Headline
CVE-2022-41139: Stored XSS in MITRE CALDERA Debrief Plugin - Gist Contact
MITRE CALDERA 4.1.0 allows stored XSS via app.contact.gist (aka the gist contact configuration field), leading to execution of arbitrary commands on agents.
Vulnerability Description:
A third stored cross-site scripting (XSS) vulnerability was discovered in the gist contact configuration field of MITRE CALDERA. We confirmed it was possible as the blue user to attack the red user provided through the Docker Compose CALDERA deployment. More specifically, we were able to introduce an attack as the blue user that resulted in the red user (once they triggered the vuln) executing arbitrary commands on agents that are part of an operation.
Successful exploitation of this vulnerability can provide an attacker with the means to escalate their privileges within the application and the ability to run arbitrary code on any enrolled systems.
The vulnerability was tested on mitre/caldera@a1f6a91.
Proof of Concept:
- Create a Caldera test environment
- Log in to Caldera as the red user
- Click Configuration
- Set app.contact.gist to "><img src=x onerror=prompt(document.domain)>
- Click Update
- Click debrief
- Move your mouse over the C2 Server icon
- Observe prompt
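The root cause above is a stored config value reaching the debrief tooltip as raw HTML. The following is an added example, not code from CALDERA or the debrief plugin: it assumes a hypothetical tooltip template for the C2 Server icon, shows it unescaped beside an HTML-escaped version, and includes a small markup scanner that reports which elements and inline handlers each rendering actually contains when fed the proof-of-concept payload.

```javascript
// Added example (not CALDERA or debrief plugin code): an unsafe tooltip builder beside a
// hardened one for app.contact.gist, plus a scanner showing what markup the browser would see.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}
// Unsafe: the stored config value is interpolated into attribute and text context as-is.
function tooltipUnsafe(config) {
  const gist = config["app.contact.gist"] ?? "";
  return `<div class="c2"><b>Gist contact:</b> <span title="${gist}">${gist}</span></div>`;
}
// Hardened: the same template, but the value is HTML-escaped before interpolation.
function tooltipSafe(config) {
  const gist = escapeHtml(config["app.contact.gist"] ?? "");
  return `<div class="c2"><b>Gist contact:</b> <span title="${gist}">${gist}</span></div>`;
}
// Minimal markup scanner (not a full HTML parser): collects element names and inline
// event-handler attribute names, respecting quoted attribute values so escaped text
// inside an attribute is not mistaken for markup.
function scanMarkup(html) {
  const elements = [], handlers = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<" || !/[a-zA-Z]/.test(html[i + 1] || "")) { i++; continue; }
    let j = i + 1, name = "";
    while (j < html.length && /[\w-]/.test(html[j])) name += html[j++];
    elements.push(name.toLowerCase());
    let quote = null; // set while inside a quoted attribute value
    while (j < html.length && (quote || html[j] !== ">")) {
      const ch = html[j];
      if (quote) { if (ch === quote) quote = null; }
      else if (ch === '"' || ch === "'") quote = ch;
      else if (/\s/.test(html[j - 1])) { // attribute name position: look for on*=
        const m = /^on[a-z]+(?=\s*=)/i.exec(html.slice(j));
        if (m) { handlers.push(m[0].toLowerCase()); j += m[0].length; continue; }
      }
      j++;
    }
    i = j + 1;
  }
  return { elements, handlers };
}
// Regression check: true when the markup has elements the template did not define, or any
// inline event handler.
function injectsMarkup(html, templateElements) {
  const { elements, handlers } = scanMarkup(html);
  return handlers.length > 0 || elements.some((e) => !templateElements.includes(e));
}
// Constructed sample: the payload from the proof of concept above, as it would be stored.
const sampleConfig = { "app.contact.gist": '"><img src=x onerror=prompt(document.domain)>' };
```

Running `injectsMarkup(tooltipUnsafe(sampleConfig), ["div", "b", "span"])` reports the injected `img` element and its `onerror` handler, while the escaped rendering reports only the template's own elements.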
Fix:
Remediation strategy provided by Jonathan (Jay) Yee from the MITRE Caldera development team:
This specific vulnerability in debrief was patched in mitre/debrief@d815b60
The debrief plugin commit was also pinned to the latest release, caldera v4.1.0
Users running caldera versions older than v4.1.0 are urged to update the debrief plugin to the latest version:
git submodule update --remote --force plugins/debrief
Patched plugin: Patched commit
Timeline:
Reported: September 19th, 2022
Acknowledged: September 21st, 2022
Fixed: September 21st, 2022