Possible XSS attack #1895
Comments
|
The issue is not with the sidebar, but the markdown renderer. I've emailed details to the devs, but @makotech222 has already identified a fix. |
|
Also, this needs to be fixed on the backend, client-side validation is never enough. @geneccx - Where can I find the fix that you mention @makotech222 contributed on? |
|
|
@NomNuggetNom please keep the issue open until it has been fixed. We want to be sure the Devs see this. |
|
After implementing this fix, you will likely also need to invalidate all existing sessions (logging everyone out) due to LemmyNet/lemmy#3499 In the meantime, From the matrix chat: Current mitigations
DELETE FROM custom_emoji_keyword;
DELETE FROM custom_emoji;
UPDATE comment SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%
|
Both the sidebar and the legal information field don't seem to escape strings? The "Legal" page in lemmy.world is allowing malicious JavaScript to run right now. |
It's custom emoji rendered anywhere. The mitigation is above, deleting your custom emojis until the fix is in place, and invalidate all sessions. |
EDIT: I'm wrong, it's indeed the emoji. |
Looks like you'll need to restart lemmy to make it uses the new secret. |
Thanks, I'll add that to the list of steps. |
|
@tgxn teaching more people how to exploit it in the wild probably isn't the best idea... |
Sure, I'll delete the post; but it's not like malicious actors care, we know that it's specifically:
|
It was already being executed in the wild on some of the largest instances before this issue was created. |
I am aware. The fix and mitigations came after discovering it being used in the wild. The point still stands, until more servers have had the chance to patch this up, and the Lemmy devs have had a chance to release the fix, sharing the specifics of how to execute the exploit can only cause more harm than good. |
Should these be |
|
Maybe quick and easy way to fix it would be to either use https://www.npmjs.com/package/safe-marked or adapt current solution to use https://www.npmjs.com/package/dompurify As always no user input can be trusted. |
|
What makes you think that custom emojis are used as the attack vector? The fact is that emojis can only be set by local admins, and they dont federate. So I fail to see how an attack could set emojis, unless he already gained admin privileges through another attack vector. |
I'm doing some triage right now. I'm not sure if I fully understand this yet, but this is in my instance's database. I think this means it will be injected if our users click into the infected discussion?
(Edit: Scrubbed to minimise proliferation) |
Anyone has viewed a page where that If you haven't already, you should take your instance offline until this has been sorted out. |
|
Those comments from the screenshot are all from lemmy.world, so they would not have any effect on the poster's instance. Or @abhibeckert are you aware of an additional vulnerability other than what has been discussed here? |
No if I was aware of anything you guys don't know I would've offered it. I was just answering their question, since they seemed to be unclear what the code does (and what the risk is). |
That code resolves to a url: |
|
As a precaution, I've run the measures suggested by @geneccx above (thanks!) and disabled federation for now. Hmm. This is not important for me personally now, but I still don't yet understand how this doesn't affect users on my local instance, who view the "infected" comment (which came from the lemmy.world federated post, but was living in my db). It seems to run on every browser onLoad and send the user's cookie. I'm not a frontend guy. I assume by the developers' comments that these must be escaped in some way. |
|
Mentioning #1900 which should prevent this and most other XSS attacks without modifying the db or other code (barely tested) |
i know, thats why i said workaround. It would be more than just waiting for an update and gettting users cookies snatched in the time. If everyone disbles federation for the time, the whole point of lemmy is more or less lost for the time. |
No, malicious comments (and other activities) need to be specific to the instance's custom emoji for the exploit to work. From my testing and observations, federated activities referencing custom emoji from those other instances do not trigger the issue. |
|
The current fix in #1897 doesn't really do anything when the emoji itself has a malicious image URL or alt text. This was also pointed out by #1897 (comment) My fix sanitizes everything in #1906, just to be safe. |
|
I agree that the code can still be improved. I filed #1904 to track proper HTML generation. Even your solution seems a bit strange as it generates possibly invalid or malicious HTML then tries to clean it, I think it would be better to just avoid generating invalid or malicious HTML in the first place. |
Just to be cautious, I'd also do the same with
as I'd also do the same without a space between onload/onerror and the first quotation mark. |
|
This is still incomplete. You could add two spaces instead of one and bypass that pattern. It is also one-time only. The only true fix is to push out an updated UI. |
|
Yep, there's no way to identify all possible cases where this is done. Update the frontend - the fix is available in 0.18.2-rc.1. Deleting the comments/posts is not technically necessary, it's more for cleanup afterwards anyway. |
That wouldn't be sufficient in my opinion, you could potentially inject a |
Which means, as long as there isn't a proper fix to this, we still don't know whether instances currently host other malicious JavaScript code that is still active and discretely stealing cookies. We only know that we got rid of the onload's. |
|
Just so we're all on the same page: the current fix wasn't getting rid of onloads, it was actually disabling the custom rendering logic for emojis. For now, the only known way to actually run this code was through custom emojis (before 0.18.2-rc.1). We can speculate that there are other XSS vulnerabilities, but there are no known ones at the moment. |
|
I just checked again in the It is very curious however. The exploit requires a title that is exactly the name of any custom emoji (not necessarily a compromised one, it just needs to be valid!) in the Markdown image tag to work and the image URL can be anything, but without a title it doesn't work. For instance, putting this in a comment successfully injects the JavaScript: but this won't work: Thus, a simple user without any admin rights can perfectly perform the exploit and attempt to steal admin cookies, so it's wrong to assume that it's exclusively a compromised custom emoji that is allowing the hack. |
|
It's usage of a local custom emoji by any user that triggers the exploit, and the PR fixes the usage piece such that normal users cannot inject arbitrary JS by using local custom emoji. Admins however, can still place arbitrary JS when creating an emoji. The existing PR fixes the current issue that is being exploited in the wild. |
This comment was marked as duplicate.
