Challenge for you all to prove that CVE-2022-29622 is not false

Overview

CVE-2022-29622: (In)vulnerability Analysis

This codebase was created to help security professionals and developers understand why I think Formidable was not vulnerable to CVE-2022-29622. I have written up my analysis here:

https://medium.com/@zsolt.imre/cve-2022-29622-in-vulnerability-analysis-5cf783c3721

As some did not understand it, I thought I would illustrate my point using actual, running code.

The Server

The server is implemented in index.mjs. It uses Formidable version 3.1.4 to accept the upload of any file of your choosing.

I explicitly configured Formidable as shown below:

{
  uploadDir: './uploads/',
  keepExtensions: true,
}

This way, all files will be uploaded to the uploads directory. I have enabled keepExtensions so you can get your files with a malicious filename uploaded.

Starting the Server

To set up and start the server, issue the following commands from this directory:

npm install
npm run start

The first command installs all dependencies, including the appropriate version of formidable. The second command will start the server.

Once up and running, you can access the file upload form exposed by the server at: http://127.0.0.1:3000/

Upload a Malicious File

I have included two files with malicious names in the examples directory... as examples.

Files submitted using the form at http://127.0.0.1:3000 will get uploaded to the uploads directory.

CHALLENGE

The challenge is to see if you can prove that formidable is vulnerable to CVE-2022-29622. To do that, you have to get this web server to execute code that you include in the uploaded file or in the name of the file.

The rules:

  1. You are allowed to put your malicious payload in the file or within the file's name (similar to the examples I have provided).
  2. You are allowed to tamper with the parts of the HTTP request that are related to the file upload (e.g. multipart body, content-type, boundary string).
  3. The only acceptable attack surface is port 3000. You MUST NOT modify any files within this directory.

Only if you can get arbitrary code executed while strictly following the above rules have you proved that formidable was vulnerable to arbitrary code execution.

Suggestion: Probably the simplest visual demonstration would be to get the server to print out a string, for example "I'm awesome, I've got arbitrary code executed", on the console where you started the web server.

Comments
Error [ERR_MODULE_NOT_FOUND]

Hi, I'm getting this error when trying to run the server. I've run the npm install and checked that koa is indeed installed, but still the server won't start.

That is what I get when I run npm run start:

[email protected] start
node ./index.mjs

internal/process/esm_loader.js:74
    internalBinding('errors').triggerUncaughtException(
    ^

Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'Koa' imported from /opt/CVE-2022-29622/index.mjs
    at new NodeError (internal/errors.js:322:7)
    at packageResolve (internal/modules/esm/resolve.js:732:9)
    at moduleResolve (internal/modules/esm/resolve.js:773:18)
    at Loader.defaultResolve [as _resolve] (internal/modules/esm/resolve.js:887:11)
    at Loader.resolve (internal/modules/esm/loader.js:89:40)
    at Loader.getModuleJob (internal/modules/esm/loader.js:242:28)
    at ModuleWrap.<anonymous> (internal/modules/esm/module_job.js:76:40)
    at link (internal/modules/esm/module_job.js:75:36) {
  code: 'ERR_MODULE_NOT_FOUND'
}

opened by tomabai 4
Owner
Zsolt Imre
Founder, CTO, product and application security expert - Do not judge by my profile, I live on GitLab. :P