Caio Lüders
Dec 6, 14 tweets, 5 min read
XSS 2 RCE on @flipper_zero

Got RCE through an XSS on lab.flipper.net , here's the writeup thread

github.com/caioluders/poc…

(PoC Video, printing 1337 on the flipper screen)
Was installing the unleashed firmware on my flipper and noticed that the "channel" parameter was being reflected in the dropdown. By pure reflex I injected an <img/src/onerror=alert(1)> tag and boom, XSS

ref : tinyxss.terjanq.me
The vulnerability occurs because of the "v-html" directive of Vue.js on the page
<q-item-label v-html="scope.opt.label" />

vuejs.org/api/built-in-d…
alert() is boring, let's get RCE! The website is used to interface with your @flipper_zero , install new apps, new firmware, commands, etc. This is done using the Web Serial API, an experimental API to read/write on serial devices, what could go wrong?

developer.mozilla.org/en-US/docs/Web…
The website has to ask the user for permission to connect, like for the webcam, but we can assume that the user already accepted because the XSS won't show if the flipper isn't connected. So I went to read how the serial communication is done on github.com/flipperdevices…
Looks like if we can execute screenFrame(data) the application will send a command to the flipper to display it on the screen, which is enough for the PoC. The problem was that everything was wrapped with Webpack.
Spent a lot of time debugging trying to find globally accessible objects and oh boy, it was impossible (accepting tips). Having given up on using the app's own code, I had to make my payload communicate directly with the flipper via serial.
So I just open a navigator.serial.getPorts() and communicate with it, right? Wrong, the port is already being used and I can't get a reference to it because of Webpack.
My workaround was to disconnect it and connect again, doing a .click() on the disconnect button (fuck webpack). Now we just need to send the right data to the flipper aaaaaaand ... the protocol is undocumented, nice
It uses ProtoBuf, which is not that hard to understand, but what an overkill of a protocol does flipper have, gosh (actually amazing) github.com/flipperdevices…
To simplify the PoC I just did all the steps on the application itself and console.log() the shit out of it, had to use HTTP Mock to change the js to properly get all the "packets" since it was too fast.
Also had to manually edit the 3rd byte of every packet in the final payload, because it's incremental (guessing powers), btw every connection begins with "start_rpc_session\r". Not sure what every byte is, but the biggest byte array is a bmp representation of the "1337" on screen
Then just replayed the data to the serial.

github.com/caioluders/poc…

What a wonderful era we live in, where XSS can get you RCE on an embedded device (ಥ﹏ಥ)
Shout out to @huntrdev for dealing with the disclosure process
huntr.dev/bounties/03ce4…
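The v-html bug from the thread, as an added example (not the thread's code and not the Flipper web app's): it models the vulnerable render path (raw HTML, like v-html) next to the fixed one (escaped text, like {{ }} interpolation), with a hypothetical channel list and the thread's own payload as the reflected "channel" value.

```javascript
// Added example: models how a reflected query parameter reaches a dropdown label
// and why v-html turns it into markup. Names and the channel list are hypothetical.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Vulnerable path: equivalent of <q-item-label v-html="scope.opt.label" />
// The label string is inserted as HTML, so tags inside it are parsed by the browser.
function renderLabelVHtml(label) {
  return `<div class="q-item__label">${label}</div>`;
}

// Fixed path: equivalent of <q-item-label>{{ scope.opt.label }}</q-item-label>
// Text interpolation escapes the value, so it is displayed, not parsed.
function renderLabelText(label) {
  return `<div class="q-item__label">${escapeHtml(label)}</div>`;
}

// Build the dropdown options from the page URL. An unknown "channel" value is
// appended as an extra option, which is how user input reaches the label.
function buildChannelOptions(queryString) {
  const params = new URLSearchParams(queryString);
  const requested = params.get("channel") ?? "release";
  const known = ["release", "rc", "dev"]; // hypothetical channel list
  const opts = known.map((c) => ({ value: c, label: c }));
  if (!known.includes(requested)) opts.push({ value: requested, label: requested });
  return opts;
}

// Defender's check: does any rendered label introduce a tag other than the
// wrapper <div>? True means the label was interpreted as HTML.
function labelsIntroduceMarkup(opts, render) {
  const html = opts.map((o) => render(o.label)).join("");
  return /<(?!\/?div\b)/.test(html);
}

// Constructed input: the payload from the thread, reflected via ?channel=
const PAYLOAD = "<img/src/onerror=alert(1)>";
const OPTS = buildChannelOptions("?channel=" + encodeURIComponent(PAYLOAD));
```

In the real app the fix is to render scope.opt.label with text interpolation or a plain label prop instead of v-html, unless the label has been sanitized before it reaches the template.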
