[Vulnerability] Privilege escalation + Remote code execution (RCE) #401
Comments
Nice work @yuriisanin, what do you think the mitigation strategy is here?

Both vulnerabilities are based on the creation of an audit with a custom language. With #403 I added a restriction on this parameter based on the languages specified in the database. These languages are already sanitized.

@peregrinus I think the mitigation should include the following steps:
For template upload functionality:

@Zeecka I believe it's still possible to set an arbitrary audit language using the 'PUT /api/audits/:auditId/general' endpoint. Please check the proposed mitigation above.

Agree, the Concerning the upload functionality, some users use other extensions such as [Edit] I changed my PR using

CVE-2022-45771 assigned.
An unprivileged user can obtain JWT secrets by exploiting the translate functionality of the report generator. This could allow an attacker to achieve privilege escalation and remote code execution (RCE).
Video PoC on YouTube:

Privilege escalation by obtaining JWT secret
Requirements:
`finding.vulnType` or `finding.category` tag
STR:
`../lib/auth.js` as language; later the file will be loaded and executed using the `require` function, and as a result both `jwtSecret` and `jwtRefreshSecret` will be exported. See translate.js, auth.js
Request:
Response:
`finding.vulnType - {vulnType}` or `finding.category - {category}` tag. See templating doc
Request:
Response:
`category` or `vulnType` property should contain `jwtSecret`.
Request:
Response:
`jwtSecret`.
Request:
Response:
`role` field to `admin` inside your JWT token and sign it using the obtained `jwtSecret`. JWT payload:

```json
{
  "id": "637a2065ab932e0012015580",
  "username": "justuser",
  "role": "admin",
  "firstname": "justuser",
  "lastname": "justuser",
  "email": "justuser@0d.tf",
  "phone": "12345",
  "roles": [
    "audits:create", "audits:read", "audits:update", "audits:delete",
    "images:create", "images:read",
    "clients:create", "clients:read", "clients:update", "clients:delete",
    "companies:create", "companies:read", "companies:update", "companies:delete",
    "languages:read", "audit-types:read", "vulnerability-types:read",
    "vulnerability-categories:read", "sections:read", "templates:read",
    "users:read", "roles:read", "vulnerabilities:read",
    "vulnerability-updates:create", "custom-fields:read", "settings:read-public"
  ],
  "iat": 1668958053,
  "exp": 1668958953
}
```

Remote code execution
Requirements:
STR:
Request:
Response:
The content of the file is base64 encoded JS code:
`../../report-templates/exploit-poc.js` as language; later the file will be loaded and executed using the `require` function. See translate.js
Request:
Response:
Request:
Response:
Request:
Response:
The following logs should appear: