huntr report 9A6B1FB4-EC9B-4CFA-AF1E-9CE304924829
Mar 22, 2023 - 6:47 p.m.

Annotation tool: token forgery using jwt secret to claim super admin role

Reported by r4f705 on www.huntr.dev
Tags: annotation tool, token forgery, jwt secret, super admin role, docker image, vulnerability, hard coded value, back-end code, security, bug bounty

EPSS: 0.002 (percentile: 53.2%)

Although the annotation tool's source code is not directly provided in the repository, a docker image is. From there it is easy to get access to the source code, either by extracting the docker tar image (which can be exported from docker itself) or by connecting to the container with an interactive session and browsing the application files.

The vulnerability is the hard-coded value config.jwt.secret = Hm************tA in config/config.production.js. Using this value it is possible to create new JWT tokens that carry the super_admin role, which allows a low-level user to perform previously restricted actions.

For the attack to work, the forged tokens must be produced with the same method that was used for the original ones. The easiest way to do this is to make a small modification to the existing back-end code of the annotation tool, for example by adding the lines provided below to the getSignedJWT function found in app/service/userService.js. Running a locally hosted version of the modified back-end and logging in as a simple user then also produces a new JWT token with the super_admin role. To use this new token, read it from /tmp/test.txt inside the running container or on the host system and replace the value of dpst-token in the local storage of your browser for the domain that was used to make the original login.

Proof of Concept

    // Lines added inside getSignedJWT in app/service/userService.js: sign a second
    // token with the hard-coded secret from config/config.production.js (masked in
    // this report), but with the super_admin role, and write it to /tmp/test.txt.
    const fs = require('fs');
    let x = this.app.jwt.sign(
      {
        id: 2,
        email: "[email protected]",
        role: "super_admin",
      },
      "Hm************tA"
    );

    // The forged token is written to a file so it can be read from the
    // running container (or the host) and pasted into the browser's dpst-token.
    fs.writeFile('/tmp/test.txt', x, err => {
      if (err) {
        console.error(err);
      }
    });
