CVE-2022-43143: BUG: Beekeeper Remote Code Execution via XSS · Issue #1393 · beekeeper-studio/beekeeper-studio

Author: [email protected]

Date: 2022-10-07

OS: Windows, Linux, MacOS

Beekeeper Studio Version: 3.6.6

DB Type&Version: MySQL 5.7 and 8.0 Also

Summary

It has been possible to trigger remote code execution via Beekeeper’s Modal Container.

Description

Beekeeper has the modal container which indicates the user’s interaction is valid and due to a lack of sanitization of the modal contents, It has an XSS vulnerability like this:

[1]

[2]

The modal’s content also is transferred by MySQL packet when only the user’s interaction is invalid like this:

So, Taking advantage of the report in CVE-2022-26174, it has been possible Remote Code Execution via Modal Container.

In this case, I made the fake MySQL server which spoofs user’s modal output when the user puts some data in a table.

This is my sample fake SQL server : poc.py

You can see this poc video that fake SQL server triggers RCE via Beekeeper.

PoC_Video

In this video, I used this XSS script <input type="text" onfocus="require(‘child_process’).execSync(‘calc.exe’)" autofocus /> for modal error output and any input that user passes is replaced by that XSS script and re-passed to the user.

Finally, Malicious Code is triggered in the user’s PC and is continued until the modal is inactivated.

What’s More?

• Not only data inserting functions but also any functions which use error modal(e.g. create table), It seems that we can trigger RCE too.

Temporary Fake SQL Server

146.56.129.188:3306

• You can do these poc in this fake SQL server with Beekeeper
• If you have any problems, contact me via [email protected] or [email protected]
• Thank You :)