ReportLink:https://hackerone.com/reports/361341
WeaknessName:Deserialization of Untrusted Data
Reporter:https://hackerone.com/kapytein
ReportedTo:Liberapay(liberapay)
BountyAmount:
Severity:
State:Closed
DateOfDisclosure:04.06.2018 17:42:54
Summary:
Hello.
There isn't a direct vulnerability; however, a SQL injection would easily be escalated to Remote Code Execution. I can't directly exploit it due to the restriction on team names (it does not accept hexadecimal values). I, however, submit this issue in advance and will attempt to escalate it further, if possible together with you.
**Vulnerability details**
The vulnerability lies in the serializer and deserializer used for user notifications. It is using [pickle](https://github.com/liberapay/liberapay.com/blob/8546e2212f08f0d0ad71008ccf679744c3e8fb81/liberapay/utils/__init__.py#L370), which is known to be unsafe: you can basically craft any object, and pickle will happily execute it. This allows unsafe deserialization, which could lead to Remote Code Execution.
In this case, as far as I have seen, it is used only for notifications: the deserializer is called to render them, in `render_notifications`, as seen [here](https://github.com/liberapay/liberapay.com/blob/8546e2212f08f0d0ad71008ccf679744c3e8fb81/liberapay/models/participant.py#L1083).
```python
for id, event, notif_context, is_new, ts in notifs:
    try:
        notif_context = deserialize(notif_context)
        # ... (the rest of the loop body and its except clause are not quoted in the report)
```
The `render_notifications` function is then used on the notifications template page, as seen here:
```
# NOTE: don't factor the render_notifications() call here, it'll break escaping
[---] application/json via json_dump
participant.render_notifications(state)
[---] text/html
% extends "templates/base.html"
```
There is no other place where the deserializer is used, as far as I have seen. The serializer is used in the `notify` function, as seen [here](https://github.com/liberapay/liberapay.com/blob/9ad0dc79183b052df4e1ca5f23914450991f6888/liberapay/models/participant.py#L1010); thus, in the future, whenever unrestricted input is taken from the user into this function, it will directly allow Remote Code Execution.
**Proof of Concept**
1. Invite a user into your team.
2. Update the context of the notification in the table notifications, by running the SQL query:
```sql
UPDATE notifications SET context = E'\\x80027d710028580400000061736432710158030000006c6f6c71025801000000627103580500000033303030307104580100000063710563706f7369780a73797374656d0a7106580c000000736c656570203530303030307107857108527109752e' WHERE id = 43;
```
3. Log in as the user who is invited to your team, browse to notifications and notice that the sleep command was used (basically, it will hang).
## Impact
This could allow remote code execution if a SQL injection is escalated.
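The following is an added example, not code from this report or from Liberapay. It takes the exact pickle bytes from the UPDATE statement in the PoC above, disassembles them with `pickletools` to show that they reference `posix.system` and contain a REDUCE call without ever executing them, and then shows the `find_class` override pattern that a loader for notification contexts could use to refuse every global lookup while still loading a plain dict. The names `find_globals`, `calls_code`, `safe_loads`, `rejects_payload` and the `BENIGN_CONTEXT` sample are assumptions made for illustration.

```python
import io
import pickle
import pickletools

# Added example, not Liberapay code. REPORT_PAYLOAD is the hex value from the
# report's UPDATE statement; everything else in this file is illustrative.
REPORT_PAYLOAD = bytes.fromhex(
    "80027d710028580400000061736432710158030000006c6f6c71025801000000627103"
    "580500000033303030307104580100000063710563706f7369780a73797374656d0a71"
    "06580c000000736c656570203530303030307107857108527109752e"
)

# A constructed, harmless notification context (strings in a dict, no globals),
# standing in for what the application's own serializer would write.
BENIGN_CONTEXT = pickle.dumps({"asd2": "lol", "b": "30000"}, protocol=2)

# Opcodes that make the unpickler call something (constructor, reducer, setstate).
CALL_OPCODES = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def find_globals(data: bytes) -> list:
    """List the (module, name) pairs a pickle would import, without running it.

    pickletools.genops only parses the opcode stream; nothing is imported or
    called, so this is safe to run on attacker-controlled bytes.
    """
    found = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            # Protocol <= 3: the argument is "module name" on two lines.
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are taken from the stack, not the arg.
            found.append(("<stack>", "<stack>"))
    return found


def calls_code(data: bytes) -> bool:
    """True if the pickle contains any opcode that invokes a callable."""
    return any(op.name in CALL_OPCODES for op, _arg, _pos in pickletools.genops(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.

    pickle resolves GLOBAL/STACK_GLOBAL through find_class before REDUCE can
    run, so raising here means posix.system is never even looked up.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    """Load a pickle that may only contain literals, dicts, lists and tuples."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejects_payload(data: bytes) -> bool:
    """True if safe_loads refuses the pickle instead of executing it."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("globals referenced:", find_globals(REPORT_PAYLOAD))              # [('posix', 'system')]
    print("invokes a callable:", calls_code(REPORT_PAYLOAD))                # True
    print("restricted loader rejects it:", rejects_payload(REPORT_PAYLOAD)) # True
    print("benign context loads:", safe_loads(BENIGN_CONTEXT))              # {'asd2': 'lol', 'b': '30000'}
```

Never call `pickle.loads` on the payload to "check" it: the PoC bytes reduce to `posix.system("sleep 500000")` and would hang the process exactly as the report describes. The static scan is the safe way to triage such a value pulled from the `notifications` table, and the `find_class` override is the minimal hardening if the pickle format has to stay; a JSON context, which cannot name a callable at all, removes the class of bug entirely.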