MultiversX Web IDE Smart Contracts Playground Exploit

Service Description

The MultiversX Play API, accessible at https://play-api.multiversx.com/ and developed using NestJs, functions as a bridge for the browser-based IDE (https://play.elrond.com/). This API facilitates the compilation and deployment of MultiversX smart contracts directly from the browser, thus enabling the creation and management of these contracts within the browser-based IDE itself.

Affected Service

https://play-api.multiversx.com/

https://devnet-play-api.multiversx.com

https://testnet-play-api.multiversx.com

Vulnerability Summary

[CWE-78] - Unauthenticated Remote code execution (RCE).

An unauthenticated, remote OS Command Injection vulnerability (CWE-78) was discovered in the MultiversX Play API. This vulnerability arises from an unsafe implementation of the /build API endpoint, due to inadequate validation of process arguments in the POST request made to https://play-api.multiversx.com/build. A successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system with ubuntu user privileges.

Reproduction Steps

OS Command Injection - CWE-78.

The /build endpoint of the MultiversX Play API, reachable at https://play-api.multiversx.com/build, can be exploited for a Remote Code Execution (RCE) attack. The issue lies in the command field of the POST request body, which fails to sufficiently validate and sanitize its input.

As a result, arbitrary OS commands can be injected and subsequently executed on the underlying server.

For instance, the following curl command demonstrates an attack that leverages this vulnerability to display the contents of the /etc/passwd file:

Payload

curl -X 'POST' \
  'https://play-api.multiversx.com/build' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "command": "cat /etc/passwd `cat /etc/passwd`",
    "content": {}
  }'

In this example, the command cat /etc/passwd is injected into the command field of the POST request body twice, leading to a situation where the command is executed and its output returned in the response from the server.

This means that an attacker could exploit this vulnerability to execute arbitrary commands with the permissions of the ubuntu user on the server, representing a serious security threat.

We could also exploit this vulnerability to create a reverse shell and potentially pivote into other node 

In addition to using this vulnerability to display the contents of server files, an attacker could also exploit it to create a reverse shell, giving them interactive access to the server.

For instance, the following payload would create a reverse shell that connects back to an attacker-controlled server:

This will give us interactive access to the server with the permissions of the `ubuntu` user.  

Furthermore, having control over a server within a network could also enable the attacker to carry out lateral movement to other systems. This could lead to a broader network compromise, especially if the compromised server has credentials or other sensitive data that could be used to authenticate to other systems.

Recommendation Fixes / Remediation

  1. Input Validation: Enforce strict validation on all user inputs or any data received from a client. Only allow data that meets a very specific criteria or whitelist of accepted values. In this case, you might want to restrict the characters allowed in the command field and disallow special characters that could be used to chain commands.
    1. Sanitize Inputs: Sanitize data used in the command to ensure that it doesn't contain any elements that could modify the command behavior. For instance, characters like backticks (`), semicolons (;), and pipe symbols (|) should be escaped or removed.
      1. Least Privilege Principle: Limit the privileges of the user account that executes the command. If command execution is required, it should run with the minimum privileges necessary to perform the task.
        1. Use Secure APIs: When possible, replace the use of OS commands with secure programming interfaces. Many tasks performed with commands can also be performed directly by the code using APIs, reducing the risk of command injection.

          Reference

          https://play-api.multiversx.com/#/build/BuildController_build

          https://devnet-play-api.multiversx.com/#/build/BuildController_build

          https://testnet-play-api.multiversx.com/#/build/BuildController_build

          Other MultiversX Report

          https://neroteam.com/blog/multiversx-wallet-exploit

          Security researcher