lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 14 May 2018 20:51:42 -0300
From: Alfredo Ortega <>
Subject: [FD] CVE-2018-10994: HTML tag injection in Signal-desktop

Title: HTML tag injection in Signal-desktop

Date Published: 14-05-2018

CVE Name: CVE-2018-10994

Class: Code injection

Remotely Exploitable: Yes

Locally Exploitable: No

Vendors contacted:

Vulnerability Description:

Signal-desktop is the standalone desktop version of the secure Signal
This software is vulnerable to remote code execution from a malicious
by sending a specially crafted message containing HTML code that is
into the chat windows (Cross-site scripting).

Vulnerable Packages:

Signal-desktop messenger v1.7.1
Signal-desktop messenger v1.8.0
Signal-desktop messenger v1.9.0
Signal-desktop messenger v1.10.0

Solution/Vendor Information/Workaround

Upgrade to Signal-desktop messenger v1.10.1, v1.11.0-beta.3.


This vulnerability was found and researched by:
Iván Ariel Barrera Oro (@HacKanCuBa), Alfredo Ortega (@ortegaalfredo) and
Juliano Rizzo (@julianor), with assistance from
Javier Lorenzo Carlos Smaldone (@mis2centavos).

Technical Description - Exploit/Concept Code

While discussing a XSS vulnerability on a website using the Signal-desktop
messenger, it was found that the messenger software also displayed a
code-injection vulnerability while parsing the affected URLs.
The Signal-desktop software fails to sanitize specific html-encoded HTML
that can be used to inject HTML code into remote chat windows.
Specifically the <img> and <iframe> tags can be used to include remote
or local
resources. For example, the use of iframes enables full code execution,
 an attacker to download/upload files, information, etc. The <script>
tag was
also found injectable.
In the Windows operative system, the CSP fails to prevent remote
inclusion of
resources via the SMB protocol. In this case, remote execution of
JavaScript can
be achieved by referencing the script in a SMB share as the source of an
iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html>.
The included javascript code is then executed automatically, without any
interaction needed from the user. The vulnerability can be triggered in the
Signal-Desktop client by sending a specially crafted message. Example

    Show an iframe with some text:


    Show a base64-encoded image (bypass "click to download image"):


    Include and auto-execute a remote JavaScript file (for Windows



    * 2018-05-10 18:45 GMT-3: vuln discovered

    * 2018-05-11 13:03 GMT-3: emailed Signal security team

    * 2018-05-11 15:02 GMT-3: reply from Signal: vuln confirmed & patch

    * 2018-05-11 16:12 GMT-3: patch committed

    * 2018-05-11 18:00 GMT-3: signal-desktop update published

    * 2018-05-14 18:00 GMT-3: public disclosure

    * Patch:
    * Writeup:

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