zhiyun xss

This article is going to be submitted for a CVE id, so the full text is in English.

OFFICIAL SITE

The official introduction of the software is:

Zhiyun Document Translation is a tool software produced by Zhiyun Document Reading Public Account to help researchers read pdf documents. Use it to read documents. You no longer need to switch the copy of the text on the pdf to the web page for translation, greatly improving the user experience and reading efficiency. While improving reading comprehension literature, it also takes into account the improvement of English proficiency. The software integrates multiple translation engines, you can always find a translation engine you like. Support Chinese-English translation. Support reading and translating PDF documents and documents. Support input translation mode.

The version I tested is V6.2.0, and the software is written in C#.

The code of the software has been obfuscated. Although the PoC does not require deobfuscation to work, the code has to be deobfuscated to understand the vulnerable code path.

I used de4dot to deobfuscate the software.

The vulnerable code is in namespace pdf > class Form1 > method 翻译:

```csharp
namespace pdf
{
    // Token: 0x02000005 RID: 5
    public partial class Form1 : Form
    {
        // Token: 0x06000041 RID: 65 RVA: 0x00006A40 File Offset: 0x00004C40
        public void 翻译(object str)
        {
            try
            {
                // str is the text the user selected in the PDF viewer
                string arg_16_0;
                if (str != null)
                {
                    if ((arg_16_0 = str.ToString()) != null)
                    {
                        goto IL_16;
                    }
                }
                arg_16_0 = "";
                IL_16:
                string text = arg_16_0;
                this.上一次翻译的文本 = text;
                string text2 = "";
                if (ClassMain.HasChinese(text))
                {
                    text = text.Replace(" ", "") + " ";
                }
                string documentText;
                if (!text.Contains(" "))
                {
                    // single word: dictionary lookup, result rendered as-is
                    text2 = this.getYouDaodanci(text);
                    documentText = text2;
                }
                else
                {
                    text = text.Trim();
                    // pick the configured translation engine
                    if (ClassMain.isjiekounum == 2)
                    {
                        text2 = this.getGoogle(text);
                    }
                    else if (ClassMain.isjiekounum == 1)
                    {
                        text2 = this.getBaiDu(text);
                    }
                    else if (ClassMain.isjiekounum == 3)
                    {
                        string text3 = this.gettengxun(text);
                        text2 = text3;
                    }
                    else if (ClassMain.isjiekounum == 4)
                    {
                        text2 = this.getYouDao(text);
                    }
                    else if (ClassMain.isjiekounum == 5)
                    {
                        text2 = this.getSouGou(text);
                    }
                    // translation result and the raw user text are concatenated
                    // straight into the HTML document, with no encoding
                    documentText = string.Concat(new string[]
                    {
                        "<!doctype html><html><head><meta charset=\"utf-8\"></head><body><div style=\"width:100%; \"><p style=\" font-family:'微软雅黑'; font-size:1.06em; font-weight:bold;line-height:2.5em;letter-spacing:1px; margin:0px; padding:0em 0.4em 0em 0em; \">翻译:</p><p style=\" font-family: Arial; font-size:0.94em; line-height:1.75em;letter-spacing:1px; margin:0; padding:0em 0.4em 0em 0em; text-align: justify; \">",
                        text2,
                        "</p><p style=\"margin:0.4em; padding:0;\"></p><p style=\" font-family:'微软雅黑'; font-size:1.06em; font-weight:bold;line-height:2.5em;letter-spacing:1px; margin:0; padding:0em 0.4em 0em 0em; \">原文:<span style=' font-size: 0.6em;font-weight: 100; color:#737070'> 可修改后右键重新翻译</span></p><p contenteditable=\"true\"; style=\" font-family: Arial; font-size:0.94em; line-height:1.56em;letter-spacing:1px; margin:0; padding:0em 0.4em 0em 0em; text-align: justify; \">",
                        text,
                        "</p></div></body></html>"
                    }); // vulnerable!!! text from the user
                }
                // the assembled HTML is rendered by the embedded WebBrowser control
                this.webBrowser1.DocumentText = documentText;
                this.webBrowser1.Refresh();
                if (this.webBrowser1.ContextMenuStrip == null)
                {
                    this.webBrowser1.ContextMenuStrip = this.contextMenuStrip1;
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.ToString());
            }
        }
    }
}
```

After the input is received from the user, the text is concatenated into the HTML of documentText without any filtering or encoding and rendered in webBrowser1.

If the user enters `<script>alert(/xss/);</script>`, the XSS vulnerability is triggered.

Because the software's input must be a PDF, the XSS payload is written into a PDF; opening that PDF in the software and selecting the JavaScript text with the mouse so that the software translates it triggers the XSS.
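The fix is to treat both strings as text nodes rather than markup before they reach the WebBrowser control. The following is an added example written for this article, not the project's own code; `SafeDocument.Build` and its parameter names are assumptions, and the page styling is reduced to the two paragraphs that matter.

```csharp
// Added example (not the project's code): the string-building step of the
// 翻译 method rewritten so that neither the user's text nor the translation
// engine's reply can inject markup. Names here are assumptions.
using System;
using System.Net;

static class SafeDocument
{
    // Encodes both strings as HTML text: "<", ">", "&" and quotes become
    // entities, so a selected "<script>" is shown literally in the 原文
    // paragraph instead of being executed by the WebBrowser control.
    public static string Build(string translation, string original)
    {
        string safeTranslation = WebUtility.HtmlEncode(translation ?? "");
        string safeOriginal = WebUtility.HtmlEncode(original ?? "");
        return "<!doctype html><html><head><meta charset=\"utf-8\"></head><body>"
             + "<p>翻译:</p><p>" + safeTranslation + "</p>"
             + "<p>原文:</p><p contenteditable=\"true\">" + safeOriginal + "</p>"
             + "</body></html>";
    }

    static void Main()
    {
        // Constructed sample: the payload from the article, as it would be
        // selected from a PDF and passed to 翻译.
        string payload = "<script>alert(/xss/);</script>";
        string html = Build("translated text", payload);
        Console.WriteLine(html);
        // Check: the raw tag never reaches the rendered document.
        if (html.Contains("<script>")) throw new Exception("encoding failed");
    }
}
```

Encoding the translation result as well matters because it comes back from a remote engine over the network, so it is no more trustworthy than the selected text.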

Files and poc uploaded to Github: https://github.com/WWILLV/zhiyun-xss
