[Security] XSS in HelpModal leading to RCE via imported malicious data file #338

Closed
magicOz opened this issue Jun 21, 2020 · 4 comments · Fixed by #560
Labels: bug, fixed-vnext (Already fixed, close when vnext drops)

Comments


magicOz commented Jun 21, 2020

The help text-modal utilizes the React component attribute dangerouslySetInnerHTML when rendering the Info, Abuse Info, etc. texts. E.g.

    dangerouslySetInnerHTML={Abuse(
        sourceName,
        sourceType,
        targetName,
        targetType,
        targetId
    )}

This makes the application vulnerable to XSS unless the input parameters are properly sanitized/encoded.

It turns out that the parameter targetId (objectid) isn't encoded, and is reflected in multiple Abuse Info texts, making the application vulnerable.

    setTargetId(target.objectid);

Since BloodHound is built using Electron, it is possible to spawn child processes from an XSS vector, leading to an RCE vulnerability.

By getting the victim to import a malicious data graph file and clicking Help on an edge connected to a malicious node, the XSS payload will trigger.

To mitigate this, encoding objectid the same way the node labels are encoded should do the trick.

PoC (Windows):
I've attached a zip, graph.zip, containing a malicious file, graph.json. (You may need to unzip and manually import the JSON file.)

  1. Import the file graph.json into BloodHound.
  2. Click Help on the edge between NODE1@DOMAIN.COM and MALICIOUS@DOMAIN.COM.
  3. This should pop notepad.exe C:/windows/win.ini
magicOz changed the title from "XSS in HelpModal leading to RCE via imported malicious data file" to "[Security] XSS in HelpModal leading to RCE via imported malicious data file" on Jun 30, 2020

OS-WS commented Feb 21, 2021

Hi, is there any fix for this security issue?
If so, in what commit?

Thanks!


HHAC commented Jul 19, 2021

Following up on the previous question. Has this issue been resolved? If so, what commit should I be looking at?

Thank you!

rvazarkar added the bug label on Jan 11, 2022

ghost commented Jul 19, 2022

Is there a specific reason why the help texts for example in Abuse.jsx are templated strings, not JSX components?

rvazarkar (Contributor) commented

Mostly because it would take ages to convert them to JSX components at this point. I'm updating the code to encode all the variables passed to the help modal to prevent this for now. I've tested on the 4.2 branch with the PoC and it no longer works.

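The pattern the report describes (a help text built as a template string and handed to dangerouslySetInnerHTML with the objectid interpolated raw) and the fix the maintainer describes above (encode every variable passed to the help modal) side by side, as an added example. This is illustrative code, not BloodHound's own: the function names, the template text, the escapeHtml helper and the sample objectid are all constructed here.

```javascript
// Added example (not BloodHound's code): a template-string help text handed
// to dangerouslySetInnerHTML with one value left unencoded, beside a version
// that encodes every interpolated variable. Function names, template text
// and the sample objectid are constructed for illustration.

// Minimal HTML entity encoder for text placed into an HTML fragment.
// Encodes the five characters that can break out of text or attribute
// context; everything else passes through unchanged.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed objectid for a node in an attacker-supplied graph.json.
// A legitimate objectid is an identifier, not markup, so the importer has
// no reason to expect '<' or '"' here, which is exactly why it is missed.
const MALICIOUS_OBJECTID =
  'S-1-5-21-1-2-3-1105"><img src=x onerror="alert(document.domain)">';

// Vulnerable shape (mirrors the report): node names are encoded, the
// objectid is not, so markup inside it lands in the DOM as live HTML.
// In an Electron renderer that exposes Node APIs, an onerror handler can
// do far more than alert(), which is how the report escalates XSS to RCE.
function abuseVulnerable(sourceName, sourceType, targetName, targetType, targetId) {
  const html =
    `<p>${escapeHtml(sourceName)} (${sourceType}) can abuse ` +
    `${escapeHtml(targetName)} (${targetType}), objectid ${targetId}.</p>`;
  return { __html: html }; // the object shape dangerouslySetInnerHTML expects
}

// Hardened shape: every interpolated value goes through escapeHtml before
// it reaches the template, i.e. the maintainer's "encode all the variables"
// fix, without converting the text to JSX components.
function abuseHardened(sourceName, sourceType, targetName, targetType, targetId) {
  const [s, st, t, tt, id] =
    [sourceName, sourceType, targetName, targetType, targetId].map(escapeHtml);
  const html = `<p>${s} (${st}) can abuse ${t} (${tt}), objectid ${id}.</p>`;
  return { __html: html };
}

// Cheap regression check for a unit test: the rendered fragment must contain
// exactly the tags the template itself emits (here '<p>' and '</p>', so two
// '<' characters); any extra '<' means an interpolated value smuggled in markup.
function countTagOpeners(fragment) {
  return (fragment.__html.match(/</g) || []).length;
}

// Stand-alone demonstration with the node names from the report's PoC.
const demoArgs = ['NODE1@DOMAIN.COM', 'User', 'MALICIOUS@DOMAIN.COM', 'User', MALICIOUS_OBJECTID];
console.log('vulnerable tag count:', countTagOpeners(abuseVulnerable(...demoArgs))); // 3
console.log('hardened tag count:  ', countTagOpeners(abuseHardened(...demoArgs)));   // 2
```

The countTagOpeners check is deliberately dumb: because the template is a fixed string, the number of '<' in the output is known in advance, so it catches a new unencoded variable the moment someone adds one, without needing a browser or a DOM.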

rvazarkar added the fixed-vnext (Already fixed, close when vnext drops) label on Aug 1, 2022
4 participants