ghsa-gjj5-998g-v36v
Vulnerability from github
Published
2022-01-21 23:20
Modified
2024-10-07 21:20
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Improper Access Control in Onionshare
Details

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.

  • Vulnerability ID: OTF-003
  • Vulnerability type: Improper Access Control
  • Threat level: Moderate

Description:

Anyone with access to the chat environment can write messages disguised as another chat participant.

Technical description:

Prerequisites:

  • Alice and Bob are legitimate users
  • A third user has access to the chat environment

otf-003-a

This screenshot shows Alice (glimpse-depress) and Bob (blinker-doorpost) joined a chatroom and are the only participants in the chatroom. Then the non-listed user squad-nursing writes a message in the chatroom without being visible in the list of users. The sending of the message itself is not required but was done here to show the initial access. The non-listed participant now renames himself to Bob and writes another message, seemingly coming from Bob.

This can be reproduced by slightly modifying the client-side JavaScript. The joined emit needs to be removed from the socket.on(connect)event handler. Therefore a client is not listed in the userlist and has no active session.

https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/resources/static/js/chat.js#L16-L18

This can be done either via a crafted client or runtime modification of the chat.js script in the browser's internal debugger.

It is still possible to call the text method and send text to the chat via websocket.

https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/chat_mode.py#L131-L139

It is also possible to call the update_username function and choose an existing username from the chat.

https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/chat_mode.py#L141-L162

Afterwards the hidden user can send messages that are displayed as coming from the impersonated user. There is no way to distinguish between the fake and original message.

Impact:

An adversary with access to the chat environment can impersonate existing chat participants and write messages but not read the conversation. The similar exploit described in OTF-004 (page 19) has only slightly more requirements but also allows for reading.

Recommendation:

  • Implement proper session handling
Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "onionshare-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3"
            },
            {
              "fixed": "2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-19T19:20:26Z",
    "nvd_published_at": "2022-01-18T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Between September 26, 2021 and October 8, 2021, [Radically Open Security](https://www.radicallyopensecurity.com/) conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund\u0027s [Red Team lab](https://www.opentech.fund/labs/red-team-lab/). This is an issue from that penetration test.\n\n- Vulnerability ID: OTF-003\n- Vulnerability type: Improper Access Control\n- Threat level: Moderate\n\n## Description:\n\nAnyone with access to the chat environment can write messages disguised as another chat participant.\n\n## Technical description:\n\nPrerequisites:\n\n- Alice and Bob are legitimate users\n- A third user has access to the chat environment\n\n![otf-003-a](https://user-images.githubusercontent.com/156128/140665707-1ecc897e-d33b-4f5b-b585-eb4475c1599f.png)\n\nThis screenshot shows Alice (`glimpse-depress`) and Bob (`blinker-doorpost`) joined a chatroom and are the only participants in the chatroom. Then the non-listed user squad-nursing writes a message in the chatroom without being visible in the list of users. The sending of the message itself is not required but was done here to show the initial access. The non-listed participant now renames himself to Bob and writes another message, seemingly coming from Bob.\n\nThis can be reproduced by slightly modifying the client-side JavaScript. The `joined` emit needs to be removed from the `socket.on(connect) `event handler. Therefore a client is not listed in the userlist and has no active session.\n\nhttps://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/resources/static/js/chat.js#L16-L18\n\nThis can be done either via a crafted client or runtime modification of the `chat.js` script in the browser\u0027s internal debugger.\n\nIt is still possible to call the text method and send text to the chat via websocket.\n\nhttps://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/chat_mode.py#L131-L139\n\nIt is also possible to call the `update_username` function and choose an existing username from the chat.\n\nhttps://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/chat_mode.py#L141-L162\n\nAfterwards the hidden user can send messages that are displayed as coming from the impersonated user. There is no way to distinguish between the fake and original message.\n\n## Impact:\n\nAn adversary with access to the chat environment can impersonate existing chat participants and write messages but not read the conversation. The similar exploit described in OTF-004 (page 19) has only slightly more requirements but also allows for reading.\n\n## Recommendation:\n\n- Implement proper session handling",
  "id": "GHSA-gjj5-998g-v36v",
  "modified": "2024-10-07T21:20:07Z",
  "published": "2022-01-21T23:20:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21692"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/onionshare/onionshare"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/onionshare-cli/PYSEC-2022-43.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Access Control in Onionshare"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.