Closed Bug 1621692 (CVE-2020-6816) Opened 9 months ago Closed 6 months ago

mutation XSS in bleach.clean when math or svg and an RCDATA tag whitelisted and strip=False

Categories

(Webtools :: Bleach-security, defect)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: g-k, Assigned: g-k)

References

()

Details

Attachments

(1 file)

From the reporter submitted via security@ email:

Hello,

My name is Yaniv Nizry and I’m a researcher in the CxSCA group at Checkmarx.

I reported a mXSS in bleach last month, And I encountered another way to exploit bleach again.

Details:
There are some tags that are parsed differently whether they are inside or outside a Math/Svg tags.
For example, style tag:

Inside the svg tag it parses as XML and outside it parses as raw text.

In addition, there are some tags that when applying them to the inner html of svg/math tag they pop out:

PoC:

TL;DR – Poc example <svg><style><img src=x onerror=alert(1)>

In order to exploit this we need a tag that will not sanitize our data but will be parsed as HTML/XML (in order for the tag to pop out and run).
Here is a list of those tags (our condition for exploitation is svg or math whitelisted as well as one of the following):
script
noscript
style
noframes
xmp
noembed
iframe

The data in the style tag usually doesn’t supposed to run, but since it’s in an svg, the data inside it is XML\HTML. So the img tag will pop out of the svg and run.

I started investigating where in the code the problem is. It seems that the parsing is done right (it does recognize the tags inside the svg->style not as raw text) but for some reason it doesn’t sanitize it.
this vulnerability will not work in case the strip flag in bleach.clean function is set to true (default is false), here is the place it deletes the unwanted data:

I have one speculation where the problem is:

In bleach/_vendor/html5lib/serializer.py line 297, it ignores the namespace so if a tag is in an svg it will be treated the same, I did the patch above (not sure if it’s a good one). And also in line 302 looks like namespace check is in the TODO list.

I'm going to file separate bugs for impacted sites reported in the original email.

Summary: 2nd mXSS → mXSS via math or svg tag

Confirmed on Python 3.8.1 w/ bleach 3.1.1

Assignee: nobody → gguthe
Status: NEW → ASSIGNED
Summary: mXSS via math or svg tag → mutation XSS in bleach.clean when math or svg and an RCDATA tag whitelisted and strip=False
Attached file Advisory Fix GH PR

Tests pass locally on python versions 2.7 and 3.7 (and 3.8 modulo unrelated failures for the url parsing change) and in docs/ make doctest and make linkcheck pass.

bleach.clean("<svg><iframe><img evilAttribute='evilJS'></iframe>", tags=["svg", "math", "iframe"])
"<svg><iframe><img evilAttribute='evilJS'></iframe></svg>"
bleach.clean("<svg><iframe><img evilAttribute='evilJS'></iframe>", tags=["svg", "math", "iframe", "img"])
'<svg><iframe></iframe></svg><img>'

Something interesting, when img tag is allowed it pops out like in the browser and gets sanitize but when it's not white-listed it doesn't sanitize.
(that's why the onerror attribute on the MDN test got removed, but even when i tried to use an unlisted tag Ex. <svg onload=evilJS> it got removed as well because the following line removes everything that is in an iframe tag, after the bleach clean:
parsed.filterIframeHosts(settings.ALLOWED_IFRAME_PATTERNS), https://github.com/mdn/kuma/blob/b87f06ec0a1039f092b6e660ad1771839d8503c9/kuma/wiki/content.py#L195)

the advisory and v3.1.2 are public https://pypi.org/project/bleach/3.1.2/

Assigning CVE-2020-6816. Greg, can you add this to the advisory please?

Alias: CVE-2020-6816
Flags: needinfo?(gguthe)

This bug is part of a group of bugs in a security or private group which have the old default Severity of normal which has not been changed, and the default priority of --. This indicates that this bugs Severity should be set to -- so it will show up in triage lists.

Trying to set that severity again.

Severity: normal → --
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Group: webtools-security
You need to log in before you can comment on or make changes to this bug.