## https://sploitus.com/exploit?id=1E9525B3-D72A-51BE-B627-9513A41606E8
# CVE-2023-30856 Security Patch for eDEX-UI
## โ ๏ธ Critical Security Alert
**eDEX-UI is archived and abandoned** (October 2021). This vulnerability allows **remote command execution** through cross-site WebSocket hijacking. The original maintainers have **no plans to patch this issue**.
---
## Vulnerability Details
**CVE-2023-30856** - Cross-site WebSocket Hijacking โ Remote Command Execution (RCE)
- **Severity**: **CRITICAL 10.0** (NIST NVD) / High 8.3 (GitHub CNA)
- **Attack Vector**: Network
- **Attack Complexity**: Low
- **Privileges Required**: None
- **User Interaction**: None (automatic when browsing web)
- **Scope**: Changed
- **Impact**: **HIGH** Confidentiality, Integrity, Availability compromise
### How the Attack Works
1. User runs eDEX-UI (opens WebSocket on localhost)
2. User visits malicious website in browser
3. Website connects to eDEX-UI's WebSocket (`ws://localhost:3000`)
4. Website sends arbitrary commands to your shell
5. **Commands execute with your user privileges**
### Vulnerable Code Location
```
edex-ui/src/classes/terminal.class.js:458
this.wss.on("connection", ws => {
```
## Community Security Patch
Since **no official patch exists**, this community fix implements origin validation:
```javascript
// REPLACE the WebSocket server initialization with:
this.wss = new this.Websocket({
port: this.port,
clientTracking: true,
verifyClient: info => {
// Existing single connection limit
if (this.wss.clients.length >= 1) {
return false;
}
// CRITICAL FIX: Block external origins
const origin = info.req.headers.origin;
if (origin && !origin.startsWith("file://")) {
console.log(`๐ก๏ธ BLOCKED malicious connection from: ${origin}`);
return false;
}
return true;
}
});
```
### What This Prevents
- โ Malicious websites connecting to your terminal
- โ Remote command execution attacks
- โ Cross-site WebSocket hijacking
- โ Unauthorized shell access
## Immediate Actions Required
### 1. Apply the Patch (Urgent)
**Location**: `src/classes/terminal.class.js` around line 458
Find the WebSocket server creation and add the `verifyClient` validation shown above.
### 2. Verification
After patching, malicious connection attempts will be logged:
```
BLOCKED malicious connection from: https://malicious-site.com
```
### 3. Test Local Functionality
eDEX-UI should continue working normally with local file-based connections.
## Official Workarounds (From Maintainers)
Since **no patch will be released**, the original team suggests:
1. **Shut down eDEX-UI when browsing the web**
2. **Run eDEX-UI with minimal privileges** (limited user account)
*These workarounds are impractical for normal use - applying the community patch is recommended.*
## Building the Patched Version
eDEX-UI uses legacy dependencies that are challenging to build on modern systems:
### Prerequisites
```bash
# Use Node.js 16.x (required for compatibility)
nvm use 16.20.2
# Install build tools (Ubuntu/Debian)
sudo apt-get install build-essential python3-dev
# For other systems:
# CentOS/RHEL: sudo yum groupinstall "Development Tools"
# Arch: sudo pacman -S base-devel python
# macOS: xcode-select --install
```
## Run Without Building
If building fails persistently, you can run eDEX-UI in development mode with the security patch:
```bash
# Apply the patch to src/classes/terminal.class.js
# Then run in development mode:
npm start
```
**Note**: Development mode still applies your security patch and is safer than unpatched eDEX-UI.
## Risk Assessment
### Before Patch: **CRITICAL RISK** โ (CVSS 10.0)
- Any website can execute commands on your system
- **MAXIMUM severity rating** - Complete system compromise possible
- No user interaction required
- Works silently in background
- Full access to your user account privileges
- **Confidentiality, Integrity, and Availability all HIGH impact**
### After Patch: REDUCED RISK โ
- External WebSocket connections blocked
- Local functionality preserved
- Attack surface significantly reduced
### Ongoing Risks (Unmaintained Software) โ ๏ธ
- Other undiscovered vulnerabilities likely exist
- Dependencies are 3+ years old with known security issues
- No future security updates will be provided
- Compatibility with modern systems will degrade
## Recommended Migration Path
**For Security-Conscious Users**: Migrate to maintained alternatives
### Modern Terminal Alternatives
- **Warp** - Modern terminal with AI features
- **Hyper** - Electron-based, actively maintained
- **Alacritty** - Fast, GPU-accelerated
- **Kitty** - Feature-rich with good performance
- **Windows Terminal** - Microsoft's modern terminal
- **iTerm2** - macOS-specific advanced terminal
### For eDEX-UI's Unique Features
- **Cool-retro-term** - Retro terminal aesthetics
- **Terminator** - Multiple terminal panes
- **Guake/Yakuake** - Drop-down terminals
- **Custom themes** in modern terminals can replicate the sci-fi look
## Legal and Ethical Notice
### This Community Patch
- โ Addresses the specific CVE-2023-30856 vulnerability
- โ Maintains original functionality
- โ Does not modify licensing or distribution rights
- โ ๏ธ Provided "as-is" without warranty
- โ ๏ธ Users assume responsibility for modifications
### Continued Use of eDEX-UI
- **Not recommended for production environments**
- **Personal use only** - understand the security implications
- **Regular security monitoring** is essential
- **Network isolation** strongly recommended
## Resources
### Security Information
- **CVE Database**: CVE-2023-30856
- **NVD Published**: April 28, 2023
- **NVD Last Modified**: November 21, 2024
- **NIST CVSS**: **10.0 CRITICAL** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- **GitHub CNA CVSS**: 8.3 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
- **GitHub Security Advisory**: GHSA-q8xc-f2wf-ffh9
- **CWE Classifications**: CWE-346 (Origin Validation Error), CWE-1385 (Missing Origin Validation in WebSockets)
- **Reporter**: aufzayed
### Technical References
- **WebSocket Hijacking**: https://christian-schneider.net/CrossSiteWebSocketHijacking.html
- **Vulnerable Code**: `edex-ui/src/classes/terminal.class.js:458`
- **CWE Classification**: CWE-1385
---
## Summary
**eDEX-UI is abandoned software with a critical RCE vulnerability.** The original maintainers will not provide patches. This community fix prevents the specific attack while you plan migration to maintained software.
**๐ Apply this patch immediately if you continue using eDEX-UI. Plan migration to secure, maintained alternatives.**