Commit 9d3fa22 (parent 25b1a66): 9 changed files with 16 additions and 16 deletions.
@@ -12,7 +12,7 @@ There are 4 things that have to happen in order to find [CVE-2023-22621](https:/ | |
- The version of Strapi should be _at least_ **version 4.5.5 and below**. | ||
- No other hacker _somehow_ saw any of the three aformentioned scenarios first. | ||
|
||
The stars have aligned in my favor and I found exactly that in one of the websites of a _billion_ dollar company listed in the New York Stock Exchange. And I happen to be invited to their private [bug bounty program](https://en.wikipedia.org/wiki/Bug_bounty_program). | ||
The stars have aligned in my favor and with this [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures), I managed to fully take over one of the websites of a _billion_ dollar company listed in the New York Stock Exchange. And I happen to be invited to their private [bug bounty program](https://en.wikipedia.org/wiki/Bug_bounty_program). | ||
|
||
# Exploitation | ||
I have a server that pings me of new subdomains of this company every 5pm Manila time so I can check them out after work. | ||
|
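Review bot: the unchanged context line "No other hacker _somehow_ saw any of the three aformentioned scenarios first." still carries the typo "aformentioned", and the line above it, "The version of Strapi should be _at least_ **version 4.5.5 and below**", contradicts itself ("at least" versus "and below"); since this commit already touches the paragraph, suggest "aforementioned" and "version 4.5.5 or below". The replacement sentence itself reads better than the original and correctly points the CVE link at the first mention.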
@@ -30,7 +30,7 @@ Realizing this, was nothing short of exhilariting, since it's been months since | |
|
||
Claiming the super admin of a website is nice and dandy, but like most other security researchers, I asked myself: "How can I escalate this to something even more severe?". | ||
|
||
The next step was obvious, I googled: "strapi cve". One particular [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) instantly caught my attention: **[CVE-2023-22621](https://nvd.nist.gov/vuln/detail/CVE-2023-22621)** which allows for an authenicated user to execute the highly coveted **[_remote code execution_](https://en.wikipedia.org/wiki/Arbitrary_code_execution).** | ||
The next step was obvious, I googled: "strapi cve". One particular CVE instantly caught my attention: **[CVE-2023-22621](https://nvd.nist.gov/vuln/detail/CVE-2023-22621)** which allows for an authenicated user to execute the highly coveted **[_remote code execution_](https://en.wikipedia.org/wiki/Arbitrary_code_execution).** | ||
|
||
The CVE ticks all of the boxes: | ||
- You need to have super admin access (I got that) ✔ | ||
|
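Review bot: the rewritten line keeps the typo "authenicated" ("which allows for an authenicated user"); as the line is being edited anyway, change it to "authenticated". The hunk header context also shows "exhilariting", which should be "exhilarating". Dropping the Wikipedia link from this second mention of CVE is fine now that the first mention in the previous hunk carries it.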
@@ -79,7 +79,7 @@ This exploit runs when a confirmation email is sent, so an API call that registe | |
$ curl -vvv -X POST -H 'Content-Type: application/json' -d '{"email":"[email protected]", "username":"rcetrigger1", "password": "Test1234!"}' https://strapi.[redacted].com/auth/local/register/ | ||
``` | ||
|
||
Upon execution of the cURL command, Strapi attempts to validate the email template. The exploit then takes advantage of a template validation bypass and `runs the reverse shell payload via `node`. The reverse shell then initiates a TCP connection to my attacker server, which spawns a `bash` session. | ||
Upon execution of the cURL command, Strapi attempts to validate the email template. The exploit then takes advantage of a template validation bypass and runs the reverse shell payload via `node`. The reverse shell then initiates a TCP connection to my attacker server, which spawns a `bash` session. | ||
|
||
Now the attacker machine has logged in to the server as `root`, **giving me total control of the server**: | ||
|
||
|
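Review bot: removing the unbalanced backtick before "runs the reverse shell payload" is the right fix, but the context line two lines below, "Now the attacker machine has logged in to the server as `root`", inverts the direction described one sentence earlier: with a reverse shell the compromised server opens the outbound TCP connection to the listener, and nothing logs in to the server. Suggest "Now the server has connected back to my machine with a `root` shell". The direction matters for the Impact section too: what a defender would look for is an unexpected outbound connection from the Strapi host with `bash` spawned under `node`, not an inbound login.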
@@ -68,7 +68,7 @@ <h1 class="post-title">Remote code execution in a billion-dollar publicly traded | |
<li>The version of Strapi should be <em>at least</em> <strong>version 4.5.5 and below</strong>.</li> | ||
<li>No other hacker <em>somehow</em> saw any of the three aformentioned scenarios first.</li> | ||
</ul> | ||
<p>The stars have aligned in my favor and I found exactly that in one of the websites of a <em>billion</em> dollar company listed in the New York Stock Exchange. And I happen to be invited to their private <a href="https://en.wikipedia.org/wiki/Bug_bounty_program">bug bounty program</a>.</p> | ||
<p>The stars have aligned in my favor and with this <a href="https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures">CVE</a>, I managed to fully take over one of the websites of a <em>billion</em> dollar company listed in the New York Stock Exchange. And I happen to be invited to their private <a href="https://en.wikipedia.org/wiki/Bug_bounty_program">bug bounty program</a>.</p> | ||
<h1 id="exploitation">Exploitation</h1> | ||
<p>I have a server that pings me of new subdomains of this company every 5pm Manila time so I can check them out after work.</p> | ||
<p>Usually I don’t find anything in my probes, and this one: <strong>strapi.[redacted].com</strong> also didn’t trigger any alarms at first. | ||
|
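Review bot: this is the generated Hugo output for the markdown hunk earlier in the commit and it inherits the same problems: "aformentioned" and the contradictory "<em>at least</em> version 4.5.5 and below" sit in the unchanged context lines here as well. Fix them in the markdown source and regenerate rather than patching the HTML separately, so the two files cannot drift apart.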
@@ -78,7 +78,7 @@ <h1 id="exploitation">Exploitation</h1> | |
<p>Realizing this, was nothing short of exhilariting, since it’s been months since I got a paid bug bounty.</p> | ||
<h1 id="escalation">Escalation</h1> | ||
<p>Claiming the super admin of a website is nice and dandy, but like most other security researchers, I asked myself: “How can I escalate this to something even more severe?".</p> | ||
<p>The next step was obvious, I googled: “strapi cve”. One particular <a href="https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures">CVE</a> instantly caught my attention: <strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-22621">CVE-2023-22621</a></strong> which allows for an authenicated user to execute the highly coveted <strong><a href="https://en.wikipedia.org/wiki/Arbitrary_code_execution"><em>remote code execution</em></a>.</strong></p> | ||
<p>The next step was obvious, I googled: “strapi cve”. One particular CVE instantly caught my attention: <strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-22621">CVE-2023-22621</a></strong> which allows for an authenicated user to execute the highly coveted <strong><a href="https://en.wikipedia.org/wiki/Arbitrary_code_execution"><em>remote code execution</em></a>.</strong></p> | ||
<p>The CVE ticks all of the boxes:</p> | ||
<ul> | ||
<li>You need to have super admin access (I got that) ✔</li> | ||
|
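Review bot: "authenicated" survives in the rewritten `<p>` here too; fix it in the source and rebuild. On the unchanged line above it, the quotation “How can I escalate this to something even more severe?". opens with a curly quote and closes with a straight one; check the `?"` sequence in the markdown source so the rendered pair matches.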
@@ -111,7 +111,7 @@ <h2 id="spawning-a-shell-as-root-in-the-compromised-server">Spawning a shell as | |
ls | ||
api config favicon.ico package.json README.md | ||
build extensions node_modules public yarn.lock | ||
</code></pre></div><p>In order to prove the RCE, I left an inconspicuous text file in the server. So I left one at <code>/root/tedminfosec.txt</code>:</p> | ||
</code></pre></div><p>In order to prove the RCE, I left an inconspicuous text file in the server at <code>/root/tedminfosec.txt</code>:</p> | ||
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sh" data-lang="sh">root@<span style="color:#f92672">[</span>redacted<span style="color:#f92672">]</span>:/home/<span style="color:#f92672">[</span>redacted<span style="color:#f92672">]</span>/project/strapi# cat /root/tedminfosec.txt | ||
hello from [email protected] | ||
</code></pre></div><h1 id="impact">Impact</h1> | ||
|
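Review bot: the wording change ("I left an inconspicuous text file in the server at ...") is an improvement, but no corresponding hunk appears in the markdown diff shown above (its hunks are at lines 12, 30 and 79 only), so if the markdown source was not updated this fix will be overwritten on the next build. Separately, the rendered snippet shows a `root@[redacted]:/home/[redacted]/project/strapi#` prompt, i.e. the shell spawned from the Strapi process is already root, which means the service itself ran as root; that is worth stating in the Impact section as the reason a template validation bypass went straight to full host compromise instead of to an unprivileged service account.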
@@ -138,7 +138,7 @@ <h1 id="responsible-disclosure">Responsible disclosure</h1> | |
<footer> | ||
|
||
<span> | ||
© <time datetime="2024-02-19 13:32:42.4326394 +0800 +08 m=+0.304749101">2024</time> . Made with <a href='https://gohugo.io'>Hugo</a> using the <a href='https://github.com/EmielH/tale-hugo/'>Tale</a> theme. | ||
© <time datetime="2024-02-19 14:44:24.3683721 +0800 +08 m=+0.304057101">2024</time> . Made with <a href='https://gohugo.io'>Hugo</a> using the <a href='https://github.com/EmielH/tale-hugo/'>Tale</a> theme. | ||
</span> | ||
</footer> | ||
|
||
|
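Review bot: the only change in this hunk is the Hugo build timestamp inside `<time datetime="...">`, including the Go monotonic-clock suffix `m=+0.304057101`, which differs on every build and produces a spurious footer diff in each commit. Consider committing only the source and building in CI, or rendering a fixed publication date instead of the build time, so the footer stops churning and stops exposing exact build times.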