
XSS in RSS Feed Summary Tag can lead to RCE or SuperUser Creation #18379

Closed
noxlumens opened this issue Jan 12, 2025 · 3 comments · Fixed by #18424
Labels: severity: medium (Results in substantial degraded or broken functionality for specific workflows); status: accepted (This issue has been accepted for implementation); type: bug (A confirmed report of unexpected behavior in the application)

Comments

@noxlumens

Deployment Type: Self-hosted

Triage priority: I'm a NetBox Labs customer

NetBox Version: 4.2.1

Python Version: 3.12

Steps to Reproduce

I've sent a full list of vulnerabilities I've located to security@netboxlabs.com. The report was sent late last year. I've upgraded to the latest version v4.2.1 and I've confirmed each vulnerability. A malicious RSS feed could potentially create a SuperUser or get a reverse shell via remote code execution. For that to be the case an administrator would need to have the malicious RSS feed on their dashboard or have the ability to add RSS widgets, create users/superusers, and/or upload scripts.

/netbox-4.2.1/netbox/templates/extras/dashboard/widgets/rssfeed.html

```html
{% for entry in feed.entries %}
  <div class="list-group-item px-1 py-2">
    <a href="{{ entry.link }}" class="text-body">{{ entry.title }}</a>
    <div class="text-secondary">
      {{ entry.summary|safe }}
    </div>
  </div>
```

  1. Craft an XML file with the RSS Feed Proof of Concept code.
  2. Start a python3 web server on the attacker server in the directory hosting the XML file:

     ```
     python3 -m http.server 80
     ```
  3. Navigate to the NetBox dashboard and add an RSS widget.
  4. Edit the RSS widget to point to the attacker-controlled IP address and save.
  5. Refresh the Dashboard.

RSS Feed Proof of Concept

A general proof of concept is provided below. The session ID cookie is protected by the HttpOnly flag. The alternative scripts allow the attacker to perform remote code execution for shell access on the NetBox server and create a new superuser, but I don't believe I should post them here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Sample RSS Feed</title>
    <link>https://www.example.com</link>
    <description>Example RSS feed with a summary</description>
    <language>en-us</language>
    <pubDate>Sat, 23 Nov 2024 00:00:00 GMT</pubDate>
    <item>
      <title> Blog Post</title>
      <link>https://www.example.com/first-blog-post</link>
      <guid>https://www.example.com/first-blog-post</guid>
      <pubDate>Sat, 23 Nov 2024 12:00:00 GMT</pubDate>
      <summary>&lt;script&gt;alert(document.cookie)&lt;/script&gt;This is a brief summary of the blog post.</summary>
    </item>

  </channel>
</rss>
```

Reproduce the Attack

  1. Copy the Proof Of Concept - RSS Remote Code Execution code to an XML file. (not posting it here)
  2. Edit the server_ip in the XML file to the attacker-controlled IP address.
  3. Start a python3 web server in the directory hosting the XML file:

     ```
     python3 -m http.server 80
     ```
  4. Start a netcat listener:

     ```
     nc -nlvp 9006
     ```
  5. Navigate to the NetBox dashboard and add an RSS widget.
  6. Edit the RSS widget to point to the attacker-controlled IP address and save.
  7. Refresh the Dashboard. After a few seconds the file should be pulled from the attacker server and uploaded to the NetBox server. The shell connection should come back to the attacker-controlled netcat listener.

Expected Behavior

I do not expect that an external RSS feed I've connected to my NetBox instance could create a superuser or get a reverse shell on my NetBox server.

Observed Behavior

Remote Code Execution -> Reverse Shell
SuperUser was created

@noxlumens noxlumens added status: needs triage This issue is awaiting triage by a maintainer type: bug A confirmed report of unexpected behavior in the application labels Jan 12, 2025
@jeremystretch (Member)

> I'm a NetBox Labs customer

Could you please provide your account ID?

> I've sent a full list of vulnerabilities I've located to security@netboxlabs.com. The report was sent late last year.

I'm sorry but I don't see any correspondence regarding this topic. What was the date you contacted us?

Looks like this is simply an XSS within the configured RSS feed, which is not default behavior and would need to be explicitly configured by the user to point to a malicious or compromised feed. We can probably just pass the RSS content through nh3 for sanitization.
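The two comments above describe the defect (the widget renders `entry.summary` through `|safe`, so any markup in the feed reaches the browser unescaped) and the intended remedy (sanitize the feed HTML before rendering, the maintainer's plan being to use nh3). The following is an added example, not NetBox's code and not the nh3-based fix that was merged: it parses a constructed feed shaped like the proof of concept above, renders the summary both verbatim (the `|safe` behaviour) and through a small allow-list sanitizer, and shows that the script tag, the inline event handler and a `javascript:` link are dropped while harmless markup survives. The sanitizer uses only the standard library so it runs offline; the names `SAMPLE_FEED`, `AllowlistSanitizer`, `sanitize_html`, `feed_entries`, `render_entry` and the allow-list policy are all assumptions of this example.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed modelled on the issue's proof of concept (not a real feed).
# The <summary> carries a script tag, an inline event handler and some harmless markup.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Sample RSS Feed</title>
    <item>
      <title>Blog Post</title>
      <link>https://www.example.com/first-blog-post</link>
      <summary>&lt;script&gt;alert(document.cookie)&lt;/script&gt;This is a &lt;b&gt;brief&lt;/b&gt; summary &lt;a href="https://www.example.com" onclick="alert(1)"&gt;link&lt;/a&gt;.</summary>
    </item>
  </channel>
</rss>
"""

# Allow-list policy (an assumption for this example; nh3's defaults are broader).
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "code"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # element and its text are both discarded


class AllowlistSanitizer(HTMLParser):
    """Re-serialises an HTML fragment keeping only allow-listed tags and attributes.
    Unknown tags are dropped but their text is kept; <script>/<style> are dropped
    together with their contents; all text and attribute values are re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []      # open allowed tags, so the output is always balanced
        self.skip_depth = 0  # > 0 while inside a dropped-with-content element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return
        while self.stack:  # close intermediate tags so nesting stays well-formed
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    while p.stack:  # close anything the input left open
        p.out.append(f"</{p.stack.pop()}>")
    return "".join(p.out)


def feed_entries(rss_xml: str) -> list:
    """Minimal RSS reader: title/link/summary per <item>; summary is still raw HTML."""
    root = ET.fromstring(rss_xml.encode("utf-8"))
    return [
        {
            "title": (item.findtext("title") or "").strip(),
            "link": item.findtext("link") or "",
            "summary": item.findtext("summary") or "",
        }
        for item in root.iter("item")
    ]


def render_entry(entry: dict, sanitize: bool = True) -> str:
    """Mirrors the widget: title/link are escaped either way; the summary is emitted
    verbatim when sanitize=False (the `|safe` behaviour) or cleaned first."""
    body = sanitize_html(entry["summary"]) if sanitize else entry["summary"]
    link = html.escape(entry["link"], quote=True)
    return f'<a href="{link}">{html.escape(entry["title"])}</a><div>{body}</div>'


if __name__ == "__main__":
    for entry in feed_entries(SAMPLE_FEED):
        print("unsafe:", render_entry(entry, sanitize=False))
        print("clean: ", render_entry(entry))
```

Running the module prints the verbatim rendering (script tag intact) next to the sanitized one. With nh3 installed, the sanitizing step collapses to `nh3.clean(entry["summary"])`, which applies a comparable allow-list; the point either way is that sanitization must happen before the template marks the value safe, since `|safe` disables Django's own escaping for that value.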

@jeremystretch jeremystretch added status: needs owner This issue is tentatively accepted pending a volunteer committed to its implementation severity: medium Results in substantial degraded or broken functionality for specfic workflows and removed status: needs triage This issue is awaiting triage by a maintainer labels Jan 13, 2025
@noxlumens (Author) commented Jan 13, 2025

Hey Jeremy, sorry. I misunderstood the NetBox Labs customer identifier. My company only uses the community edition at this time and does not have an account ID. I sent my initial email on Sat, Nov 23, 2024 at 9:20 PM, and follow-ups on Fri, Nov 29, 2024 at 11:47 AM, Fri, Dec 27, 2024 at 9:23 AM, and Sat, Jan 11, 2025 at 3:33 PM.

@noxlumens noxlumens changed the title XSS in RSS Feed Summary Tag leads to RCE or SuperUser Creation XSS in RSS Feed Summary Tag can lead to RCE or SuperUser Creation Jan 13, 2025
@jeremystretch jeremystretch self-assigned this Jan 17, 2025
@jeremystretch jeremystretch added status: accepted This issue has been accepted for implementation and removed status: needs owner This issue is tentatively accepted pending a volunteer committed to its implementation labels Jan 17, 2025
@noxlumens (Author)

@jeremystretch Were you able to locate the emails I sent to security@netboxlabs.com? The subject line contained "Vulnerability Disclosure Netbox Community". If it's easier, I can open a new issue here for the other vulnerabilities, since they were also in the community edition. I did verify they were also present in version 4.2.1.
