Appsmith Vulnerabilities Can be Chained to Achieve 1-Click Admin Account Takeover
September 1, 2022
Several vulnerabilities in Appsmith (which have now been patched) can be chained to achieve one-click full admin account takeover. Attackers can first exploit an XSS vulnerability to steal internal MongoDB credentials, then exploit an SSRF vulnerability to connect to the internal MongoDB.
While navigating the different widgets available in Appsmith, we encountered a widget called Iframe. Using this widget, users can insert iframes with arbitrary URLs and srcDoc content in their Appsmith dashboards. We observed that the field named srcDoc is vulnerable to XSS.
Even though we couldn’t gain access to the cookies, we were able to use an iframe to fetch sensitive content from an API endpoint that only administrators have access to. One such endpoint was “/api/v1/admin/env”, which returns the environment variables of Appsmith, including infrastructure-related credentials. No user other than the administrator can access this endpoint.
Once the exploit is ready, it needs to be published so that other users can reach it. This can be done by making the Appsmith dashboard public, after which anyone can access it.
Now, this base64 encoded data can be decoded by the attacker by running the following command:
$ echo "<base64_encoded_data>" | base64 --decode
The decoded MongoDB credentials can be used for further investigation and exploitation.
Access to Internal MongoDB via SSRF
From our previous testing on Appsmith, we know that there are protections that restrict access to the cloud instances' internal metadata, but there are no restrictions on localhost. In addition, Appsmith has a feature which allows users to connect MongoDB as a data source.
We then checked whether this functionality could be used to connect to the internal MongoDB running on localhost. This was done by filling the connection and authentication details obtained previously into the form which allows users to connect to MongoDB as a data source.
On clicking the “Save” option, the data source was added successfully, after which we were able to view all the collections in the Appsmith database in the UI.
Escalating privileges to Administrator
For each of these collections, it was possible to run the following DB queries
Out of all the collections, the one named “Users” contains the details of all users on the platform.
At this stage there are several ways to escalate privileges to administrator. It is even possible to modify the admin user's password hash or add the admin policies to our own user. We proceeded by fetching the admin policies from MongoDB using the FIND command.
We found that the administrator account has the following policies associated with it.
Then, using the UPDATE command, we replaced the policies assigned to our user with the admin policies. On clicking “RUN” we got a successful response from MongoDB.
To validate the vulnerability, we logged in to our user account via a different browser and found that it had access to all admin functionalities and permissions to manage users, workspaces, and instances.
We tried accessing the endpoint “/api/v1/admin/env”, which only administrators can access, and got a successful response from the server.
Attackers can first exploit the XSS vulnerability to steal internal MongoDB credentials; then the SSRF vulnerability can be exploited to connect to the internal MongoDB, execute DB queries, and achieve full account takeover or privilege escalation.
Also, Appsmith does not restrict sign-up in the default installation. So if an Appsmith instance is exposed to the internet, anyone can sign up and gain access to the vulnerable functionality in which the SSRF vulnerability was discovered. This can have large-scale impact, given that over 1,000 Appsmith instances are exposed on the internet.
The root vulnerabilities in this chain (CVE-2022-38298 and CVE-2022-38299) have been fixed by Appsmith.
Maintain an allowlist of the domains or addresses that your application is permitted to connect to, and reject everything else (including localhost) before any connection is attempted.
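The allowlist recommendation above, shown as an added example that is not Appsmith's own code: a check that a data-source form could run on a user-supplied host. It requires the host to be on an operator-maintained allowlist (the names in ALLOWED_HOSTS are hypothetical), then resolves it and refuses loopback, link-local (including the cloud metadata address), unspecified and reserved addresses, so a localhost MongoDB cannot be reached even through an allowlisted name that later resolves there.

```python
import ipaddress
import socket

# Constructed allowlist for illustration: the only data-source hosts an operator
# has explicitly approved (hypothetical names, stored lowercase).
ALLOWED_HOSTS = {"mongo.example-prod.internal", "analytics-db.example.com"}


def resolve_host(host):
    """Return every address the system resolver gives for host, as strings."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def is_denied_address(ip):
    """Loopback, link-local (which covers 169.254.169.254 metadata), unspecified,
    multicast and reserved addresses are never acceptable data-source targets.
    RFC 1918 ranges are deliberately not blanket-denied: legitimate databases
    often live there, and the allowlist decides which of them are reachable."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return (ip.is_loopback or ip.is_link_local or ip.is_unspecified
            or ip.is_multicast or ip.is_reserved)


def check_datasource_host(host, allowlist=ALLOWED_HOSTS, resolver=resolve_host):
    """Return (allowed, reason) for a host entered in a data-source form."""
    host = host.strip().strip("[]").lower()
    if not host:
        return False, "empty host"
    # 1. Allowlist first: names and literals the operator has not approved are
    #    rejected before any network lookup happens.
    if host not in allowlist:
        return False, f"{host} is not on the data-source allowlist"
    # 2. Even an approved name can resolve to an internal address (DNS rebinding,
    #    a compromised zone), so every resolved address is checked as well.
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        addresses = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addresses:
        return False, f"{host} did not resolve"
    for ip in addresses:
        if is_denied_address(ip):
            return False, f"{host} resolves to denied address {ip}"
    return True, "ok"
```

The resolver is injectable so the policy can be unit-tested without DNS; in production the default system resolver is used.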
CloudSEK submitted this vulnerability to Appsmith via their well-defined vulnerability disclosure process. Subsequently, the Appsmith team fixed this issue in their next release. Appsmith versions 1.7.12 and above do not have this vulnerability.
Sparsh is a Cyber Security Analyst at CloudSEK. This security professional hunts for points of vulnerability in client domains. He is OSCP certified and a bug bounty hunter who plays CTF for Team UnderDawg.
Deepanjli is CloudSEK's Lead Technical Content Writer and Editor. She is a pen wielding pedant with an insatiable appetite for books, Sudoku, and epistemology. She works on any and all content at CloudSEK, which includes blogs, reports, product documentation, and everything in between.