BUG: Beekeeper Remote Code Execution via XSS #1393

Closed
goseungduk opened this issue Oct 8, 2022 · 2 comments · Fixed by #1438

goseungduk commented Oct 8, 2022

Author: bob11.devranger@gmail.com

Date: 2022-10-07

OS: Windows, Linux, MacOS

Beekeeper Studio Version: 3.6.6

DB Type & Version: MySQL 5.7 and also 8.0


Summary

It has been possible to trigger remote code execution via Beekeeper’s Modal Container.

Description

Beekeeper has the modal container which indicates the user’s interaction is valid, and due to a lack of sanitization of the modal contents, it has an XSS vulnerability like this:

[1] (two images)

[2] (two images)

The modal’s content is also transferred by MySQL packet, only when the user’s interaction is invalid, like this:
(image)

So, taking advantage of the report in CVE-2022-26174, Remote Code Execution via the Modal Container has been possible.

In this case, I made a fake MySQL server which spoofs the user’s modal output when the user puts some data in a table.

This is my sample fake SQL server: poc.py

You can see in this PoC video that the fake SQL server triggers RCE via Beekeeper.

PoC_Video

In this video, I used this XSS script <input type="text" onfocus="require('child_process').execSync('calc.exe')" autofocus /> for the modal error output, and any input that the user passes is replaced by that XSS script and re-passed to the user.

Finally, the malicious code is triggered on the user’s PC and continues until the modal is inactivated.

(image)

What’s More?

  • Not only the data-inserting functions but also any functions which use the error modal (e.g. create table): it seems that we can trigger RCE there too.

Temporary Fake SQL Server

146.56.129.188:3306

goseungduk changed the title from "BUG: Beekeeper RCE via XSS" to "BUG: Beekeeper Remote Code Execution via XSS" on Oct 25, 2022

rathboma (Collaborator) commented

Thanks. Looking into this. Will get fixed asap

rathboma added a commit that referenced this issue Nov 21, 2022
- Replaced Noty with a custom fork of noty that uses text as innerText, not innerHTML
- Replaced VueNoty wrapper with custom implementation

rathboma (Collaborator) commented

Fixed in 3.7.10

rathboma added a commit that referenced this issue Nov 21, 2022
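
The commit referenced in this thread changes the notification body from innerHTML to innerText. The following is an added example, not code from Beekeeper Studio or noty: it models both sinks as string rendering and checks that server-supplied error text cannot open new elements. The function names and the sample error string are constructed for illustration.

```javascript
// Added example: models the notification sink before and after the fix.
// All names and the sample error string are constructed, not project code.

// Constructed stand-in for an error message returned by an untrusted database server.
const SERVER_ERROR =
  'Incorrect value <input type="text" onfocus="markerCalled()" autofocus /> for column';

// "Before": the message is spliced into markup, as an innerHTML assignment would do.
function renderErrorUnsafe(message) {
  return '<div class="noty_body">' + message + '</div>';
}

// Escape the characters that let text break out of an HTML text or attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "After": the message is treated as text only, the string-level equivalent of
// assigning it through innerText/textContent.
function renderErrorSafe(message) {
  return '<div class="noty_body">' + escapeHtml(message) + '</div>';
}

// List the element names an HTML parser would open for this markup.
// Simplified scanner, sufficient for asserting that no extra elements appear.
function openedElements(html) {
  const names = [];
  const re = /<([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Regression check: a rendered notification must contain the wrapper element
// and nothing else, whatever the server sent.
function isInert(html) {
  const names = openedElements(html);
  return names.length === 1 && names[0] === 'div';
}

// In a browser or Electron renderer the DOM form of the safe path is:
//   const body = document.createElement('div');
//   body.textContent = message;   // never body.innerHTML = message
console.log(isInert(renderErrorUnsafe(SERVER_ERROR))); // false
console.log(isInert(renderErrorSafe(SERVER_ERROR)));   // true
```

A check like `isInert` fits in a unit test for every code path that displays database error text, since the report notes that any function using the error modal is affected.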