Summary: Cross-Site Request Forgery (CSRF) file upload in the import feature leads to Remote Code Execution.
Description: When we import a tar file, a request is made to /api/notes/root/import. Along with the file contents, the request carries settings such as Safe Import. The issue is that there is no CSRF protection on this endpoint, which lets an attacker make a request to it with a malicious tar file that contains the following snippet of code
and also explicitly set safeImport to false to disable it. After a successful import, if the user clicks on the imported note, the code is executed.
Note: Since the application binds to a random port, we can brute-force to find the port. The way I chose to do it was to include the ckeditor.js file from the /libraries/ckeditor/ckeditor.js endpoint; upon a successful script include we can be sure which port the application's server is running on.
Reproduction Steps:
I wouldn't want a proof of concept lying on the web for people to just try, so I'll just walk you through the steps.
Firstly, look at the import request in which the tar file is uploaded; you'll notice that there are no protections against CSRF attacks.
As I've already mentioned, we can brute-force the port number and then upload the malicious file (see Arbitrary Code Execution #398). You'll see it successfully imported, and when you click on the imported note, calc.exe pops up.
Demo: Video Link
Fix: Implement Anti CSRF.