CVE-2022-43143: BUG: Beekeeper Remote Code Execution via XSS · Issue #1393 · beekeeper-studio/beekeeper-studio
A cross-site scripting (XSS) vulnerability in Beekeeper Studio v3.6.6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the error modal container.
Author: [email protected]
Date: 2022-10-07
OS: Windows, Linux, MacOS
Beekeeper Studio Version: 3.6.6
DB Type & Version: MySQL 5.7 and 8.0
Summary
Remote code execution can be triggered via Beekeeper's modal container.
Description
Beekeeper has a modal container which indicates whether the user's interaction is valid. Because the modal contents are not sanitized, it has an XSS vulnerability, as shown here:
[1]
[2]
The modal's content is also taken from the MySQL response packet when the user's interaction is invalid (the server's error message is displayed in the modal).
So, building on the report in CVE-2022-26174, it has been possible to achieve remote code execution via the modal container.
In this case, I made a fake MySQL server which spoofs the user's modal output when the user puts some data into a table.
This is my sample fake SQL server : poc.py
You can see in this PoC video that the fake SQL server triggers RCE via Beekeeper.
PoC_Video
In this video, I used the XSS script `<input type="text" onfocus="require('child_process').execSync('calc.exe')" autofocus />` as the modal error output; any input the user passes is replaced by that XSS script and passed back to the user.
Finally, the malicious code is triggered on the user's PC and keeps running until the modal is dismissed.
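The rendering flaw behind this report, as an added JavaScript example that is not Beekeeper Studio's code: an error modal that concatenates the database server's error text into HTML, beside the escaped form and a check that flags markup in server error text. The error string is constructed to mirror the payload quoted above, and the function names are assumptions.

```javascript
// Added example, not Beekeeper Studio's code. Function names are assumptions.
// A malicious MySQL server controls the text of its error packet; the string
// below is constructed to mirror the payload quoted in this report.
const SERVER_ERROR =
  '<input type="text" onfocus="require(\'child_process\').execSync(\'calc.exe\')" autofocus />';

// Vulnerable pattern: the server text is concatenated straight into the modal's
// markup. Assigned to innerHTML in a renderer that exposes Node's require(),
// the onfocus handler runs and the XSS becomes code execution on the client.
function renderErrorModalUnsafe(message) {
  return `<div class="modal-error">${message}</div>`;
}

// Hardened pattern: escape the HTML-significant characters so the message is
// shown literally. Equivalent to using textContent instead of innerHTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderErrorModalSafe(message) {
  return `<div class="modal-error">${escapeHtml(message)}</div>`;
}

// Detection heuristic: a genuine database error message has no reason to
// contain a tag, so flag server error text that opens one (for logging, or
// for refusing to display it). May false-positive on text such as "a<b".
function looksLikeMarkup(message) {
  return /<[a-z!\/]/i.test(String(message));
}

// Defense in depth for Electron apps: keep nodeIntegration disabled and
// contextIsolation enabled so injected script cannot reach require() at all.
```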
What’s More?
- Not only data-inserting functions but any function that uses the error modal (e.g. create table) can seemingly trigger RCE as well.
Temporary Fake SQL Server
146.56.129.188:3306
- You can try this PoC against that fake SQL server with Beekeeper.
- If you have any problems, contact me via [email protected] or [email protected]
- Thank You :)
Related news
A remote code execution (RCE) vulnerability in Beekeeper Studio v3.2.0 allows attackers to execute arbitrary code via a crafted payload injected into the display fields.