Coordinated Disclosure Timeline

Summary

A Cross-Site Scripting (XSS) vulnerability was found in the login functionality of Umbrel, a home server OS. It can lead to Remote Code Execution (RCE).

Project

Umbrel

Tested Version

umbrelOS 1.2.1

Details

Cross-site scripting to RCE (GHSL-2024-164)

The login functionality of Umbrel before version 1.2.2 contains a reflected cross-site scripting (XSS) vulnerability in use-auth.tsx. An attacker can specify a malicious redirect query parameter to trigger the vulnerability. If a javascript: URL is passed as the redirect parameter, the attacker-provided JavaScript is executed after the user has entered their password and clicked on login.

The redirect query parameter flows unchecked from getRedirectPath():

getRedirectPath() {
	return new URLSearchParams(window.location.search).get('redirect') || '/'
},

into the window.location.href sink:

window.location.href = redirect.getRedirectPath()

This vulnerability was discovered with the help of CodeQL’s Client-side cross-site scripting query.
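As an added illustration (not code from the Umbrel project or from this advisory), the vulnerable getter is shown beside a hardened variant that only accepts an app-local path and falls back to '/' otherwise; the function names and the http://umbrel.local base origin are assumptions for the example:

```javascript
// Added example, not Umbrel's code. The base origin and helper names are assumed.

// Vulnerable form: the query value reaches the location sink unchanged, so
// "javascript:..." or "https://attacker.example/" are used as-is.
function getRedirectPathUnsafe(search) {
  return new URLSearchParams(search).get('redirect') || '/';
}

// Hardened form: resolve the value against the app origin and keep it only
// if the result is still same-origin and still a plain path.
function getRedirectPathSafe(search, base = 'http://umbrel.local') {
  const raw = new URLSearchParams(search).get('redirect') || '/';
  let resolved;
  try {
    resolved = new URL(raw, base);
  } catch {
    return '/'; // unparsable value
  }
  // javascript: and data: URLs get origin "null"; absolute, protocol-relative
  // ("//host") and backslash ("/\host") forms get the foreign host's origin.
  if (resolved.origin !== new URL(base).origin) return '/';
  // A same-origin pathname that begins with "//" (e.g. from "/x/..//y") would
  // be re-read as protocol-relative when assigned to location.href.
  if (resolved.pathname.startsWith('//')) return '/';
  // Hand back only path, query and fragment, never a full URL.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed sample inputs, as a browser would see them in location.search.
const samples = [
  '?redirect=%2Fapps%3Ftab%3D1',
  '?redirect=javascript:alert(1)',
  '?redirect=//attacker.example/x',
  '?redirect=/x/..//y',
];
for (const s of samples) {
  console.log(s, '->', getRedirectPathUnsafe(s), '|', getRedirectPathSafe(s));
}
```

Of the four constructed inputs only the first survives the hardened check; the other three all collapse to '/'.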

Proof of concept

An attacker can send the following link to a victim, who then logs in:

http://umbrel.local/login?redirect=javascript:alert(window.localStorage.getItem('jwt'))

For the sake of demonstration, the newly minted JWT of the user is displayed in an alert. Arbitrary JavaScript can be executed by the attacker in the context of the victim’s session.

Because commands can be executed inside the terminal of an Umbrel instance, an attacker can also craft JavaScript that leads to command execution on the server side. For example, the following JavaScript creates the file pwned.txt in the /tmp/ folder of the Umbrel instance:

let x = new WebSocket('ws://umbrel.local/terminal?appId=&rows=18&cols=159&token='.concat(window.localStorage.getItem('jwt')));
x.addEventListener('open', (event) => {
    x.send('date >> /tmp/pwned.txt\n');
});

An attacker could weave such a script into the URL of the proof of concept shown above. The URL needs to be opened by a user who can reach the Umbrel instance, so an attacker might point a user to it (e.g. via a phishing email or a redirect from a malicious website). This might enable an attacker to steal arbitrary files, such as private keys, from an Umbrel instance that is not directly reachable from the Internet.

Impact

This issue may lead to Remote Code Execution (RCE).

CVE

Credit

This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-164 in any communication regarding this issue.