OS Command Injection in fabio286/antares

Valid

Reported on Jun 25th 2021

✍️ Description

The application renders the connection error message returned by the server without stripping the HTML tags it contains, which leads to XSS.

https://imgur.com/3MhhvFp.png https://i.imgur.com/RksNgXF.png

Because the application is built on Electron, the XSS can be escalated to RCE, making it possible to execute commands on the machine where the application is running.

https://i.imgur.com/6WeeUQH.png
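An added example (not Antares's own code, and not the content of the fix commit) showing the two controls that matter for the bug described above: escaping a server-supplied error string before it reaches the renderer's DOM, and checking the Electron `webPreferences` flags that decide whether a renderer XSS can reach Node APIs. The error string and the preference objects are constructed for the example.

```javascript
// Added example, not from the Antares code base. Two defensive checks for
// the report above: escape server-controlled error text before rendering,
// and audit the BrowserWindow settings that turn an XSS into RCE.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Turn the message into inert text: every character that could open a tag
// or break out of an attribute is replaced by its HTML entity.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The unsafe pattern the report describes: the raw server message is
// interpolated into markup that later lands in innerHTML (or a v-html binding).
function renderErrorUnsafe(message) {
  return `<div class="error">${message}</div>`;
}

// Hardened version: same markup, but the server-controlled part is escaped.
function renderErrorSafe(message) {
  return `<div class="error">${escapeHtml(message)}</div>`;
}

// Renderer settings that let injected script call require('child_process')
// directly. Electron's defaults have changed across releases (nodeIntegration
// used to default to true), so check the values explicitly.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration is enabled');
  if (prefs.contextIsolation === false) findings.push('contextIsolation is disabled');
  if (prefs.sandbox === false) findings.push('sandbox is disabled');
  if (prefs.webSecurity === false) findings.push('webSecurity is disabled');
  return findings;
}

// Constructed sample: an error string as a rogue MySQL server could return it.
const SAMPLE_ERROR = 'Access denied <img src=x onerror="alert(1)">';

// Stand-alone demonstration of both checks.
console.log(renderErrorUnsafe(SAMPLE_ERROR));
console.log(renderErrorSafe(SAMPLE_ERROR));
console.log(auditWebPreferences({ nodeIntegration: true, contextIsolation: false }));
```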

🕵️‍♂️ Proof of Concept

Run a connection test against this server to check the XSS:

Client: MySQL
Hostname/IP: 159.65.37.121
Port: 3307
User: any
Password: any

Run a connection test against this server to check the RCE (this opens Firefox on Linux and Calculator on Windows):

Client: MySQL
Hostname/IP: 159.65.37.121
Port: 3308
User: any
Password: any

💥 Impact

An attacker can set up a server that returns a malicious error message and thereby execute commands on the client machine.

We have contacted a member of the fabio286/antares team and are waiting to hear back 5 months ago
fabio286/antares maintainer
5 months ago

Hello Jonathan,

Thanks for this report! I just fixed this vulnerability with the following commit: https://github.com/Fabio286/antares/commit/3aef7e953ea82a9105d470cc62c68aacfc97f9d9

fabio286/antares maintainer confirmed that a fix has been merged on 3aef7e 5 months ago
The fix bounty has been dropped
Jonathan Toledo
5 months ago

Researcher

Oh, that was quick. I already tried again and everything is working as it should.