In this repository, you will find a proof of concept of the exploitation of the CVE-2021-46398 flaw through a docker compose, as well as an analysis of the impacts of this flaw on information systems.
# Exploit Title: FileBrowser 2.17.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution (RCE)
# Date: 05/02/2022
# Exploit Author: FEBIN MON SAJI
# Vendor Homepage: https://filebrowser.org/
# Software Link: https://github.com/filebrowser/filebrowser
# Version:
FileBrowser <= 2.17.2
# Tested on: Ubuntu 20.04
# CVE : CVE-2021-46398
According to FileBrowser's website, FileBrowser is a popular create-your-own-cloud-kind of software that you can install on a server, direct it to a path and then access your files through a nice web interface developed in the Go language, with many features. It's a bit like Google Drive except that everyone can own and host their own instance.
FileBrowser's admins can create multiple users, even another admin privileged user, and give access to any directory he wants. The user creation is handled by an endpoint /api/users. The endpoint accepts input in JSON format to create users, but fails to verify the Content-Type HTTP header which value should be application/json, but accepts text/plain; and that’s where the vulnerability arises. Also, the Origin is not validated and there are no anti-CSRF tokens implemented either. Hence an attacker can easily exploit this vulnerability to create a backdoor user with admin privileges and access to the home directory or whichever directory the attacker wants to access, just by sending a malicious webpage URL to the legitimate admin and access the whole server's filesystem (more explanation of this process in the demonstration section).
In addition, an admin can run commands on the system, so this vulnerability leads to an RCE.
Here is a sequence diagram that summarises the attack process (Alice being the hacker and Bob being the administrator and host of the FileBrowser instance):
sequenceDiagram
Alice (hacker) ->> Alice (hacker): *Maliciously creates the malicious HTML page*
Alice (hacker) ->> Bob (admin): Here is a cool page! You must check that bro!
Bob (admin) ->> Alice (hacker): Thanks dude, let's open that!
Bob (admin) ->> Bob (admin): *Opens the page thinking it's something cool*
Bob (admin) -->> FileBrowser: *Sends a request to create a user without knowing it*
FileBrowser -->> FileBrowser: *Creates a new admin privileged user as requested*
Alice (hacker) ->> FileBrowser: Eheheh Bob is so dumb! *Connect to FileBrowser with the backdoor user*
FileBrowser ->> Alice (hacker): *Accept Alice connection with the new user created*
Alice (hacker) ->> FileBrowser: *Request shell access to FileBrowser with the appropriate button then makes sytem calls on Bob's computer*
The goal of this demonstration is to set up a mini-architecture composed of two/three machines:
- your personal computer as a FileBrowser's admin's computer on one side, and as the attacker on another side.
- a vulnerable Docker container simulating a remote FileBrowser server.
It is a really simplified architecture which aim is to highlights the technical aspect of the flaw.
For this experiment, you will only need docker.
In this setup, the target machine is based on a FileBrowser v2.17.2 image (which is vulnerable to this flaw), in which the only FileBrowser's account is the administrator account that has admin/admin as login/password.
Launching the target machine:
mkdir srv && docker compose up
From the attacker's side, the malicious webpage will allow us to execute the FileBrowser API call and create our backdoor user from the administrator's computer.
An example of such a page is provided in this repository under the name index.html. It is a simple HTML page with a hidden form that performs a POST request to the /api/users FileBrowser's endpoint with the payload on the input's name. This payload creates an admin privileged user which login is "oui" and password's "oui", and is triggered when the button is clicked.
We could obviously have created a prettier and more attractive page than this one and hide the sending of the HTTP request in another element of the website, it's just so that you can see the technical aspect of the flaw's exploitation. Remember that the goal of this malicious webpage is to be opened by the FileBrowser's admin without them suspecting anything!
From the administrator's side, we are quietly doing admin stuff on FileBrowser. Go to 127.0.0.1:8080 and log in with admins credentials admin/admin.
Then, we received the malicious webpage by any means, like in a phishing email, and perform the action that triggers the exploit. Open the index.html webpage and click on the button; it launches the payload.
Now, back to the attacker's side, we now have an admin privileged backdoor user on the FileBrowser server.
Open your favorite web browser in private browsing to ensure that you are not using any of the administrator's authentication means. Go to localhost:8080 and log in with the backdoor user credentials oui/oui.
Congratulations! You now have access to the FileBrowser's server file system and thus to all server's users files!
And because FileBrowser is a great platform with lots of features, you can launch a terminal instance by pressing the "toggle shell" button... try typing whoami, and do whatever you want as root :)
To allow the backdoor user to use shell commands, they have to be explicitly declared on the payload. See
index.htmlto add yours!
The flaw has been patched from the version v2.18.0. The informations about it are available on their GitHub. The patch was not very expensive to deploy as it only required 6 lines of code to be changed in a single program file. Since the vulnerability came from the parsing failure (cf. flaw description), it was enough to ensure that any request was parsed into application/json format before being processed for anything else.
- CSRF: Cross-Site Request Forgery
- CVE: Common Vulnerabilities and Exposures
- POST: HTTP method
- RCE: Remote Code Execution
- CVE-2021-46398
- ExploitDB
- Exploit example
- Security patch from FileBrowser's GitHub
- Issue thread from FileBrowser's GitHub
This work was done as part of the Information Systems Security course given in the last year of the Information Systems Engineering specialization at Grenoble INP - Ensimag, UGA.