Popcorn Time 0.4.7 - XSS to RCE

Summary

NamePopcorn Time 0.4.7 - XSS to RCE
Code nameBowie
ProductPopcorn Time
Affected versionsVersion 0.4.7 (Just Keep Swimming)
StatePublic
Release date2022-05-17

Vulnerability

KindXSS to RCE
Rule010. Stored cross-site scripting (XSS)
RemoteNo
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
CVSSv3 Base Score7.7
Exploit availableNo
CVE ID(s)CVE-2022-25229

Description

Popcorn Time 0.4.7 has a Stored XSS in the Movies API Server(s) field via the settings page. The nodeIntegration configuration is set to on which allows the webpage to use NodeJs features, an attacker can leverage this to run OS commands.

Proof of Concept

Steps to reproduce

  1. Open the Popcorn time application.

  2. Go to settings.

  3. Enable Show advanced settings.

  4. Scroll down to the API Server(s) section.

  5. Insert the following PoC inside the Movies API Server(s) field and click on Check for updates.

a"><script>require('child_process').exec('calc');</script>
  1. Scroll down to the Database section and click on Export database.

  2. The application will create a .zip file with the current configuration.

  3. Send the configuration to the victim.

  4. The victim must go to Settings -> Database and click on Import Database

  5. When the victim restarts the application the XSS will be triggered and will run the calc command.

System Information

  • Version: Popcorn Time 0.4.7.
  • Operating System: Windows 10.0.19042 N/A Build 19042.
  • Installer: Popcorn-Time-0.4.7-win64-Setup.exe

Exploit

There is no exploit for the vulnerability but can be manually exploited.

Mitigation

An updated version of PopcornTime is available at the vendor page.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://github.com/popcorn-official/popcorn-desktop

Issue https://github.com/popcorn-official/popcorn-desktop/issues/2491

Timeline

Time-lapse-logo

2022-04-26

Vulnerability discovered.

Time-lapse-logo

2022-04-26

Vendor contacted.

Time-lapse-logo

2022-05-04

Vendor Confirmed the vulnerability.

Time-lapse-logo

2022-05-07

Vulnerability patched.

Time-lapse-logo

2022-05-17

Public Disclosure.