Since BloodHound is built using Electron, it is possible to spawn child processes from an XSS vector - leading to an RCE vulnerability.
By getting the victim to import a malicious data graph file and clicking Help on an edge connected to a malicious node, the XSS payload will trigger.
To mitigate this, encoding objectid the same way the node labels are encoded should do the trick.
PoC (Windows):
I've attached a zip, graph.zip, containing a malicious file, graph.json. (You may need to unzip and manually import the JSON file.)
Import the file graph.json into BloodHound.
Click Help on the edge between NODE1@DOMAIN.COM and MALICIOUS@DOMAIN.COM.
This should pop notepad.exe C:/windows/win.ini.
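The fix the report asks for (encode objectid the way the node labels are already encoded), shown as an added JavaScript example that is not BloodHound's own code: a small HTML entity encoder, the unsafe and the hardened way of building the markup string that a help modal would hand to dangerouslySetInnerHTML, and a check a unit test can run over the rendered string to catch any tag that did not come from the template itself. The function names, the template wording and the sample objectid are constructed for this example.

```javascript
// Added example (not BloodHound's code): encoding untrusted graph fields
// before they are interpolated into markup rendered via dangerouslySetInnerHTML.

// Minimal HTML entity encoder for the characters that matter in element
// content and in double- or single-quoted attribute values.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: the objectid taken from the imported graph file is
// interpolated raw into the string that will become innerHTML.
function abuseInfoVulnerable(sourceName, targetId) {
  return `<p>${encodeHtml(sourceName)} has GenericAll on <code>${targetId}</code>.</p>`;
}

// Hardened pattern: every value that originates in the data file is encoded.
// In React this string would be passed as dangerouslySetInnerHTML={{ __html: ... }}.
function abuseInfoHardened(sourceName, targetId) {
  return `<p>${encodeHtml(sourceName)} has GenericAll on <code>${encodeHtml(targetId)}</code>.</p>`;
}

// Defensive check for a unit test: after interpolation, the only tag names
// present in the string must be the ones the template itself wrote.
function hasUnexpectedTags(html, allowedTags) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g) || [];
  return tags.some((t) => !allowedTags.includes(t.replace(/^<\/?/, '').toLowerCase()));
}

// Constructed sample: a node name and an objectid that carries markup,
// as a crafted graph.json could supply.
const sampleSource = 'NODE1@DOMAIN.COM';
const sampleTargetId = 'MALICIOUS<script>x()</script>@DOMAIN.COM';

const templateTags = ['p', 'code'];
console.log(hasUnexpectedTags(abuseInfoVulnerable(sampleSource, sampleTargetId), templateTags)); // true
console.log(hasUnexpectedTags(abuseInfoHardened(sampleSource, sampleTargetId), templateTags));   // false
console.log(abuseInfoHardened(sampleSource, sampleTargetId));
```

The check is deliberately coarse: it does not try to parse HTML, it only confirms that no tag name outside the template's own set survived interpolation, which is exactly the property the encoder is supposed to guarantee for every variable that originates in the imported file.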
magicOz changed the title from "XSS in HelpModal leading to RCE via imported malicious data file" to "[Security] XSS in HelpModal leading to RCE via imported malicious data file" on Jun 30, 2020.
Mostly because it would take ages to convert them to JSX components at this point. I'm updating the code to encode all the variables passed to the help modal to prevent this for now. I've tested on the 4.2 branch with the PoC and it no longer works.
The help text-modal utilizes the React component attribute dangerouslySetInnerHTML when rendering the Info, Abuse Info, etc. texts. E.g. BloodHound/src/components/Modals/HelpTexts/GenericAll/GenericAll.jsx, lines 31 to 37 in 338e197.
This makes the application vulnerable to XSS unless the input parameters are properly sanitized/encoded.
It turns out that the parameter targetId (objectid) isn't encoded, and is reflected in multiple Abuse Info-texts - making the application vulnerable. See BloodHound/src/components/Modals/HelpModal.jsx, line 57 in 338e197.