
CVE-2020-14368 PoC — Eclipse Che Cross-Site Request Forgery Vulnerability

Source
Associated Vulnerability
Title: Eclipse Che Cross-Site Request Forgery Vulnerability (CVE-2020-14368)
Description: A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site WebSocket hijack on Theia IDE. This flaw allows an attacker to gain full access to the victim's workspace through the /services endpoint. To perform a successful attack, the attacker conducts a Man-in-the-middle attack (MITM) and tricks the victim into executing a request via an untrusted link, which performs the CSRF and the Socket hijack. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Description
Interactive RCE exploit demo for Eclipse CHE
Readme
# CSWSH-THEIA-CVE-2020-14368

- Report target: Eclipse CHE deployment available on che.openshift.io
- Vulnerability type: Cross-site websocket hijack
- Discovery date: 2020-04-08
- Author: Robin Duda (codingchili@github)

## Summary

The /services websocket endpoint in Eclipse CHE and Theia is vulnerable to cross-site websocket hijacking.
This vulnerability affects Eclipse CHE servers that use cookie or basic authentication: because the websocket
connection doesn't perform any cross-site checks or in-channel authentication, the browser automatically
includes any credentials when connecting from third-party domains. The attack works just like a cross-site
request forgery attack, except it is much more powerful, as it grants an attacker two-way communication.

Read more about CSWSH here: https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking
File Snapshot

[4.0K] /data/pocs/7de39e3a8c7e5e30e8b53538ffd6a43563b1d771
├── [1.0K] LICENSE
├── [4.0K] poc
│   ├── [6.1K] che-openshift-con-hack.html
│   ├── [7.3K] gcp-con-hack.html
│   └── [2.1K] theia-con-hack.html
├── [ 870] README.md
├── [ 15K] report.md
├── [280K] report.pdf
└── [4.0K] screenshots
    ├── [ 29K] e1_1.PNG
    ├── [ 24K] e2_1.PNG
    ├── [ 35K] e2_2.PNG
    ├── [ 29K] e2_3.PNG
    ├── [ 23K] e2_4.PNG
    ├── [ 46K] router_ingress_address.PNG
    └── [ 47K] wireshark_dns_mitm.PNG

2 directories, 14 files