mathjax / MathJax

Beautiful and accessible math in all browsers
http://www.mathjax.org/
Apache License 2.0

CSS injection vulnerability in `\unicode{}` macro #3241

Open spixi opened 1 month ago

spixi commented 1 month ago

Issue Summary

The `\unicode{}` macro can be abused to load external resources using the CSS attribute background-image (and possibly also other CSS attributes) with the url() function.

Steps to Reproduce:

A certain GitHub user page shows an inappropriate image upon opening their profile. In the following screenshot I stopped it before rendering. (screenshot: Screenshot_20240608_031622_Chrome)

The user also used the exploit in comments to GitHub issues like https://github.com/wesnoth/wesnoth/issues/8964

The exploit can also be found in that user's profile here: https://raw.githubusercontent.com/*username*/*username*/main/README.md

The URL in that script appears to be a github.com URL, but actually redirects to a github-production-user-asset-6210df.s3.amazonaws.com URL.

The background image is automatically loaded from an external source, specified by the attacker. This may endanger the user's privacy and in the worst case could also be abused to prepare other attacks, e.g. by stealing session tokens, clickjacking or phishing.

This also may be exploitable with other CSS attributes like src in a @font-face rule.

This vulnerability may be related to CVE-2018-1999024

Technical details:

I am using the following MathJax configuration:

(unknown)

and loading MathJax via

(unknown)

Supporting information:

see screenshot

maxgubler commented 1 month ago

https://github.com/mathjax/MathJax/issues/3129 😃

dpvc commented 1 month ago

As mentioned by @maxgubler, this is a duplicate of #3129. See that issue for a work-around. It is resolved in v4 (now out in beta).

eecavanna commented 1 month ago

Thanks, @spixi, for reporting this and documenting the situation so thoroughly.

A project I contribute to received an issue comment from GitHub user https://github.com/simul on Friday, June 7, that was almost identical—if not completely identical—to the one shown in the screenshot in this issue description. When viewing the issue page, the viewport was immediately "taken over" by a full-screen image (it was a flashing image of a Discord URL).

I used curl to download the issue page and found the problematic comment. Someone (I assume, one of the project maintainers) has since deleted it from the issue page, but I still have the curl output. Here is the offending comment — in HTML format — copied from the curl output, for reference:

```html
<p dir="auto">sup</p>
<math-renderer class="js-display-math" style="display: block" data-static-url="https://github.githubassets.com/static" data-run-id="5287bd6428aa015df40f3018f5f9dcc0">$$\ce{$\unicode[goombafont; color:red; pointer-events: none; z-index: 5; position: fixed; inset: 0; opacity: 100%; background-size: 100% 100%; background-image: url('https://github.com/Roblox/t/assets/106361566/b3306f20-57e8-449d-95f7-0ec0597b4e7e');]{x0000}$}$$</math-renderer>
```

Do any of you know whether this issue has been reported to GitHub, Inc.? I am wondering whether they are aware of it as it may motivate them to upgrade to MathJax v4 (i.e. the version of MathJax that contains the fix).

gjsjohnmurray commented 1 month ago

I believe that the GitHub folk are aware of it. I observed the exploit in comments on two issues on the microsoft/vscode repo. One of the issues had been created by a core team member, a Microsoft employee. I emailed to alert him. Shortly afterwards the comment on his issue got hidden as abuse. The one on the other issue remained unhidden but was now defanged and accompanied by a notification that the \unicode clause it contained was not permitted to apply.

spixi commented 1 month ago

@eecavanna

> A project I contribute to received an issue comment from GitHub user ... on Friday, June 7, that was almost identical—if not completely identical—to the one shown in the screenshot in this issue description. When viewing the issue page, the viewport was immediately "taken over" by a full-screen image (it was a flashing image of a Discord URL).

Yes, it was exactly the same code with the same flashing GIF image. I reported the user for "Active Malware or Exploits" and it seems they already have deleted the user simulified. The organization simul has nothing to do with this.

dpvc commented 1 month ago

Note that the original issue #3129 includes a v3 configuration that fixes the issue, so GitHub (and anyone else) could use that if they are not prepared to move to v4.
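As an added defensive example (not MathJax's code and not the #3129 work-around): a pre-render check that a site rendering user-supplied TeX could run over comments, flagging any `\unicode` optional argument that carries CSS declarations or `url()` (the pattern quoted earlier in this thread) and stripping it before the macro reaches the renderer. The font-name allowlist and the sample comment are assumptions constructed for the example.

```javascript
// Added defensive example (not MathJax's code and not the #3129 work-around):
// a pre-render check for user-supplied TeX such as issue comments. The
// optional argument of \unicode is legitimately a "height,depth" number pair
// or a font name; anything carrying CSS declaration syntax or url() is
// treated as a CSS-injection attempt, reported, and stripped. The font-name
// allowlist below is an assumption, not MathJax's own grammar.

const UNICODE_MACRO = /\\unicode\s*(?:\[([^\]]*)\])?(?:\[([^\]]*)\])?\s*\{([^}]*)\}/g;
const HEIGHT_DEPTH = /^\s*\d*\.?\d+\s*,\s*\d*\.?\d+\s*$/;
const FONT_NAME = /^[A-Za-z0-9 _-]+$/;            // assumption: plain names only
const URL_FUNC = /url\(\s*['"]?([^'")\s]+)/gi;

function classifyOption(opt) {
  if (HEIGHT_DEPTH.test(opt)) return 'height-depth';
  if (FONT_NAME.test(opt)) return 'font';
  return 'suspicious';                            // ':' ';' '(' etc. => CSS
}

// Returns one finding per \unicode whose optional argument(s) look like CSS,
// with any url() targets extracted so they can be logged or blocked.
function scanUnicodeMacros(text) {
  const findings = [];
  for (const m of text.matchAll(UNICODE_MACRO)) {
    const bad = [m[1], m[2]].filter(o => o !== undefined && classifyOption(o) === 'suspicious');
    if (bad.length === 0) continue;
    const urls = bad.flatMap(o => [...o.matchAll(URL_FUNC)].map(u => u[1]));
    findings.push({ index: m.index, codepoint: m[3], options: bad, urls });
  }
  return findings;
}

// Rewrites the text so every \unicode keeps only its safe optional arguments.
function stripUnsafeUnicodeOptions(text) {
  return text.replace(UNICODE_MACRO, (_full, o1, o2, code) => {
    const keep = [o1, o2].filter(o => o !== undefined && classifyOption(o) !== 'suspicious');
    return '\\unicode' + keep.map(o => '[' + o + ']').join('') + '{' + code + '}';
  });
}

// Constructed sample: one legitimate use, one modeled on the pattern quoted
// in this issue (placeholder URL, not the real one).
const SAMPLE_COMMENT = [
  'Benign: $\\unicode[.55,0.05][Garamond]{x22D6}$',
  "Abuse: $$\\unicode[somefont; position: fixed; inset: 0; background-image: url('https://example.invalid/tracker.gif');]{x0000}$$",
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanUnicodeMacros(SAMPLE_COMMENT));
  console.log(stripUnsafeUnicodeOptions(SAMPLE_COMMENT));
}
```

The scan is a coarse pre-filter for logging and blocking at the comment layer; the actual rendering fix is the #3129 configuration or MathJax v4.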