CVE-2021-39192 Ghost CMS >= 4.0.0 & <= 4.9.0 “Privilege escalation: all users can access Admin-level API keys” — Proof of Concept
This is my first time posting a PoC on this blog, and there will be more in the future.
I performed vulnerability research in July 2021. Fortunately, I discovered a vulnerability in Ghost CMS. Ghost is a free and open source blogging platform written in Node.js and distributed under the MIT License, designed to simplify the process of online publishing for individual bloggers as well as online publications. According to the Ghost website, they have over 2.5 million users globally.
A Ghost CMS Privilege Escalation/Broken Access Control vulnerability was discovered in versions between 4.0.0 and 4.9.4. The application is vulnerable to privilege escalation in the “View General Site Setting” module. This vulnerability allows any non-privileged user to retrieve admin-level settings and API key information stored in the application.
Before we jump into the PoC, we need to understand the user roles in Ghost. Based on Ghost’s documentation on user roles, there are five distinct roles with different privileges within the Ghost system:
Contributors: Can log in and write posts but cannot publish. Contributors are untrusted users with the most basic access to your publication.
Authors: Can create and publish own posts and tags
Editors: Can invite, manage and edit authors and contributors
Administrators: Have full permissions to view and edit all data and settings
Owner: An admin who cannot be deleted and has access to billing details
Referring to the user roles and permission matrix, only the Administrator is allowed to access “View General Site Setting”; Editor, Author and Contributor are not. However, this is not the case based on my research.
The screenshot below shows the users created on the Ghost CMS together with their User Role. Owner is the highest privilege and Contributor is the lowest privilege.
Proof of Concept
I logged on to the Ghost CMS as an administrator, browsed through all the admin modules and found an interesting endpoint:
http://URL/ghost/api/canary/admin/setting
This endpoint can only be discovered via either a proxy tool (I was using Burp Suite Pro) or the browser’s Inspect Element.
With this endpoint, the vulnerability can be exploited. First, log on to the Ghost CMS as a Contributor and browse to the following endpoint; the response shows the General Settings information in JSON format.
http://URL/ghost/api/canary/admin/setting
This allows a Contributor to harvest the site’s private password, the Integrations’ admin API keys and third-party API keys (including Stripe, Slack webhook, OAuth, Mailgun, etc.) for further attacks or to abuse the third-party services of Ghost CMS customers. According to the Ghost website, Ghost supports more than 100 types of third-party API integrations.
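The access-control failure described above is an authentication check without an authorisation check: the endpoint confirms that the caller is logged in but never asks whether the caller’s role is allowed to view settings. The following is an added example, not Ghost’s code, that models a settings endpoint both ways: the vulnerable pattern and a hardened handler that consults a permission matrix derived from the five roles listed in this post, plus a response audit that reports which secret-bearing fields actually left the server. The settings document, field names, permission names and handler shape are all constructed for illustration.

```javascript
// Added example (not Ghost's code). Constructed permission matrix modelled on the
// five roles described in the post; permission names are hypothetical.
const PERMISSIONS = {
  Contributor: new Set(['post.write']),
  Author: new Set(['post.write', 'post.publish', 'tag.manage']),
  Editor: new Set(['post.write', 'post.publish', 'tag.manage', 'user.manage']),
  Administrator: new Set(['post.write', 'post.publish', 'tag.manage', 'user.manage',
    'settings.view', 'settings.edit']),
  Owner: new Set(['post.write', 'post.publish', 'tag.manage', 'user.manage',
    'settings.view', 'settings.edit', 'billing.view']),
};

// Constructed settings document; every secret value is a placeholder.
const SETTINGS = {
  title: 'Example Blog',
  description: 'A demo publication',
  password: 'SITE-PRIVATE-PASSWORD-PLACEHOLDER',
  slack_url: 'https://hooks.slack.example/PLACEHOLDER',
  stripe_secret_key: 'sk_PLACEHOLDER',
  mailgun_api_key: 'key-PLACEHOLDER',
};

// Fields that carry secrets; used to audit a response, never to decide access.
const SECRET_FIELDS = new Set(['password', 'slack_url', 'stripe_secret_key', 'mailgun_api_key']);

// Unknown roles get no permissions at all (fail closed).
function hasPermission(role, permission) {
  const granted = PERMISSIONS[role];
  return granted !== undefined && granted.has(permission);
}

// Vulnerable pattern: the caller is authenticated, so the full document is returned.
function settingsHandlerVulnerable(session) {
  if (!session || !session.userId) return { status: 401, body: { error: 'unauthorized' } };
  return { status: 200, body: { settings: { ...SETTINGS } } };
}

// Hardened pattern: a named permission is checked before anything is serialised.
function settingsHandlerFixed(session) {
  if (!session || !session.userId) return { status: 401, body: { error: 'unauthorized' } };
  if (!hasPermission(session.role, 'settings.view')) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  return { status: 200, body: { settings: { ...SETTINGS } } };
}

// Response audit: which secret-bearing fields does a response actually contain?
// Useful as a last line of defence in an integration test for every non-admin role.
function exposedSecrets(response) {
  if (!response.body || !response.body.settings) return [];
  return Object.keys(response.body.settings).filter((k) => SECRET_FIELDS.has(k)).sort();
}

// Run the same Contributor session through both handlers.
const contributor = { userId: 42, role: 'Contributor' };
console.log('vulnerable handler exposes:', exposedSecrets(settingsHandlerVulnerable(contributor)));
console.log('fixed handler exposes:', exposedSecrets(settingsHandlerFixed(contributor)));
```

The audit function is the part worth keeping in a test suite: looping every non-admin role through every admin endpoint and asserting that `exposedSecrets` returns an empty list catches this class of bug even when a new secret field is added later.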
Impact of the Vulnerability
An insider, or an attacker who compromises any of the privileged Ghost user accounts, could exploit this vulnerability to harvest the Ghost integration API keys or third-party integration API keys and use them to invoke unauthorized API calls against the Ghost application and third-party applications.
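For an operator who ran an affected version, the practical question is which accounts successfully read the admin settings endpoint, because that determines which integration keys have to be treated as exposed. The following is an added detection example, not from the post or the Ghost project. It assumes an application request log with one entry per line in the constructed shape `<ISO timestamp> <method> <path> <status> user=<id>` and a user directory mapping each id to its role; both the log lines and the directory are constructed here, and the path pattern covers any API version segment (canary, v4, ...) and both the singular spelling used in the post and the plural form.

```javascript
// Added detection example (not Ghost's code). Log format and user directory are constructed.
const ADMIN_ROLES = new Set(['Administrator', 'Owner']);

// Admin settings endpoint under any API version segment; singular and plural path accepted.
const ADMIN_SETTINGS_RE = /^\/ghost\/api\/[^/]+\/admin\/settings?\/?(?:\?.*)?$/;

// Constructed user directory: id -> role, mirroring the roles listed in the post.
const USERS = {
  1: { email: 'owner@example.test', role: 'Owner' },
  2: { email: 'admin@example.test', role: 'Administrator' },
  3: { email: 'editor@example.test', role: 'Editor' },
  4: { email: 'writer@example.test', role: 'Contributor' },
};

// Constructed request log; the hypothetical format is "<time> <method> <path> <status> user=<id>".
const LOG_LINES = [
  '2021-07-10T09:00:01Z GET /ghost/api/canary/admin/settings/ 200 user=2',
  '2021-07-10T09:05:12Z GET /ghost/api/canary/admin/posts/ 200 user=4',
  '2021-07-10T09:05:40Z GET /ghost/api/canary/admin/settings/ 200 user=4',
  '2021-07-10T09:06:03Z GET /ghost/api/canary/admin/settings/?group=integrations 200 user=3',
  '2021-07-10T09:07:30Z GET /ghost/api/v4/admin/settings/ 403 user=4',
  'garbage line that does not parse',
];

const LINE_RE = /^(\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3}) user=(\d+)$/;

// Returns a structured entry, or null for lines that do not match the expected format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { time: m[1], method: m[2], path: m[3], status: Number(m[4]), userId: Number(m[5]) };
}

// Flags successful admin-settings requests made by accounts whose role should not have them.
// Denied requests (4xx) are skipped: those are the fixed version doing its job.
function findUnauthorizedSettingsReads(lines, users) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;
    if (!ADMIN_SETTINGS_RE.test(entry.path)) continue;
    if (entry.status < 200 || entry.status >= 300) continue;
    const user = users[entry.userId];
    const role = user ? user.role : 'unknown';
    if (ADMIN_ROLES.has(role)) continue;
    findings.push({ ...entry, role, email: user ? user.email : null });
  }
  return findings;
}

// Per-account summary: every account listed here has seen the settings document,
// so every key in it should be considered exposed.
function countByUser(findings) {
  const counts = {};
  for (const f of findings) counts[f.userId] = (counts[f.userId] || 0) + 1;
  return counts;
}

const findings = findUnauthorizedSettingsReads(LOG_LINES, USERS);
for (const f of findings) console.log(`${f.time} ${f.email} (${f.role}) read ${f.path}`);
console.log('reads per account:', countByUser(findings));
```

If this turns up any successful non-admin read, upgrading alone does not close the exposure: the integration keys and third-party credentials that were in the settings document at the time need to be rotated, since they may already have been copied out.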
Timeline
2021/7/14: Submitted the issue to Ghost
2021/7/16: Ghost acknowledged the issue
2021/7/20: Fix released in version 4.10 and a security advisory issued crediting me
2021/9/3: CVE-2021-39192 was published