A local file coding error could be exploited to trigger RCE
A remote code execution (RCE) attack chain caused by a local file inclusion bug in blogging platform Hashnode has been disclosed by security researchers.
On February 28, Aditya Dixit, a penetration tester and security engineer based in India, said in a security advisory that the RCE had been found in Hashnode, a blogging platform for the engineering and developer community.
Dixit experienced continual errors while attempting to import posts on Hashnode. After examining the issue in Burp Suite, he found coding errors and a local file inclusion (LFI) vulnerability that allowed users to fetch internal server files.
This issue was present in Hashnode’s Bulk Markdown Importer, a feature developed for users to import .ZIP compressed files in Markdown (.md) format.
Together with security researcher Adhyayan Panwar, Dixit was able to escalate the LFI to achieve RCE.
The duo found an Error NO ENTry (ENOENT) error in Markdown – via Burp Suite – when a user tried to insert an image with a specified path.
“From here, it was just a matter of connecting the dots to fetch the internal files from the server,” Dixit said.
“Instead of a non-existent path, we decided to give the location of an actual file like the /etc/passwd hoping it would give us the file contents in the response.”
Hiding in plain sight
Dixit and Panwar were able to directly download files, and now armed with user and home directory path names from the passwd file, the team decided to “try” for RCE.
To turn this attack into remote code execution, the IP address of the server was required. Dixit said that by default, public and private keys are stored in two separate, default directories, and it was possible to modify a payload to fetch the private key.
The server was being “hidden behind Cloudlfare,” the pen tester says, and so Panwar turned to the /proc/net/tcp directory to find the right IP address. The /proc interface revealed active TCP connections, and while addresses are stored as hex values, it was possible to use simple code to convert them into a readable format – exposing the IP address and port number.
Panwar told The Daily Swig that /proc/net/tcp can provide crucial information regarding internal ports, giving investigators a “broader attack surface”. However, an infosec Discord user suggested checking the file for the information required to create an RCE trigger.
“We had never looked at it from a perspective of retrieving IP addresses,” the researcher said. “It contained a list of all the connections that were active on the server, with a list of local and remote addresses. We could identify three local addresses: one was localhost, one was their intranet IP and one was [a] public IP, which allowed SSH connections.”
If an attacker is armed with this information, they could then execute code on the server.
The Hashnode team was informed of the researchers’ findings on February 8. Hashnode told us that “the vulnerability was associated with one of our legacy components and was fixed pretty much immediately. We also rotated all of our keys immediately.”
Dixit commented: “Even though we were able to get the private key for the user, we could not SSH into the server because according to Hashnode, there was IP address whitelisting to prevent unauthorized access”.
“We did not actually try to log in when we got the key because of obvious reasons. But in cases where the admins have not implemented any IP whitelisting [allow listing] or firewalls, this can definitely lead to a full server compromise.”
“The takeaway from our exploit would be to never display descriptive messages to the end-users and always have input validation in place on all the input parameters,” the researcher added. “It’s a really bad idea to trust your users' inputs.”