5, a major step forward

This new version is free for Guitar Pro 7 users. Opening tool windows by clicking on the score, a file explorer, tablature editing for 9- and 10-string guitars, mySongBook integration, a batch conversion tool, improved MIDI import, better orchestral soundbanks, an enhanced drums view – discover the many new features of this update.

See what's new in Guitar Pro 7.5

The library of music scores created by Guitar Pro

mySongBook brings you over 2,000 Guitar Pro transcriptions of your favorite songs available directly in the Guitar Pro software. You can shop for music scores by the unit or with our full access subscription that allows you to collect files from the entire library.

Browse the music scores

Our commitments

The Guitar Pro team is committed to assisting you.


TuxGuitar is an open-source tablature player and editor that supports many different file formats, including Guitar Pro's proprietary formats. As I play the guitar from time to time and use TuxGuitar for practice and for learning songs, I couldn't resist peeking into it. Looking at the source code, I noticed uses of XML parsers without any anti-XXE configuration. I decided to dig in and find out whether this is exploitable.

One of the occurrences led me to the GPXDocumentReader class. A quick look revealed that this class is responsible for parsing GP6 and GP7 (also called GP), the two newest Guitar Pro formats. Both are archives containing XML documents, but compressed with different algorithms. GP6 is based on BCFZ, which was unfamiliar to me, while GP7 is just a zip, so my choice for further analysis was obvious. At that point I wanted to learn what the GP7 structure looks like. Instead of reading the code and re-creating the archive by hand, I wanted to find an existing file and decompress it. Unfortunately, TuxGuitar doesn't support exporting to this format, and because the format is quite new it was hard to find any example on the Internet (all tablatures I found were saved in older formats). So I used a trial of Guitar Pro to create a very simple tablature and save it in the desired format. Finally, I was able to unzip it and look at its contents:


The GPXFileSystem and GPXInputStream classes told me that Content/score.gpif is the XML file I would want to alter.

I opened the file, inserted an out-of-band file-stealing payload (lines 2-6 and 8 are added by me) and saved the changes.

On my second machine I prepared the second part of the payload, ev1.dtd, which steals the content of /etc/hostname, and served it using Python's built-in HTTP server.

Finally, I loaded the tablature and received the stolen file:

There are two drawbacks that impede exploitation:

  1. After opening a malicious file, the application starts reporting a lot of parsing-related errors. This makes the whole attack noisy, and users will definitely notice that something is wrong.
  2. Because of how Java creates URLs, it's impossible to steal files containing newline characters.

Nonetheless, this vulnerability can be exploited to steal some local files, perform SSRF attacks against users’ internal services, or to leak users’ IP addresses. For many users, the whole idea of using this application is to use tablatures prepared by others and downloaded from the Internet, so it is not unlikely to encounter a malicious one.


Fix

According to the OWASP XXE Prevention Cheat Sheet, this problem can be solved by configuring the parser properly: disallowing DOCTYPE declarations and, as defence in depth, disabling external general and parameter entities and external DTD loading.


Submission


This vulnerability was initially reported on the project's private issue tracker on 15.05.2020. It was then resubmitted publicly: