PoC details: 78e524636a409151455a03972e263e24a9ed1e89

Related vulnerability
Title: ThingsBoard security vulnerability (CVE-2024-55466)
Description: ThingsBoard is a Java-based platform from the ThingsBoard team for monitoring and managing IoT devices and collecting their data. ThingsBoard v3.8.1 contains a security vulnerability: the Image Gallery allows arbitrary file upload, which may lead to execution of arbitrary code.
Introduction
# ThingsBoard Privilege Escalation Using Stored XSS

While tinkering with IoT technology, I found a vulnerability in the Thingsboard application that allowed avenues for privilege escalation.

Thingsboard is an open-source application that provides device management, data collection, processing and visualization for IoT services and deployments. Furthermore, a single Thingsboard instance (managed by a Tenant Administrator) can host services for multiple organizations, each with its own Company Administrators.

While exploring its features, I noticed a file upload feature in the "Image Gallery" view. Unfortunately, the feature was vulnerable to stored cross-site scripting, which allowed an adversary to escalate privileges by stealing authentication tokens.

This vulnerability impacts all Thingsboard releases, including Community, Cloud, and Professional editions. I responsibly reported the issue to the Thingsboard security team, who acknowledged it and committed to addressing it in a future release. Subsequently, I reported the vulnerability to MITRE, resulting in the assignment of a CVE.

## TL;DR

- Bug: Stored Cross-Site Scripting
- Severity: **CRITICAL**
- OWASP Vulnerability Category: [A03 Injection](https://owasp.org/Top10/A03_2021-Injection/)
- CVSS 4.0 Score: 8.8 `CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H`
- Affected Software Releases: Community Edition, Professional Edition, Cloud
- Affected Versions: 3.8.1 or earlier
- Vendor Details: Thingsboard (https://github.com/thingsboard/thingsboard)

## Pre-Requisites

To demonstrate the vulnerability, you need an installation of [ThingsBoard](https://thingsboard.io/) ([Github Repository](https://github.com/thingsboard/thingsboard)) with at least one low-privileged user.


## Steps to Reproduce

- **Step 1:** Log into a low-privileged customer account.
    
    ![low_priv_user](./images/test_user.jpg)

- **Step 2:** Navigate to `Resources > Image Gallery`

    ![image_gallery](./images/image_gallery.jpg)

- **Step 3:** Craft a malicious image file (*here, an SVG file carrying a JavaScript payload is used*) to exploit the cross-site scripting vulnerability.

    ![svg_with_xss_payload](./images/xss_svg_payload.jpg)

- **Step 4:** Upload the file and inspect the response to identify the destination path at which the uploaded file is served.

    ![publicLink](./images/fileupload_publicLink.jpg)

- **Step 5:** Visit the `publicLink` path to trigger the payload.

    ![XSS_triggered](./images/xss_cookie_alert_firefox.jpg)

## Account Takeover

Since the payload is stored on the legitimate Thingsboard instance, an adversary can easily trick high-value targets (e.g. a Tenant Administrator or Company Administrator) into opening it and steal their authentication tokens.

A demonstration of the impact described above:

- **Step 1:** Log into a high-value account (*here a Tenant Administrator account is used in the Chrome browser, to demonstrate an environment isolated from the Firefox browser used above*).

    ![tenant_admin](./images/login_as_tenant_admin.jpg)

- **Step 2:** Visit the `publicLink` path retrieved earlier.

    ![XSS_triggered](./images/xss_cookie_alert.jpg)
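The upload in Steps 3 to 5 succeeds because the gallery accepts an SVG containing script and later serves it inline. The following is an added example, not ThingsBoard's own code, of the server-side check an upload handler could run on an SVG body before storing it; the function and sample names are assumptions.

```python
"""Added example (not ThingsBoard's code): reject SVG uploads that carry active content.
An image-gallery upload handler would call svg_findings() on the body before storing
it. Uses the stdlib parser; in production prefer defusedxml to also block entity expansion."""
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed HTML when an SVG is rendered inline.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# Only these URL schemes are rejected; relative paths and #fragment refs stay allowed.
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def svg_findings(body: bytes) -> list[str]:
    """Return reasons to reject the upload; an empty list means nothing active was found."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag).lower() != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            attr = _local(attr)
            if EVENT_ATTR.match(attr):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr == "href" and SCRIPT_SCHEME.match(value):
                findings.append(f"{value.split(':', 1)[0].strip().lower()}: URL in href on <{tag}>")
    return findings


# Constructed samples: a benign icon, and one using the kinds of inline script an
# uploaded SVG can carry (payload reduced to a harmless alert).
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script>'
                b'<a href="javascript:alert(1)"><rect width="10" height="10" onclick="alert(1)"/></a></svg>')

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_SVG), ("scripted", SCRIPTED_SVG)):
        print(name, "->", svg_findings(body) or "accepted")
```

Rejecting active content is only half of the fix: serving user uploads with `Content-Disposition: attachment` or from a separate origin stops an SVG from running in the application's origin even if a check like this misses a vector.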
File snapshot

[4.0K] /data/pocs/78e524636a409151455a03972e263e24a9ed1e89
├── [4.0K] images
│   ├── [145K] fileupload_publicLink.jpg
│   ├── [ 69K] image_gallery.jpg
│   ├── [191K] login_as_tenant_admin.jpg
│   ├── [ 48K] test_user.jpg
│   ├── [ 98K] upload_xss_svg.jpg
│   ├── [ 98K] xss_cookie_alert_firefox.jpg
│   ├── [ 64K] xss_cookie_alert.jpg
│   └── [ 29K] xss_svg_payload.jpg
└── [3.2K] README.md

1 directory, 9 files