viper-framework / viper-web

BSD 3-Clause "New" or "Revised" License

XSS in modules output #7

Open chadillac opened 4 years ago

chadillac commented 4 years ago

How to reproduce:

example payload:

$ cat this_is_a_test
this
<h1>is a</h1>
test
<strong>payload</strong>
<script>alert('this is a test');</script>

upload the this_is_a_test sample to the Viper instance, go to the modules tab and run the All Strings module...

You'll get an alert and formatted HTML in the display.

Why it's bad: This could allow malicious code embedded in malware samples to achieve execution in an analyst's browser session...

How to fix it: It should be using innerText over innerHTML when injecting the content into the page, as this will have it bypass HTML processing attempts. An alternative fix would be running all output returned from modules through an HTML special characters encoding process before injecting the content into the page.

Either case should fix the problem.

frennkie commented 4 years ago

Unfortunately the fix is not that trivial (as far as my tests are going) - but definitely thanks for reporting this problem.

I think print_output needs to be fixed to output useful AND safe information. As Django has an escape function that takes care of defusing (common) attacks it should be considered here.

chadillac commented 4 years ago

the other option is to HTML encode the strings that come out of the strings command before you hand them back to the web UI.

chadillac commented 4 years ago

additionally you could slap it in a <pre> tag, but this could allow escaping and XSS injection as well with the right payload, but should at least stop <script> tags and the like from getting execution in the browser instance... a case of a binary containing </pre><script> might be able to still get code execution but I haven't tested it.
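The escaping approach discussed in this thread (encode module output before it reaches the page, and note that a bare `<pre>` wrapper is not enough), as an added example that is not viper-web's code. It uses the standard library `html.escape`, which performs the same replacements as Django's `django.utils.html.escape`; the sample strings are constructed from the report's test file plus the `</pre><script>` break-out case.

```python
import html
import re

# Constructed sample: what an "All Strings" module might return for the
# this_is_a_test file from the report, plus the </pre><script> case.
SAMPLE_STRINGS = [
    "this",
    "<h1>is a</h1>",
    "test",
    "<strong>payload</strong>",
    "<script>alert('this is a test');</script>",
    "</pre><script>alert(1)</script>",
]

# Matches an opening or closing <script> tag that survived rendering.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script", re.IGNORECASE)


def render_unsafe(lines):
    """The <pre>-only idea from the thread: raw module output dropped into
    a <pre> block. A string containing </pre><script> closes the block and
    the browser executes the rest."""
    return "<pre>" + "\n".join(lines) + "</pre>"


def render_escaped(lines):
    """Escape every line before it reaches the template or innerHTML sink.
    html.escape(quote=True) turns < > & " ' into entities, so no string
    from the sample can open or close a tag, yet the text stays readable."""
    escaped = (html.escape(line, quote=True) for line in lines)
    return "<pre>" + "\n".join(escaped) + "</pre>"


def contains_live_markup(rendered):
    """Check used in the assertions: is there a real <script> tag left?"""
    return SCRIPT_TAG.search(rendered) is not None


def recover_lines(rendered):
    """Show the escaped output is still useful: strip the wrapper and
    decode the entities back to the original strings."""
    body = rendered[len("<pre>"):-len("</pre>")]
    return html.unescape(body).split("\n")


if __name__ == "__main__":
    print(contains_live_markup(render_unsafe(SAMPLE_STRINGS)))   # True
    print(contains_live_markup(render_escaped(SAMPLE_STRINGS)))  # False
```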

frennkie commented 4 years ago

Can you check the approach used in #12?

chadillac commented 4 years ago

> Can you check the approach used in #12?

yep, that should do it.

frennkie commented 4 years ago

ToDo: Write warning that users should exercise caution when using viper-web (e.g. dedicated Browser/private mode).