This comment was marked as duplicate.
|
I think their point is it's wrong to assume the icon is the only vulnerability, just because that's the approach the hackers used this time. |
|
Sure, but who's assuming that? There's movement now in other areas, including adding a CSP, potentially revisiting the JWT implementation, among others. There are going to be other exploits, that is inevitable. Focus is better directed towards layers of defence rather than speculation. |
|
@sunaurus I think it would be good to learn from this and add some automated method to quickly deploy urgent security patches. There are thousands of lemmy instances and it will take forever for all of them to update. I'm not suggesting fully automated software updates, just some way to quickly patch a critical vulnerability like this one. |
Maybe with an opt-in/opt-out option because I'm sure some very specific admins will be up in arms about the potential abuse. |
|
Hey everyone, admin of EDIT: in the meantime I've shut down the instance. I'm trying my hardest to stop this from proliferaring, at least through our instance. |
I would definitely welcome an API endpoint controlled by a few trusted instance admins that could be polled every minute or so with a very simple GET request. In the case of a security issue that requires immediate attention by an admin or sysadmin I would have my server shutdown or stop all containers if it receives a certain agreed-upon response. This is the only way we can have small instances run by few people who might be asleep without them becoming attack vectors. Worst case it's a false positive and my instance goes down, but I rather have this than compromise any user data. Thinking about it, this could also be a useful warning service for a multitude of scenarios. I'll consider setting up a button for authenticated users to press, in this case not to shut down the instance but to give me some sort of alert for medium-tier incidents. |
I think you meant to propose checking for GitHub for new releases instead of adding a new points of failure and additional vulnerability surfaces |
|
For future reference, this was patched by commit e80bcf5 and became available in version |
Sure... that option needs to exist, but it maybe don't make it too easy? Automatically applying security patches is standard practice and the potential for abuse by a rogue Lemmy developer is vastly smaller than the potential abuse from a delayed installation. If I was running a Lemmy instance, I would be defederating every instance that hasn't updated to v0.18.2.rc.1 until they do update. If instance admins want to, you know, sleep, then these patches need to be automated. |
|
What would defederation accomplish? The patch is in the client, patched servers can still send messages that trigger the bug. The problem is that the UI renders it insecurely. Let's not get too excited. I think that there should be a designated channel for vulnerability announcements but I don't think we need to jump straight to automatically installing new code on servers. Without very careful design that can add worse vulnerabilities than it would prevent. |
It would force those instance admins to update. Also.. Admin and moderator accounts have been accessed on some of those servers. Login tokens for any (all?) other users may have also been compromised. And they have been posting links to illegal content. The patch doesn't reset those JWT tokens either. So while the barn door is closed once instances update the wolf could be locked inside with the chickens. |
|
Also why should anyone install an RC version? Please release an official patch version. No one should have to install an RC to patch a bug. |
This is a serious enough issue to backport this to an official version. |
|
We plan on doing a release with a fix tomorrow, please be patient. |
@dessalines If it's not already on your radar, please also consider posting a GitHub security advisory on the issue for visibility, and also enabling private vulnerability reporting |
and others
Requirements
Summary
The sidebar dangerously sets HTML but does not configure the Markdown render to strip HTML codes. This enables simple XSS attacks like<img onload="maliciousCodeHere()" />. It seems like an attempt is made to create a markdown renderer with HTML disabled, however.It now seems that this attack might be done via custom emojis.
Steps to Reproduce
Technical Details
markdown-itdoes some extremely simple guarding, but they don't claim to prevent XSS. Custom HTML should be removed in favor of plugins.Lemmy Instance Version
0.18.1
Lemmy Instance URL
No response
The text was updated successfully, but these errors were encountered: