I told you there are more CVEs coming! And this is just the beginning: as of right now, I have 14 MORE CVE numbers reserved, which are waiting on developer confirmation or for responsible-disclosure dates to pass.
Anyway, on to more important topics, like CVE-2022-34625, aka Server-Side Template Injection (SSTI) to Remote Code Execution (RCE). More information about SSTI HERE and RCE HERE.
So my co-worker at nVisium, Bruno Hernández (GitHub and LinkedIn), and I were looking for some CVEs after work hours, testing an open source web application called Mealie, which I suggested and which can be found HERE.
Specifically, for this night we used Docker to deploy the application, which would later come back to bite us (more on that in future posts).
Anyway, we spent a long night finding things such as Denial of Service (DoS), a shitty password policy, multiple Cross-Site Scripting issues, an arbitrary file write (you can write a file to any directory on the entire host?!) and more.
After all these vulnerabilities it was hard to think there was nothing else there. However, to come across an RCE, well, that’s the holy grail.
Bruno spent a lot of time working with the Python routes because, with the arbitrary file write, we could overwrite a Python route with some extra code and it should execute when that route is accessed. Which it did, when executing the Python locally. The problem was what we gathered to be a caching issue, so after running the application the malicious .py file wouldn’t be executed until the application was restarted.
I also suggested a crontab and he suggested overwriting /etc/passwd, but these, like the Python route, wouldn’t run on demand, which Bruno was unhappy with.
While he tinkered at that for what seemed to be hours, I went back to page one, reading the README and looking through the documentation.
It was then, at the crack of dawn, that I realized something:

According to Mealie’s documentation located HERE, it supported Jinja2 templates. Now if you know, you know 🙂
So I logged in as an Admin, uploaded the “recipe” template and exported the backup, and BOOM, had code execution.
Here is the payload used:
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}

What was super cool (beyond finding an RCE in the WILD) was that Bruno’s arbitrary file upload allowed low privilege users to also upload a template, which would then be executed when running an export.
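The defensive side of that same Jinja2 chain, as an added example that is not code from this post or from Mealie: it renders a user-supplied export template once with Jinja2's default Environment and once with its SandboxedEnvironment, using a probe that follows the payload's attribute walk only as far as the module globals (no command is run). The recipe data and both template strings are constructed for the example.

```python
"""Rendering an untrusted template: default Environment vs SandboxedEnvironment."""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed sample data standing in for an exported recipe (not Mealie's real schema).
SAMPLE_RECIPE = {"name": "Pancakes", "ingredients": ["flour", "milk", "egg"]}

# An honest export template a user would legitimately upload.
BENIGN_TEMPLATE = "# {{ recipe.name }}\n{% for i in recipe.ingredients %}- {{ i }}\n{% endfor %}"

# Probe following the post's attribute walk, but it stops at the module globals and
# only reports which module was reached instead of calling os.popen.
PROBE_TEMPLATE = "{{ self._TemplateReference__context.cycler.__init__.__globals__['__name__'] }}"


def render_user_template(source: str, sandboxed: bool) -> tuple:
    """Render an untrusted template; returns ("rendered", text) or ("blocked", error)."""
    env = SandboxedEnvironment() if sandboxed else Environment()
    try:
        return ("rendered", env.from_string(source).render(recipe=SAMPLE_RECIPE))
    except SecurityError as exc:
        # The sandbox refuses attributes whose name starts with "_" (and other internals),
        # so the walk dies at the very first step, before __globals__ is ever reached.
        return ("blocked", str(exc))


if __name__ == "__main__":
    for name, tpl in (("benign", BENIGN_TEMPLATE), ("probe", PROBE_TEMPLATE)):
        for sandboxed in (False, True):
            status, out = render_user_template(tpl, sandboxed)
            print(f"{name:6} sandboxed={sandboxed!s:5} -> {status}: {out!r}")
```

The sandbox is defense in depth for a feature that must render user-authored templates; it does not replace restricting who may upload them.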
Anyway, Bruno reported it to the dev via huntr.dev HERE.
He posted about it HERE in a much more detailed and technical write-up!
The issue being accepted and fixed by the developer can be found HERE.
And further information about the CVE itself can be found HERE, HERE and in many other places in the near future 🙂
More coming soon!
END TRANSMISSION