alexpinel/Dot

Vulnerability Report: Remote Code Execution in the Dot Desktop Application


EDMPL commented

Hi, sorry for reporting it here. I want to report a security vulnerability that I've found in the application.

Tested on: MacOS
Affected Version: 0.9.3

Description

A critical vulnerability has been identified in the Dot Electron desktop application. The issue stems from improperly sanitized user input in the chat box that leads to a Cross-Site Scripting (XSS) vulnerability. Since the nodeIntegration attribute is set to true, it is possible to call the NodeJS API and leverage the issue to Remote Code Execution (RCE). By exploiting this XSS vulnerability, an attacker can execute arbitrary system-level commands, posing a significant security risk to end users.

Affected Code:

Lack of Sanitization of User Input and LLM Output (Root Cause):

userBubble.innerHTML = `<strong>${message}</strong>`;

botBubble.innerHTML = marked.parse(message);

nodeIntegration set to true (Please disable it if it's not needed):

nodeIntegration: true,

nodeIntegration: true,

nodeIntegration: true,

Simple PoC:
Payload (remove the [blank]): <img[blank]src=x[blank]onerror="alert(require('child_process').execSync('id').toString());">


Recommendation:
Escape special characters or HTML tags in the chat box. If it's really needed, create a whitelist of allowed HTML tags that could not lead to issues like XSS.

Simple Example:
function sanitize(msg) {
  // Replace the tag delimiters with their HTML entities so the browser renders them as text.
  msg = msg.replaceAll(/</g, "&lt;");
  msg = msg.replaceAll(/>/g, "&gt;");
  // add more sanitization here.....
  return msg;
}
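As an added example that is not part of this report or the Dot project's code, the escaping the recommendation describes, applied to the user bubble, beside the vulnerable shape from the report, plus the BrowserWindow webPreferences that keep an injected script away from Node. `escapeHtml`, `renderUserBubble`, `containsForeignTag` and the element stub are assumptions so that it runs under plain Node without a DOM:

```javascript
// Added example: escape untrusted chat text before it reaches innerHTML,
// and turn off nodeIntegration so an XSS has no require() to call.

// The five characters HTML attaches meaning to. A single regex pass with a
// callback means an '&' in the input is escaped exactly once, never twice.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in for a DOM element so this runs under Node (assumption: the real
// renderer uses the actual element, with the same innerHTML contract).
function makeBubble() {
  return { innerHTML: "" };
}

// Vulnerable shape from the report, kept only for comparison: the raw
// message is parsed as markup, so <img onerror=...> runs as script.
function renderUserBubbleUnsafe(bubble, message) {
  bubble.innerHTML = `<strong>${message}</strong>`;
  return bubble.innerHTML;
}

// Fixed: the message is escaped first, so tags arrive as inert text.
function renderUserBubble(bubble, message) {
  bubble.innerHTML = `<strong>${escapeHtml(message)}</strong>`;
  return bubble.innerHTML;
}

// Assumed webPreferences for the BrowserWindow: with nodeIntegration off and
// contextIsolation on, even a successful injection cannot reach child_process.
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};

// Detection helper: true when any tag other than the renderer's own
// <strong> wrapper survives in the rendered markup.
function containsForeignTag(html) {
  return /<(?!\/?strong>)/.test(html);
}
```

The bot bubble, which feeds LLM output through marked.parse, needs a real HTML sanitizer (an allowlist-based one such as DOMPurify) rather than this escaper, since escaping would strip the markdown formatting entirely.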