Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1namo1LTk5OGctdjM2ds0keA

Improper Access Control in Onionshare

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.

Description:

Anyone with access to the chat environment can write messages disguised as another chat participant.

Technical description:

Prerequisites:

otf-003-a

This screenshot shows Alice (glimpse-depress) and Bob (blinker-doorpost) joined a chatroom and are the only participants in the chatroom. Then the non-listed user squad-nursing writes a message in the chatroom without being visible in the list of users. The sending of the message itself is not required but was done here to show the initial access. The non-listed participant now renames himself to Bob and writes another message, seemingly coming from Bob.

This can be reproduced by slightly modifying the client-side JavaScript. The joined emit needs to be removed from the socket.on(connect) event handler. Therefore a client is not listed in the userlist and has no active session.

https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/resources/static/js/chat.js#L16-L18

This can be done either via a crafted client or runtime modification of the chat.js script in the browser's internal debugger.

It is still possible to call the text method and send text to the chat via websocket.

https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/chat_mode.py#L131-L139

It is also possible to call the update_username function and choose an existing username from the chat.

https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/chat_mode.py#L141-L162

Afterwards the hidden user can send messages that are displayed as coming from the impersonated user. There is no way to distinguish between the fake and original message.

Impact:

An adversary with access to the chat environment can impersonate existing chat participants and write messages but not read the conversation. The similar exploit described in OTF-004 (page 19) has only slightly more requirements but also allows for reading.

Recommendation:

Permalink: https://github.com/advisories/GHSA-gjj5-998g-v36v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1namo1LTk5OGctdjM2ds0keA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago


CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-gjj5-998g-v36v, CVE-2022-21692
References: Repository: https://github.com/onionshare/onionshare
Blast Radius: 1.0

Affected Packages

pypi:onionshare-cli
Dependent packages: 0
Dependent repositories: 0
Downloads: 376 last month
Affected Version Ranges: >= 2.3, < 2.5
Fixed in: 2.5
All affected versions:
All unaffected versions: