OS Command Injection in fabio286/antares
Jun 25th 2021
The application displays the connection error message returned by the server without removing the malicious tags, which leads to XSS attacks.
Being an application made in electron, an XSS can be scaled to RCE, making it possible to execute commands on the machine where the application is running.
🕵️♂️ Proof of Concept
Run a connection test to this server to check the XSS
Client: MySQL Hostname/IP: 126.96.36.199 Port: 3307 User: any Password: any
Run a connection test to this server to check the RCE (this opens firefox on linux and calculator on windows )
Client: MySQL Hostname/IP: 188.8.131.52 Port: 3308 User: any Password: any
An attacker can create a server that returns a malicious error message and execute commands on the client machine.