Title: Signal-desktop HTML tag injection
Date Published: 2018-05-14
Last Update: 2018-05-14
CVE Name: CVE-2018-10994
Class: Code injection
Remotely Exploitable: Yes
Locally Exploitable: No
Vendors contacted: Signal.org
Signal-desktop is the standalone desktop version of the secure Signal messenger. It is vulnerable to remote code execution by a malicious contact, who can send a specially crafted message containing HTML code that is injected unescaped into the recipient's chat window (cross-site scripting).
- Signal-desktop messenger v1.7.1
- Signal-desktop messenger v1.8.0
- Signal-desktop messenger v1.9.0
- Signal-desktop messenger v1.10.0
The vulnerability was originally found in v1.9.0 and v1.10.0; after reviewing the source code, the versions listed above were determined to be the impacted ones.
Upgrade to Signal-desktop messenger v1.10.1 or v1.11.0-beta.3
For safer communications on desktop systems, please consider using a safer end-point client such as PGP or GnuPG instead.
This vulnerability was found and researched by Iván Ariel Barrera Oro (@HacKanCuBa), Alfredo Ortega (@ortegaalfredo) and Juliano Rizzo (@julianor), with assistance from Javier Lorenzo Carlos Smaldone (@mis2centavos).
Technical Description – Exploit/Concept Code
While discussing an XSS vulnerability on a website over the Signal-desktop messenger, it was found that the messenger software itself also exhibited a code-injection vulnerability while parsing the affected URLs.
The Signal-desktop software fails to sanitize certain HTML-encoded HTML tags, which can therefore be used to inject HTML code into the remote chat window. Specifically, the <img> and <iframe> tags can be used to include remote or local resources.
For example, an injected iframe enables full code execution, allowing an attacker to download/upload files, information, etc. The <script> tag was also found to be injectable.
- Show an iframe with some text:
- Display content of user’s own /etc/passwd file:
- Show a base64-encoded image (bypass «click to download image»):
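As an added example (not Signal's code, and not the project's actual fix), the rendering pattern behind this bug class is shown beside its hardened form in plain JavaScript, so it runs without a DOM: untrusted message text interpolated straight into markup (vulnerable), the same text escaped first (safe), and a pipeline that decodes entities after escaping, which is one way an HTML-encoded tag in a message ends up rendered as a live tag. The function names and the sample messages are constructed for this illustration; the tag names are the ones the advisory lists.

```javascript
// Added illustration of the bug class, not Signal-desktop's renderer.

// Constructed sample messages: raw tags, and an entity-encoded tag as a
// sender could type it. No active payload is needed to show the difference.
const SAMPLE_MESSAGES = [
  'hello <img src="x">',
  '<iframe></iframe>',
  '&lt;script&gt;&lt;/script&gt;',
  '<script></script>',
];

// Escape text that will be placed inside an element body or attribute.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// A naive entity decoder of the kind sometimes applied to "pretty up" text.
// Decoding &amp; first is itself a flaw: it lets double-encoded input
// collapse to a live tag in one pass.
function decodeEntitiesNaive(html) {
  return html
    .replace(/&amp;/g, '&')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'");
}

// Vulnerable pattern: message text interpolated straight into markup.
function renderUnsafe(message) {
  return `<div class="message-body">${message}</div>`;
}

// Hardened pattern: escape first, so the text can never become markup.
function renderSafe(message) {
  return `<div class="message-body">${escapeHtml(message)}</div>`;
}

// Broken pipeline: escape, then decode entities before rendering. The decode
// undoes the escape, so both raw and entity-encoded tags become live tags.
function renderEscapeThenDecode(message) {
  return `<div class="message-body">${decodeEntitiesNaive(escapeHtml(message))}</div>`;
}

// Detection helper: tag names that appear inside the rendered message body.
// A correct renderer yields an empty list for any input.
function tagsInBody(html) {
  const m = html.match(/^<div class="message-body">([\s\S]*)<\/div>$/);
  if (!m) return [];
  const tags = [];
  const re = /<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g;
  let hit;
  while ((hit = re.exec(m[1])) !== null) tags.push(hit[1].toLowerCase());
  return [...new Set(tags)];
}

// Run every sample through a renderer and report the ones that produced markup.
function auditRenderer(render, messages = SAMPLE_MESSAGES) {
  return messages
    .map((msg) => ({ message: msg, tags: tagsInBody(render(msg)) }))
    .filter((r) => r.tags.length > 0);
}

for (const [name, render] of [
  ['unsafe', renderUnsafe],
  ['escape-then-decode', renderEscapeThenDecode],
  ['safe', renderSafe],
]) {
  console.log(name, JSON.stringify(auditRenderer(render)));
}
```

The audit loop is the check a reviewer can run against any rendering function that turns message text into markup: feed it the sample messages and confirm that no tag survives in the body. Note that the entity-encoded sample is inert under the plain unsafe renderer (the browser shows it as literal text) and only becomes live once a decode step runs after escaping, which is why escaping must be the last transformation before the text reaches the DOM.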
- 2018-05-10 18:45 GMT-3: vuln discovered
- 2018-05-11 13:03 GMT-3: emailed Signal security team
- 2018-05-11 15:02 GMT-3: reply from Signal: vuln confirmed & patch ongoing
- 2018-05-11 16:12 GMT-3: patch committed
- 2018-05-11 18:00 GMT-3: signal-desktop update published
- 2018-05-14 18:00 GMT-3: public disclosure