Responsible Disclosure
Dealing responsibly
with Security Vulnerabilities

PwnDoc – Incorrect Access Control

“PwnDoc is a pentest reporting application making it simple and easy to write your findings and generate a customizable Docx report.
The main goal is to have more time to Pwn and less time to Doc by mutualizing data like vulnerabilities between users.”

– Official README.md

We at the DGC wanted to streamline our documentation and reporting processes and decided to setup our own internal instance of PwnDoc in order to deliver high quality reports in less time for our clients.

In this process, the following security vulnerability was discovered.

Incorrect Access Control Vulnerability (CVE-2021-31590)

PwnDoc through 2021-05-12 has incorrect JSON Webtoken (JWT) handling, leading to incorrect access control.

With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even if he is downgraded to the “user” privilege.

Even after a user’s account is deleted, the user can still access the administration panel (and add or delete users) and keeps complete access to the system.

The flaw exists because the backend only verifies the JWT itself but misses essential checks against the database to verify that the stored data in the JWT is still applicable.

Furthermore the project used hard coded JWT secrets within the code so the generated JWTs stay valid after the software was re-deployed.

Demo

Tested version: Latest available as on 2021-05-12

In order to demonstrate the vulnerability, two admins need to be created:

second.admin logs in and get’s a valid JWT

Main Admin changes permissions of second.admin to only user rights:

Although second.admin should only have user permissions, he can create a new admin:

The main admin checks that something suspicious is going on and deletes all other users:

Even deleted, the second.admin keeps his admin permissions to view, modify or delete all other data:

Even after deleting all data and rebuilding the docker images…:

… the second.admin user still has admin rights – even though no user exists in the database!

Fix

The authentication and authorization processes must be adjusted to approve that the provided data within the JWT is still valid. In order to fix the issue the user’s existance, role and permissions have to be verfied on each request.

If the verification fails the application must deny access to the backend.

An related security fix for this vulnerability was submitted to the project maintainer, after several attempts to contact failed:

https://github.com/pwndoc/pwndoc/pull/128

The author submitted also a pull request that changes the storage location and provides a fix so the security-related data (certificates and JWT-secret) are changing on each new build or setup as long as there are no overwrites done by the administrator:

https://github.com/pwndoc/pwndoc/pull/74

Responsible Disclosure

DateDescription
2021-01-21Security flaw found and verified
2021-01-22GitHub Security Advisory created / PR#74 submitted to pwndoc
2021-01-25Created demo writeup for the repository maintainer
2021-01-26@github-staff commented to the Security Advisory and asks to create the security advisory not from the fork but from the official repo instead
2021-01-27Project maintainer contacted via GitHub asking to create a related security advisory directly within the pwndoc repo
2021-03-17Project maintainer contacted via email asking to create a related security advisory directly within the pwndoc repo
2021-04-22Requested CVE from MITRE
2021-04-23Received CVE-2021-31590 from MITRE
2021-05-11Created security fix for CVE-2021-31590
2021-05-12Published security fix and vulnerability description
2021-08-23The vendor fixed the vulnerability in pwndoc version 0.4.0

Discovered and reported by Sascha Brendel | Senior IT-Security Engineer & Pentester

Latests posts

Press contact

Romy Weigel
Marketing & PR Manager
Phone: +49 461 995838-97
Email: press@dgc.org

Follow us on