
XSS to Code execution vulnerability #156

Open
silviavali opened this issue Dec 5, 2017 · 9 comments

Comments

@silviavali

commented Dec 5, 2017

Hello,

I would like to report a XSS vulnerability in your application that leads to code execution.
I have a working PoC that I don't want to post publicly.
Please contact me at silviavali14@gmail.com

@billchenchina

commented Dec 10, 2017

See #153

@silviavali

Author

commented Jan 3, 2018

Sure, the project is currently suspended, but as long as the previous version is available to be downloaded, people are exposed to using a version of Moeditor with a code execution vulnerability.

@zhuzhuyule

commented Jan 3, 2018

Now you can look at this repo; it inherited Moeditor.

@Menci

Member

commented Jan 14, 2018

I'm sorry that I have no time for developing now, so let's fix the XSS bugs when the new version is started.

@NARKOZ

commented Feb 8, 2018

@silviavali Hi. Could you email me your report? (see my profile for email address)

@silviavali

Author

commented Feb 19, 2018

How are you related to the project (do I have permission by the project owner to send you the report)?

@Menci

Member

commented Mar 24, 2018

My email address is huanghaorui301@gmail.com

@silviavali

Author

commented May 10, 2018

Report e-mailed to huanghaorui301@gmail.com @Menci

@silviavali

Author

commented May 17, 2018

"XSS to code execution vulnerability due to enabled node integration"

Version 0.2.0-beta
Reported: 5th Dec, 2017
Report finally sent: 10th of May, 2017 (Disclosure of the vulnerability as the project has been vulnerable to code execution since December 2017, no fixes applied)

Description: MoeEditor is a markdown editor which allows users to create and view .md files. However, the user input (the content of the markdown file being viewed in the application) is not encoded properly for the output document, which results in XSS. Improper encoding for the output document can result in XSS in any web application or any application using web technologies like HTML, JavaScript or CSS. At the moment, the XSS occurs in a browser window where node integration has been enabled, therefore the payload can also be used to require node modules like ’os’ and hence access the operating system's native primitives.

Due to the combination of XSS occurring on a page where nodeIntegration is enabled (in Electron, nodeIntegration defaults to true for a browserWindow instance), the XSS evolves into code execution. For example, if a user opens a markdown file with the following contents or pastes it into the writing area,

Payload:

<onmouseover="alert(1)"> <s onmouseover="var os = require('os'); var hostname = os.platform(); var homedir = os.homedir(); alert('Host:' + hostname + 'directory: ' + homedir);">Hallo</s>

it will open an alert box with the hostname and the home directory of the machine the application is running on.

Possible scenario: Reverse shell

Attacker crafts a markdown file ’payload.md’ and makes it publicly available for download or tricks the victim into downloading it and opening it with the Shiba application. Attacker starts netcat and listens on port 1337 to receive the /etc/passwd file content from the victim’s machine. Victim has downloaded and opened the file in the Shiba application. If the victim now hovers over the file content in the markdown editor, the payload gets executed in the background and the attacker receives the ‘/etc/passwd’ file content from the victim’s machine.

As node modules can be required, the attack scenario could be anything of the attacker's imagination. For example, it would be possible to require files, write files, or write binary code into a file, hence delivering malware. It would also be possible to establish connections with remote locations to send files (for example /etc/passwd) from the victim’s machine to an attacker-controlled server, etc.
