CVE-2022-0482 Demo Repository
⚠️ Disclaimer: This repository is solely for educational and research purposes. Unauthorized and malicious use is strictly prohibited. The authors will not be held responsible for any misuse or damage resulting from the deployment of any code or exploit provided herein.
About the Vulnerability
CVE-2022-0482 is a critical information disclosure flaw in alextselegidis/easyappointments (GitHub) prior to version 1.4.3.
"Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3."
Source: NIST Vulnerability Database
"The software is a booking management system that has a public form to place bookings, and a private area for the calendar and management of services, users, settings, etc. There is a backend API that allows data manipulation, including listing the appointments for a specific time range. This happens on this endpoint: /index.php/backend_api/ajax_get_calendar_events. Unfortunately, there is no authentication/permissions-check on that endpoint; the only required parameters in a POST request are 'startDate,' 'endDate,' and 'csrfToken.' Because the csrfToken can be obtained by any unauthenticated user just visiting the public form (and is valid for the backend as well), any attacker can query the backend API and obtain all sorts of private information about the appointment, in JSON format."
Source: GitHub Advisory
Setup
To set up the vulnerable environment for demonstration, follow the steps below:
- Clone this repository:
  git clone https://github.com/OwlsNightCatch/CVE-2022-0482-demo.git
- Navigate to the easyappointments-1.4.2 directory inside the cloned repository:
  cd CVE-2022-0482-demo/target/easyappointments-1.4.2
- Run Docker Compose:
  docker compose up
Sometimes startup hangs after the log line
easyappointments-142-php-fpm-1 | ➜ Install NPM Dependencies
If that happens, restart the container easyappointments-142-php-fpm-1.
Wait until the following log lines appear:
2023-10-26 01:08:46 ➜ Listen To Incoming Requests
2023-10-26 01:08:46 [25-Oct-2023 17:08:46] NOTICE: fpm is running, pid 1387
2023-10-26 01:08:46 [25-Oct-2023 17:08:46] NOTICE: ready to handle connections
After these steps the vulnerable application should be up and running at http://localhost.
Complete the initial setup of the server in the web UI and add some appointments for customers, so that the endpoint has private data to leak.
Development
This environment uses version 1.4.2 of alextselegidis/easyappointments. For the customizations made to the Docker setup, consult target/custom_changes/. These files were taken from the develop branch of alextselegidis/easyappointments, with some adaptations and bug fixes.
Exploitation
⚠️ Disclaimer: The following exploitation methods are described for educational and research purposes only. Do not attempt to exploit any system you do not have explicit permission to test.
Prerequisites
- Python 3.x
- requests library
Exploit
Execute the Python script against the target:
python3 cve-2022-0482.py [-h] [--startDate STARTDATE] [--endDate ENDDATE] hostname
The script's help output:
usage: cve-2022-0482.py [-h] [--startDate STARTDATE] [--endDate ENDDATE] hostname

CVE-2022-0482 vulnerability is a critical information disclosure flaw affecting the GitHub repository
alextselegidis/easyappointments prior to version 1.4.3.

positional arguments:
  hostname              The hostname to which to exploit

options:
  -h, --help            show this help message and exit
  --startDate STARTDATE
                        The start date for the calendar events in the form YYYY-MM-DD
  --endDate ENDDATE     The end date for the calendar events in the form YYYY-MM-DD
Both dates have the form YYYY-MM-DD.
Mitigation
Upgrade to alextselegidis/easyappointments version 1.4.3 or later to mitigate this vulnerability.
Detection
An exploit attempt for CVE-2022-0482 can be spotted in the access logs of the affected service. Keep in mind that the same endpoint is called legitimately by the backend calendar of logged-in staff, so a request to it is only suspicious in context: a client that calls it without ever loading the backend UI, with no referer, with a non-browser user agent, or from an address that has no business in the admin area.
Nginx Access Logs
These logs are typically located at /var/log/nginx/access.log. In this example they are located in the nginx docker container at /var/log/nginx/application.access.log.
Search these logs for POST requests to /index.php/backend_api/ajax_get_calendar_events from unusual IPs:
grep "/index.php/backend_api/ajax_get_calendar_events" /var/log/nginx/application.access.log
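The grep above lists every hit; the following added example (not part of the repository) applies the context checks to nginx "combined" format lines and reports only the calls that do not look like admin-UI use. The log lines are constructed for the example, not captured from a real deployment. Assumptions: the admin UI lives under /index.php/backend, so a client that never loaded that prefix before calling the API is not a staff browser, and legitimate calls carry a backend referer and a browser user agent. Each is a heuristic; an attacker can spoof the last two, so treat the first as the strongest signal.

```python
"""Added example: first-pass triage of nginx access logs for CVE-2022-0482 probing."""
import re
from collections import defaultdict

ENDPOINT = "/index.php/backend_api/ajax_get_calendar_events"
# Assumption: the private admin UI is served under this prefix.
BACKEND_UI_PREFIX = "/index.php/backend"

# nginx "combined" format:
# remote_addr - remote_user [time_local] "request" status bytes "referer" "user_agent"
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: one staff session (10.0.0.5) and one scripted probe (203.0.113.7).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Oct/2023:01:10:02 +0000] "GET /index.php/backend HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
10.0.0.5 - - [26/Oct/2023:01:10:05 +0000] "POST /index.php/backend_api/ajax_get_calendar_events HTTP/1.1" 200 2310 "http://localhost/index.php/backend" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
203.0.113.7 - - [26/Oct/2023:01:12:40 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "python-requests/2.31.0"
203.0.113.7 - - [26/Oct/2023:01:12:41 +0000] "POST /index.php/backend_api/ajax_get_calendar_events HTTP/1.1" 200 48211 "-" "python-requests/2.31.0"
198.51.100.9 - - [26/Oct/2023:01:13:00 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without query strings
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def _is_backend_ui(path):
    # The API itself also starts with "/index.php/backend", so require an exact or "/" match.
    return path == BACKEND_UI_PREFIX or path.startswith(BACKEND_UI_PREFIX + "/")


def find_suspicious(log_text):
    """Return (ip, time, reasons) for each API call that does not look like admin-UI use.

    Lines are processed in order, so "no prior admin-UI page load" means none
    before this request. A call with no reasons is treated as normal staff traffic.
    """
    seen_backend_ui = defaultdict(bool)
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if _is_backend_ui(rec["path"]):
            seen_backend_ui[rec["ip"]] = True
        if rec["path"] != ENDPOINT:
            continue
        reasons = []
        if not seen_backend_ui[rec["ip"]]:
            reasons.append("api call without any prior admin-UI page load")
        if BACKEND_UI_PREFIX not in rec["referer"]:
            reasons.append("referer is not the admin UI")
        if not rec["agent"].startswith("Mozilla/"):
            reasons.append("non-browser user agent")
        if reasons:
            findings.append((rec["ip"], rec["time"], reasons))
    return findings


if __name__ == "__main__":
    for ip, when, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{when} {ip}: " + "; ".join(reasons))
```

To run it over the container's real log, read /var/log/nginx/application.access.log into a string and pass it to find_suspicious() instead of SAMPLE_LOG. The access log does not contain the POST body, so the requested date range (a wide window is another tell for a dump) would have to come from an application-level or request-body log.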