Monday, September 18, 2017

Gem in a box XSS vulnerability - CVE-2017-14506

In this short blog post I will give a brief explanation of an XSS vulnerability I found in geminabox v0.13.5, a gem manager similar to rubygems.org that lets you upload and download gems.
Geminabox parses the uploaded gems and shows users the list of gems on the system, as in the following image:


As you can see, the system parses the gem's details and presents them in the web UI.
After a few tries, I succeeded in creating a GEM file that triggers the XSS; the attack scenario goes as follows:
  • A malicious attacker creates a GEM file whose homepage value (gem.homepage in the .gemspec file) includes an XSS payload, as in the following image:
  • The attacker accesses the geminabox system and uploads the gem file (or uses a CSRF/SSRF attack to do so).
  • From now on, any user who accesses the Geminabox web server executes the malicious XSS payload, which will delete any gems on the server and prevent users from using geminabox anymore (it can also crash the victim's browser or redirect them to other hosts).
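The root cause described above is metadata parsed out of an uploaded gem being written into the gem list page without escaping. The following is an added example, not geminabox's own code or templates: it puts the unsafe interpolation pattern next to a hardened version that HTML-escapes every field and only links homepages whose scheme is http or https. The gem records and the homepage values are constructed sample data, not taken from the advisory.

```ruby
require "erb"
require "uri"

# Constructed sample metadata, standing in for fields parsed out of
# uploaded gems (example values, not taken from the advisory).
CONSTRUCTED_GEMS = [
  { name: "goodgem", version: "1.0.0",
    homepage: "https://example.invalid/goodgem" },
  { name: "badgem",  version: "0.0.1",
    homepage: %q{https://example.invalid/"><script>probe()</script>} },
  { name: "oddgem",  version: "2.3.4",
    homepage: "javascript:probe()" },
]

# Vulnerable pattern: attacker-controlled metadata interpolated straight
# into HTML. A homepage containing quotes or angle brackets breaks out
# of the href attribute and becomes markup in every visitor's browser.
def render_row_unsafe(gem)
  link = %Q{<a href="#{gem[:homepage]}">#{gem[:homepage]}</a>}
  "<tr><td>#{gem[:name]}</td><td>#{gem[:version]}</td><td>#{link}</td></tr>"
end

# HTML-escape every field (ERB::Util.html_escape handles & < > " ').
def h(value)
  ERB::Util.html_escape(value.to_s)
end

# Only accept http(s) homepages; anything else (javascript:, data:,
# unparsable strings) is shown as escaped plain text rather than linked.
# URI::HTTPS is a subclass of URI::HTTP, so both schemes pass.
def safe_homepage(raw)
  uri = URI.parse(raw.to_s)
  uri.is_a?(URI::HTTP) ? uri.to_s : nil
rescue URI::InvalidURIError
  nil
end

# Hardened rendering: escape on output, allow-list the link scheme.
def render_row_safe(gem)
  link = safe_homepage(gem[:homepage])
  cell = link ? %Q{<a href="#{h(link)}">#{h(link)}</a>} : h(gem[:homepage])
  "<tr><td>#{h(gem[:name])}</td><td>#{h(gem[:version])}</td><td>#{cell}</td></tr>"
end

# Check used in the comparison: does rendered HTML still carry a raw
# script tag from the metadata?
def raw_script_tag?(html)
  html.include?("<script")
end

if __FILE__ == $0
  CONSTRUCTED_GEMS.each do |gem|
    puts "unsafe: #{render_row_unsafe(gem)}"
    puts "safe:   #{render_row_safe(gem)}"
  end
end
```

Escaping on output is the fix that matters here; validating the gemspec at upload time is a useful second layer, but any field that came out of an uploaded archive has to be treated as untrusted when it reaches a template.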

PoC video:
2 comments:

  1. You have spotted a potential problem with the web interface to Geminabox - in that it will allow a malicious gem to modify the web page and inject JavaScript code into the page. However, I fail to see how that will "delete any gems on the server" or "won't let users use the geminabox anymore."

    Replies
    1. Via an XSS attack, you can send requests to the server on behalf of whoever is visiting the website;
      the malicious JavaScript runs under the geminabox host, so whenever one visits the website, the malicious script will enumerate the uploaded gems and send the relevant DELETE requests to the server, and they will be deleted.
      In addition, it is possible to cause a DoS to the web application by injecting malicious JavaScript that crashes the browser while clients access the geminabox web app, or just redirects users from the index page so they won't be able to use it.
