
CVE-2024-55466 PoC — ThingsBoard Security Vulnerability

Associated Vulnerability
Title: ThingsBoard Security Vulnerability (CVE-2024-55466)
Description: An arbitrary file upload vulnerability in the Image Gallery of ThingsBoard Community, ThingsBoard Cloud and ThingsBoard Professional v3.8.1 allows attackers to execute arbitrary code via uploading a crafted file.
Readme
# ThingsBoard Privilege Escalation Using Stored XSS

While tinkering with IoT technology, I found a vulnerability in the Thingsboard application that allowed avenues for privilege escalation.

Thingsboard is an open-source application that provides device management, data collection, processing and visualization for IoT services and deployments. Furthermore, a single Thingsboard instance (managed by a Tenant Administrator) can host services for multiple organizations, with separate Company Administrators for each.

While exploring its features, I noticed a file upload feature in the "Image Gallery" view. Unfortunately, the feature was vulnerable to stored cross-site scripting, which allowed an adversary to escalate privileges by stealing authentication tokens.

This vulnerability impacts all Thingsboard releases, including the Community, Cloud, and Professional editions. I responsibly reported the issue to the Thingsboard security team, who acknowledged it and committed to addressing it in a future release. Subsequently, I reported the vulnerability to MITRE, resulting in the assignment of a CVE.

## TL;DR

- Bug: Stored Cross-Site Scripting
- Severity: **CRITICAL**
- OWASP Vulnerability Category: [A03 Injection](https://owasp.org/Top10/A03_2021-Injection/)
- CVSS 4.0 Score: 8.8 `CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H`
- Affected Software Releases: Community Edition, Professional Edition, Cloud
- Affected Versions: 3.8.1 or earlier
- Vendor Details: Thingsboard (https://github.com/thingsboard/thingsboard)
## Pre-Requisites

To demonstrate the vulnerability, one requires an installation of [ThingsBoard](https://thingsboard.io/) ([GitHub repository](https://github.com/thingsboard/thingsboard)) with at least one low-privileged user.


## Steps to Reproduce

- **Step 1:** Log into a low-privileged customer account.
    
    ![low_priv_user](./images/test_user.jpg)

- **Step 2:** Navigate to `Resources > Image Gallery`

    ![image_gallery](./images/image_gallery.jpg)

- **Step 3:** Craft a malicious image file (*here, an SVG file carrying a JavaScript payload is used*) to exploit the cross-site scripting vulnerability.

    ![svg_with_xss_payload](./images/xss_svg_payload.jpg)

- **Step 4:** Upload the file and inspect the response to identify the destination file path where the payload was uploaded.

    ![publicLink](./images/fileupload_publicLink.jpg)

- **Step 5:** Visit the `publicLink` file path to trigger the payload.

    ![XSS_triggered](./images/xss_cookie_alert_firefox.jpg)

## Account Takeover

Since the payload is stored on the legitimate Thingsboard instance and served from the application's own origin, the script runs in the session context of whoever opens it. An adversary can therefore easily trick high-value targets (e.g. a Tenant Administrator or Company Administrator) into visiting the file and steal their authentication tokens.

A demonstration of the impact described above:

- **Step 1:** Log into a high-value account (*here a Tenant Administrator account is used in the Chrome browser, to demonstrate an environment isolated from the Firefox browser used above*).

    ![tenant_admin](./images/login_as_tenant_admin.jpg)

- **Step 2:** Visit the `publicLink` file path, retrieved earlier.

    ![XSS_triggered](./images/xss_cookie_alert.jpg)
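The root cause in the steps above is that an SVG accepted as an "image" can carry script and is later served inline from the application's origin. As an added example (not code from this write-up or from the ThingsBoard project), the following server-side check flags executable content in an SVG upload, and a companion function returns the response headers that keep a stored file inert even if a check is bypassed. The sample SVGs are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample upload: an SVG with inline script, an event handler and a
# javascript: link, i.e. the kind of file a gallery must not treat as a plain image.
UNSAFE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.cookie)</script>
  <rect width="10" height="10" onload="alert(1)"/>
  <a xlink:href="javascript:alert(1)"><text>x</text></a>
</svg>"""

# Constructed benign SVG for comparison.
SAFE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5" fill="red"/></svg>'

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Elements that can execute script or embed HTML inside an SVG document.
ACTIVE_TAGS = {"script", "foreignobject"}


def local_name(tag):
    """Strip the XML namespace prefix ("{uri}name") from a tag or attribute name."""
    return tag.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes):
    """Return a list of findings describing executable content in an SVG upload.
    An empty list means nothing active was found. Note: xml.etree is used here
    for brevity; untrusted XML in production should go through a hardened parser
    (e.g. defusedxml) because of entity-expansion attacks."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]
    findings = []
    for el in root.iter():
        name = local_name(el.tag)
        if name in ACTIVE_TAGS:
            findings.append("active element <%s>" % name)
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):  # SVG event-handler attributes (onload, onclick, ...)
                findings.append("event handler %s on <%s>" % (aname, name))
            if attr in ("href", XLINK_HREF) and re.match(r"^\s*javascript:", value, re.I):
                findings.append("javascript: URL in %s on <%s>" % (aname, name))
    return findings


def upload_response_headers():
    """Headers for serving user-uploaded SVGs: no MIME sniffing, download instead of
    inline rendering on direct access, and a CSP sandbox with no script sources."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }
```

Rejecting an upload when `find_active_content` returns anything, or rasterising SVGs to PNG on ingest, closes the gap on the upload side; the headers limit the blast radius for files already stored.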