This repository has been archived by the owner on Dec 28, 2021. It is now read-only.

XSS to Code execution vulnerability #156

Open
silviavali opened this issue Dec 5, 2017 · 9 comments

Comments

@silviavali

Hello,

I would like to report an XSS vulnerability in your application that leads to code execution.
I have a working PoC that I don't want to post publicly.
Please contact me at silviavali14@gmail.com

@billchenchina

See #153

@silviavali
Author

Sure, the project is currently suspended, but as long as the previous version is available to be downloaded, people are exposed to using a version of Moeeditor with a code execution vulnerability.

@zhuzhuyule

Now you can look at this repo; it inherited Moeditor.

@Menci
Member

Menci commented Jan 14, 2018

I'm sorry that now I have no time for developing, so let's fix the XSS bugs when the new version is started.

@NARKOZ

NARKOZ commented Feb 8, 2018

@silviavali Hi. Could you email me your report? (see my profile for email address)

@silviavali
Author

How are you related to the project (do I have permission by the project owner to send you the report)?

@Menci
Member

Menci commented Mar 24, 2018

My email address is huanghaorui301@gmail.com

@silviavali
Author

Report e-mailed to huanghaorui301@gmail.com @Menci

@silviavali
Author

"XSS to code execution vulnerability due to enabled node integration"

Version 0.2.0-beta
Reported: 5th Dec, 2017
Report finally sent: 10th of May, 2017 (Disclosure of the vulnerability as the project has been vulnerable to code execution since December 2017, no fixes applied)

Description: MoeEditor is a markdown editor which allows the user to create and view .md files. However, the user input (the content of the markdown file being viewed in the application) is not encoded properly for the output document, which results in XSS. Improper encoding for the output document can result in XSS in any web application or any application using web technologies like HTML, JavaScript or CSS. At the moment the XSS occurs in a browser window where node integration has been enabled, therefore the payload can also be used to require node modules like 'os' and hence access the operating system's native primitives.

Due to the combination of XSS occurring on a page where nodeIntegration is enabled (in Electron, nodeIntegration defaults to true for a BrowserWindow instance), the XSS evolves into code execution. For example, if the user opens a markdown file with the following contents or pastes it into the writing area,

Payload:

<onmouseover="alert(1)"> <s onmouseover="var os = require('os'); var hostname = os.platform(); var homedir = os.homedir(); alert('Host:' + hostname + 'directory: ' + homedir);">Hallo</s>

it will open an alert box with the hostname and the home directory of the machine the application is running on.


Possible scenario: Reverse shell

Attacker crafts a markdown file 'payload.md' and makes it publicly available for download or tricks the victim into downloading it and opening it with the Shiba application. Attacker starts netcat and listens on port 1337 to receive the /etc/passwd file content from the victim's machine. Victim has downloaded and opened the file in the Shiba application. If the victim now hovers over the file content in the markdown editor, the payload gets executed in the background and the attacker receives the '/etc/passwd' file content from the victim's machine.

As node modules can be required, the attack scenario could be anything of the attacker's imagination. For example, it would be possible to require files, write files, write binary code into a file, hence delivering malware. It would also be possible to establish connections with remote locations to send files (for example /etc/passwd) from the victim's machine to an attacker-controlled server, etc.
