In this post I will go through CVE-2022-44019: the description of the vulnerability, how to replicate it, and a POC.
TotalJS is an open-source JavaScript platform providing many FOSS tools and libraries written in JavaScript/Node.js. This vulnerability affects the TotalJS Code Editor product (link to the GitHub repo).
From the official Code Editor website we can read:
"Try our best practices with the new Code Editor as a web application to develop Total.js applications. Get more time for yourself and simplify your web development as never before. Code Editor must run on your server directly where you provide web applications. You can provide Code Editor, for example, on your Raspberry Pi."
Description of the vulnerability
Using the API /api/common/ping it is possible to achieve remote command execution on the host machine, which gives complete control over the machine hosting the server.
The root cause is that the server does not validate the host value it receives before passing it to ping: it never checks that the value is a legitimate IP address or hostname, and it accepts shell metacharacters such as ;, | and &, so whatever follows them is run as a separate command.
Replication of the vulnerability
Execute node index.js to start the server.
Log in to the application.
Send the request to /api/common/ping with the injected host, as shown below:
The command that will be executed is ping -c 3 1.1.1.1; id.
The injected command here is id, but it can of course be an arbitrary command (a reverse shell as well).
POC
See the YouTube video POC here:
Capture a request in a proxy (such as Burp Suite), then change the parameters (Host with your target, User-Agent and the authentication cookie):