MeshCentral From Agent-Controlled Stored XSS to Fleet-Wide R...#2376

Open
carlospolop wants to merge 1 commit into master from update_MeshCentral_From_Agent-Controlled_Stored_XSS_to__fb557b311241b1e1

Conversation

@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://techanarchy.net/meshcentral-from-xss-to-rce
  • Blog Title: MeshCentral: From Agent-Controlled Stored XSS to Fleet-Wide RCE
  • Suggested Section: Network Services Pentesting -> 80,443 - Pentesting Web Methodology -> MeshCentral; also cross-reference from Pentesting Web -> XSS and WebSocket Attacks

🎯 Content Summary

The post documents a full exploit chain against MeshCentral, an open-source, self-hosted remote monitoring and device management platform. The vulnerability is tracked as GitHub Advisory GHSA-c7hr-448w-65px and affects MeshCentral 1.1.59 and below. The core issue is stored XSS in agent-controlled metadata: a rogue or compromised MeshAgent can inject arbitrary HTML/JavaScript into the osdesc OS description field of its coreinfo...

🔧 Technical Details

Agent-controlled stored XSS through trusted device metadata: Management platforms often trust metadata submitted by enrolled agents and later render that metadata in administrator dashboards. If fields such as OS description, hostname, device model, username, or agent status are stored and displayed without output encoding, a rogue or compromised agent can inject HTML/JavaScript. In this case, MeshCentral accepted an agent coreinfo value named osdesc and rendered it in the device details UI. A payload such as <img src=x onerror="alert('XSS: '+document.domain)"> becomes stored XSS and executes when an admin views the device.

Agent impersonation using locally readable enrollment secrets: If an endpoint agent stores its enrollment configuration, node identity, certificate, or private key material in files readable by low-privileged users, a local attacker can copy those files and impersonate the agent from another system....

🤖 Agent Actions

Done.

Updated:

  • src/network-services-pentesting/pentesting-web/meshcentral.md
  • src/network-services-pentesting/pentesting-web/README.md
  • src/SUMMARY.md

Added a new MeshCentral page covering:

  • agent-controlled stored XSS via device metadata
  • low-privileged agent impersonation via MeshAgent.msh / MeshAgent.db
  • /agent.ashx handshake notes
  • XSS to privileged /control.ashx WebSocket abuse
  • runcommands / runAsUser:0 fleet-wide RCE pattern
  • detection and upgrade guidance
  • references to the blog, advisory, PoC, and fix PR

Validation:

  • Checked diff
  • Verified linked internal paths exist
  • Ran git diff --check
  • mdbook build could not be run because mdbook is not installed in this environment

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
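
Added example (not code from the PR, the blog post or MeshCentral itself) of the output-encoding point made in the Technical Details above: the agent-supplied `osdesc` value quoted there, rendered once by an unencoded template and once by an encoded one, plus a store-time check a platform can run on incoming coreinfo. Function names and the sample device record are hypothetical.

```javascript
// Agent-controlled metadata (e.g. the `osdesc` coreinfo field) must be treated
// as untrusted input; the fix is output encoding where the admin UI renders it.

// The stored-XSS payload quoted in the PR description, used here as constructed sample data.
const SAMPLE_OSDESC = '<img src=x onerror="alert(\'XSS: \'+document.domain)">';

// Minimal HTML entity encoder for text placed in element content or in a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: agent metadata concatenated straight into markup, so the
// payload above becomes live HTML when an admin opens the device view.
function renderDeviceRowUnsafe(device) {
  return `<tr><td>${device.name}</td><td>${device.osdesc}</td></tr>`;
}

// Hardened pattern: every agent-controlled field is encoded before it reaches
// the DOM, so the same payload is displayed as literal text.
function renderDeviceRowSafe(device) {
  return `<tr><td>${escapeHtml(device.name)}</td><td>${escapeHtml(device.osdesc)}</td></tr>`;
}

// Store-time heuristic (hypothetical): an OS description should never contain
// markup or event-handler syntax. Returns true when the value is suspicious and
// worth logging or alerting on, independent of the rendering fix above.
function looksLikeMarkup(value) {
  return /[<>]|javascript:|on\w+\s*=/i.test(String(value));
}
```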

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://techanarchy.net/meshcentral-from-xss-to-rce

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 80,443 - Pentesting Web Methodology -> MeshCentral; also cross-reference from Pentesting Web -> XSS and WebSocket Attacks".

Repository Maintenance:

  • MD Files Formatting: 978 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
