Includes old PDF.js vulnerable to CVE-2018-5158, allowing attacker-supplied JS to be executed in a user's browser on viewing a PDF in the repository web UI
HackerOne report #462996 by certifiable on 2018-12-14:
Summary: Includes old PDF.js vulnerable to CVE-2018-5158, allowing attacker-supplied JavaScript to be executed in a user's browser (in a web worker context initially) simply by the user viewing a PDF in the repository web UI
Description: The version of PDF.js embedded in GitLab is 1.8.172, which is vulnerable to CVE-2018-5158. Per the summary, attacker-supplied JavaScript will be executed in a web worker context. https://bugzilla.mozilla.org/show_bug.cgi?id=1452075 has a lot of pertinent detail, and is well worth a read. The PoC I have uploaded is derived from the one attached to that bug report, with a few minor modifications (the original has a spurious '/' character as the first byte, which prevents rendering in GitLab because of file type detection, and I changed the message).
I have not as yet managed to derive a full exploit, but the bugzilla link above does provide a general direction that suggests it should be possible to pass fonts to the viewer that will contain further JavaScript that will execute in the main browser context, at which point we're into full-on Stored XSS territory. I will continue to work on that, mainly out of interest, but I don't believe it is strictly necessary before reporting the underlying issue. Please let me know if you have a particular interest in a well-developed exploit to confirm severity.
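One defensive check this finding motivates, written here as an added example (it is neither the reporter's PoC nor GitLab code): scan a deployed asset tree for bundled PDF.js builds and flag any whose embedded version string is at or below the 1.8.172 the report names. The version-string patterns, the `fixed_version` parameter and the sample build string are assumptions; PDF.js builds normally carry a `pdfjsVersion` assignment, but treat a match as a heuristic fingerprint.

```python
import os
import re
from typing import List, Optional, Tuple

# Version the report states was embedded in GitLab at the time of the finding.
VULNERABLE_PDFJS_VERSION = "1.8.172"
# Assumption: PDF.js builds carry one of these version assignments; treat a
# match as a heuristic fingerprint, not proof that the file is PDF.js.
VERSION_PATTERNS = [
    re.compile(r"pdfjsVersion\s*=\s*['\"](\d+\.\d+\.\d+)['\"]"),
    re.compile(r"PDFJS\.version\s*=\s*['\"](\d+\.\d+\.\d+)['\"]"),
]
# Constructed sample standing in for a bundled build (not a real GitLab asset).
SAMPLE_BUILD = "/* constructed */ var pdfjsVersion = '1.8.172';"

def parse_version(ver: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in ver.split("."))

def extract_pdfjs_version(source: str) -> Optional[str]:
    """Return the first PDF.js version string found in JS source, else None."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(source)
        if match:
            return match.group(1)
    return None

def is_affected(ver: str, fixed_version: Optional[str] = None) -> bool:
    """Flag builds still exposed to CVE-2018-5158.
    The report names no fixed release, so by default this is a floor: anything
    at or below 1.8.172 is flagged and newer builds are left for manual review.
    Pass the patched release, if known, for an exact comparison."""
    if fixed_version is not None:
        return parse_version(ver) < parse_version(fixed_version)
    return parse_version(ver) <= parse_version(VULNERABLE_PDFJS_VERSION)

def scan_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Walk an asset tree; return (path, version, affected) per PDF.js build found."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                ver = extract_pdfjs_version(fh.read())
            if ver is not None:
                findings.append((path, ver, is_affected(ver)))
    return findings
```

Run `scan_tree()` against the directory that serves the instance's compiled front-end assets; any tuple with `affected` set to True marks a bundle to upgrade before PDFs from untrusted contributors are rendered.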
Steps To Reproduce:
- Create a project
- add/commit/push the test.pdf attached
- As any user, navigate to the Repository/Files view for that project
- Open the web developer console in your browser
- Click the PDF in the files view
- Observe "Stored XSS" being logged to the console
Supporting Material/References:
N/A
Impact
Stored XSS executing JavaScript in the PDF.js web worker context upon the user simply viewing a malicious PDF via the repository UI, with as yet unproven potential to escalate that to full XSS inside the main browser context.