Patch XSS vulnerability

core/filters/base.rb

@@ -187,7 +187,7 @@ def self.is_valid_domain?(domain)
     def self.has_valid_browser_details_chars?(str)
       return false unless is_non_empty_string?(str)
 
-      !(str =~ %r{[^\w\d\s()-.,;:_/!\302\256]}).nil?
+      (str =~ %r{[^\w\d\s()-.,;:_/!\302\256]}).nil?
     end
 
     # Check for valid base details characters

core/filters/browser.rb

@@ -11,7 +11,7 @@ module Filters
     def self.is_valid_browsername?(str) # rubocop:disable Naming/PredicatePrefix
       return false unless is_non_empty_string?(str)
       return false if str.length > 2
-      return false if has_non_printable_char?(str)
+      return false unless has_valid_browser_details_chars?(str)
 
       true
     end
@@ -21,7 +21,7 @@ def self.is_valid_browsername?(str) # rubocop:disable Naming/PredicatePrefix
     # @return [Boolean] If the string has valid Operating System name characters
     def self.is_valid_osname?(str) # rubocop:disable Naming/PredicatePrefix
       return false unless is_non_empty_string?(str)
-      return false if has_non_printable_char?(str)
+      return false unless has_valid_browser_details_chars?(str)
       return false if str.length < 2
 
       true
@@ -32,7 +32,7 @@ def self.is_valid_osname?(str) # rubocop:disable Naming/PredicatePrefix
     # @return [Boolean] If the string has valid Hardware name characters
     def self.is_valid_hwname?(str) # rubocop:disable Naming/PredicatePrefix
       return false unless is_non_empty_string?(str)
-      return false if has_non_printable_char?(str)
+      return false unless has_valid_browser_details_chars?(str)
       return false if str.length < 2
 
       true
@@ -71,7 +71,7 @@ def self.is_valid_osversion?(str) # rubocop:disable Naming/PredicatePrefix
     # @return [Boolean] If the string has valid browser / ua string characters
     def self.is_valid_browserstring?(str) # rubocop:disable Naming/PredicatePrefix
       return false unless is_non_empty_string?(str)
-      return false if has_non_printable_char?(str)
+      return false unless has_valid_browser_details_chars?(str)
       return false if str.length > 300
 
       true
@@ -93,7 +93,7 @@ def self.is_valid_cookies?(str) # rubocop:disable Naming/PredicatePrefix
     # @return [Boolean] If the string has valid system platform characters
     def self.is_valid_system_platform?(str) # rubocop:disable Naming/PredicatePrefix
       return false unless is_non_empty_string?(str)
-      return false if has_non_printable_char?(str)
+      return false unless has_valid_browser_details_chars?(str)
       return false if str.length > 200
 
       true

core/main/handlers/browserdetails.rb

@@ -44,7 +44,7 @@ def setup
 
           # hooked window host name
           log_zombie_port = 0
-          if !@data['results']['browser.window.hostname'].nil?
+          if !@data['results']['browser.window.hostname'].nil? && BeEF::Filters.is_valid_hostname?(@data['results']['browser.window.hostname'])
             log_zombie_domain = @data['results']['browser.window.hostname']
           elsif !@data['request'].referer.nil? and !@data['request'].referer.empty?
             referer = @data['request'].referer
@@ -59,7 +59,7 @@ def setup
           end
 
           # hooked window host port
-          if @data['results']['browser.window.hostport'].nil?
+          if @data['results']['browser.window.hostport'].nil? || !BeEF::Filters.is_valid_port?(@data['results']['browser.window.hostport'].to_s)
             log_zombie_domain_parts = log_zombie_domain.split(':')
             log_zombie_port = log_zombie_domain_parts[1].to_i if log_zombie_domain_parts.length > 1
           else
@@ -92,6 +92,7 @@ def setup
             BD.set(session_id, 'browser.name.friendly', browser_friendly_name)
           else
             err_msg "Invalid browser name returned from the hook browser's initial connection."
+            browser_name = 'Unknown'
           end
 
           if BeEF::Filters.is_valid_ip?(zombie.ip)
@@ -242,11 +243,17 @@ def setup
             X_FORWARDED
             X_FORWARDED_FOR
           ].each do |header|
-            proxy_clients << (JSON.parse(zombie.httpheaders)[header]).to_s unless JSON.parse(zombie.httpheaders)[header].nil?
+            val = JSON.parse(zombie.httpheaders)[header]
+            unless val.nil?
+              val.to_s.split(',').each do |ip|
+                proxy_clients << ip.strip if BeEF::Filters.is_valid_ip?(ip.strip)
+              end
+            end
           end
 
           # retrieve proxy server
           proxy_server = JSON.parse(zombie.httpheaders)['VIA'] unless JSON.parse(zombie.httpheaders)['VIA'].nil?
+          proxy_server = nil unless proxy_server.nil? || BeEF::Filters.has_valid_browser_details_chars?(proxy_server)
 
           # store and log proxy details
           if using_proxy == true
@@ -273,6 +280,7 @@ def setup
             BD.set(session_id, 'browser.version', browser_version)
           else
             err_msg "Invalid browser version returned from the hook browser's initial connection."
+            browser_version = 'Unknown'
           end
 
