https://github.com/eqstlab/cve-2024-25293
mjml-app v3.0.4 & 3.1.0-beta RCE exploit
- Host: GitHub
- URL: https://github.com/eqstlab/cve-2024-25293
- Owner: EQSTLab
- Created: 2024-09-06T06:12:32.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-09-06T06:12:55.000Z (almost 2 years ago)
- Last Synced: 2025-02-23T17:47:37.804Z (over 1 year ago)
- Size: 1000 Bytes
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# MJML Local Code Execution PoC
A proof of concept for CVE-2024-25293.
mjml-app v3.0.4 and 3.1.0-beta were found to contain a code execution flaw: the `href` attribute of an `mj-button` can point at a local executable, which is launched when a user who opens a shared project clicks the button.
This repository contains an example vulnerable project and a proof-of-concept (PoC) exploit for it.
The PoC is a Python file that automates the process.
---------------------------------------
### 1. Vulnerability Overview
* Vulnerability Subject: Local Code Execution
* Vulnerable Versions: mjml-app 3.0.4-win and mjml-app 3.1.0-beta
* Attack Type: Remote Code Execution (an attacker-supplied project is shared with the victim; the payload runs locally on click)
* Attack Component: the `href` attribute of the `mj-button` tag in the affected source file. A value that points at a local executable is launched when the button is clicked.
* CVE Number: CVE-2024-25293
---------------------------------------
### 2. Vulnerability Cause
* mjml-app 3.0.4-win and 3.1.0-beta do not restrict what the `href` attribute of an `mj-button` may point to (a security misconfiguration). A link target that names a local file is handed to the operating system and run, which results in arbitrary code execution.
* Exploit explanation
  * Opening local files through the link handling of an MJML application is a security risk on its own. Combined with path traversal in the `href` value, a program outside the application directory can be started as well, so the feature needs a patch.

Proof-of-concept (POC)
----------------------
**Step 1) The attacker creates an `mj-button` whose `href` points at a local executable, in one of two ways:**
* **case 1) Code Execution with Path Traversal (notepad.exe)**
* **case 2) Code Execution (calc.exe)**
```html
jruru
Code Execution
```

**Step 2) The attacker builds the main phishing project around that button, with code like the following.**
```py
This is a demo jruru
```

**Step 3) The victim opens the shared project and clicks the button, which launches the payload (e.g. calc.exe or notepad.exe).**

---------------------------------------
### 3. Additional Information
Launching executables through `href` targets inside an application is risky, and launching files via path traversal makes it worse: a phishing project can be created and shared so that opening it and clicking a button runs a local program. The link handling therefore has to be changed so that such targets are never passed to the operating system.
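An added example (not code from this repository or from mjml-app) of the kind of fix section 3 calls for: an allow-list check on the target of an `mj-button` `href`, used both as a gate in front of whatever hands clicked links to the OS and as a scan over a shared project before it is opened. The function names, the `openExternal` hook and the sample project below are assumptions made for this example.

```javascript
// Added example, not mjml-app's own code. Allow-list check for the target of
// an <mj-button href="..."> so that a shared project cannot make the preview
// launch a local program. Function names, the openExternal hook and the
// sample project below are assumptions made for this example.

// Only absolute web and mail links are ever handed to the operating system.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Return true only for an absolute URL with an allow-listed scheme and, for
// web links, a non-empty host. Relative paths ("../../x.exe"), drive paths
// ("C:\x.exe"), UNC paths ("\\host\share\x.exe"), file: and javascript:
// URLs all fail this check.
function isSafeHref(href) {
  if (typeof href !== "string") return false;
  const value = href.trim();
  if (value === "") return false;
  // Control characters can hide the real target from whoever reviews the project.
  if (/[\x00-\x1f\x7f]/.test(value)) return false;
  let url;
  try {
    url = new URL(value); // throws for relative paths and bare file names
  } catch {
    return false;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return false;
  if (url.protocol !== "mailto:" && url.hostname === "") return false;
  return true;
}

// Gate for the click handler: openExternal is whatever the application uses
// to hand a link to the OS (in an Electron app this is usually a wrapper
// around shell.openExternal). Returns true when the link was opened and
// false when it was blocked.
function openLinkSafely(href, openExternal) {
  if (!isSafeHref(href)) return false;
  openExternal(href);
  return true;
}

// Scan the raw MJML source of a project for mj-button href values that fail
// the check, so a shared project can be inspected before it is opened.
// The attribute text is checked as written; entity-encoded values should be
// decoded by the caller first.
const BUTTON_HREF_RE = /<mj-button\b[^>]*?\shref\s*=\s*(["'])(.*?)\1/gi;

function findUnsafeButtonHrefs(mjmlSource) {
  const unsafe = [];
  for (const match of mjmlSource.matchAll(BUTTON_HREF_RE)) {
    if (!isSafeHref(match[2])) unsafe.push(match[2]);
  }
  return unsafe;
}

// Constructed sample project: two legitimate buttons and three that point
// at local programs in the ways the advisory describes.
const SAMPLE_MJML = `
<mjml>
  <mj-body>
    <mj-section>
      <mj-column>
        <mj-button href="https://example.com/offer">View offer</mj-button>
        <mj-button href="mailto:sales@example.com">Contact us</mj-button>
        <mj-button href="../../../Windows/System32/notepad.exe">Open notepad</mj-button>
        <mj-button href="file:///C:/Windows/System32/calc.exe">Open calc</mj-button>
        <mj-button color="#ffffff" href='C:\\Windows\\System32\\calc.exe'>Drive path</mj-button>
      </mj-column>
    </mj-section>
  </mj-body>
</mjml>`;

// Returns the offending href values from the constructed sample (three of them).
function unsafeInSample() {
  return findUnsafeButtonHrefs(SAMPLE_MJML);
}

console.log("unsafe hrefs in sample:", unsafeInSample());
```

The check deliberately parses with the WHATWG `URL` class rather than matching strings: a relative path or bare file name has no scheme and fails to parse, a Windows drive path parses with its drive letter as the scheme and is rejected by the allow-list, and `file:` and `javascript:` are rejected outright. Wiring it in front of the real link handler is what stops case 1 and case 2 above; the scanner only helps a reviewer spot a hostile project before it reaches a user.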