           # get and store browser string
@@ -293,7 +301,11 @@ def setup
 
           # get and store browser language
           browser_lang = get_param(@data['results'], 'browser.language')
-          BD.set(session_id, 'browser.language', browser_lang)
+          if BeEF::Filters.has_valid_browser_details_chars?(browser_lang)
+            BD.set(session_id, 'browser.language', browser_lang)
+          else
+            err_msg "Invalid browser language returned from the hook browser's initial connection."
+          end
 
           # get and store the cookies
           cookies = get_param(@data['results'], 'browser.window.cookies')
@@ -309,6 +321,7 @@ def setup
             BD.set(session_id, 'host.os.name', os_name)
           else
             err_msg "Invalid operating system name returned from the hook browser's initial connection."
+            os_name = 'Unknown'
           end
 
           # get and store the OS family
@@ -322,15 +335,28 @@ def setup
           # get and store the OS version
           # - without checks as it can be very different, for instance on linux/bsd)
           os_version = get_param(@data['results'], 'host.os.version')
-          BD.set(session_id, 'host.os.version', os_version)
+          if BeEF::Filters.has_valid_browser_details_chars?(os_version)
+            BD.set(session_id, 'host.os.version', os_version)
+          else
+            err_msg "Invalid operating system version returned from the hook browser's initial connection."
+            os_version = 'Unknown'
+          end
 
-          # get and store the OS arch - without checks
+          # get and store the OS arch
           os_arch = get_param(@data['results'], 'host.os.arch')
-          BD.set(session_id, 'host.os.arch', os_arch)
+          if BeEF::Filters.has_valid_browser_details_chars?(os_arch)
+            BD.set(session_id, 'host.os.arch', os_arch)
+          else
+            err_msg "Invalid operating system architecture returned from the hook browser's initial connection."
+          end
 
           # get and store default browser
           default_browser = get_param(@data['results'], 'host.software.defaultbrowser')
-          BD.set(session_id, 'host.software.defaultbrowser', default_browser)
+          if BeEF::Filters.has_valid_browser_details_chars?(default_browser)
+            BD.set(session_id, 'host.software.defaultbrowser', default_browser)
+          else
+            err_msg "Invalid default browser returned from the hook browser's initial connection."
+          end
 
           # get and store the hardware type
           hw_type = get_param(@data['results'], 'hardware.type')

extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js

@@ -467,36 +467,38 @@ try{
 		}
 
 		// set zombie hover balloon text for tree node
+		// Use Ext.util.Format.htmlEncode() to prevent XSS via malicious browser properties
+		var encode = Ext.util.Format.htmlEncode;
 		var balloon_text = "";
-		balloon_text += hooked_browser.ip;
+		balloon_text += encode(hooked_browser.ip);
 		balloon_text += "<hr/>"
 		balloon_text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/favicon.png' /> ";
-		balloon_text += "Origin: " + hooked_browser.domain + ":" + hooked_browser.port;
+		balloon_text += "Origin: " + encode(hooked_browser.domain) + ":" + encode(hooked_browser.port);
 		balloon_text += "<br/>";
 		balloon_text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(browser_icon) + "' /> ";
-		balloon_text += "Browser: " + hooked_browser.browser_name + " " + hooked_browser.browser_version;
+		balloon_text += "Browser: " + encode(hooked_browser.browser_name) + " " + encode(hooked_browser.browser_version);
 		balloon_text += "<br/>";
 		balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(os_icon) + "' /> ";
 		if (hooked_browser.os_version == 'Unknown') {
-		  balloon_text += "OS: " + hooked_browser.os_name;
+		  balloon_text += "OS: " + encode(hooked_browser.os_name);
 		} else {
-		  balloon_text += "OS: " + hooked_browser.os_name + ' ' + hooked_browser.os_version;
+		  balloon_text += "OS: " + encode(hooked_browser.os_name) + ' ' + encode(hooked_browser.os_version);
 		}
 		balloon_text += "<br/>";
 		balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(hw_icon) + "' /> ";
-		balloon_text += "Hardware: " + hooked_browser.hw_name;
+		balloon_text += "Hardware: " + encode(hooked_browser.hw_name);
 		balloon_text += "<br/>";
 
 		if ( !hooked_browser.country || !hooked_browser.country_code || hooked_browser.country == 'Unknown' ) {
 			balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/unknown.png' /> ";
 			balloon_text += "Location: Unknown";
 		} else {
 			balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/country-squared/" + escape(hooked_browser.country_code.toLowerCase()) + ".svg' /> ";
-			balloon_text += "Location: " + hooked_browser.city + ", " + hooked_browser.country;
+			balloon_text += "Location: " + encode(hooked_browser.city) + ", " + encode(hooked_browser.country);
 		}
 
 		balloon_text += "<hr/>";
-		balloon_text += "Local Date: " + hooked_browser.date;
+		balloon_text += "Local Date: " + encode(hooked_browser.date);
 		hooked_browser.qtip = balloon_text;
 
 		// set zombie text label for tree node
@@ -511,7 +513,7 @@ try{
 			text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/country-squared/" + escape(hooked_browser.country_code.toLowerCase()) + ".svg' /> ";
 		}
 
-		text += hooked_browser.ip;
+		text += encode(hooked_browser.ip);
 		hooked_browser.text = text;
 
 		//save a new online HB