first commit

rocketchat/CVE-2021-22911/README.md

@@ -0,0 +1,52 @@
+# Rocket Chat Pre-Auth Blind NoSQL Injection (CVE-2021-22911)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Rocket.chat is an open source team chat platform.
+
+At Rocket Chat from 3.12.1 to 3.13.2, The `getPasswordPolicy` method is vulnerable to NoSQL injection attacks and does not require authentication/authorization. It can be used to take over normal user accounts by leaking password reset tokens.
+
+References:
+
+- https://blog.sonarsource.com/nosql-injections-in-rocket-chat
+- https://www.exploit-db.com/exploits/50108
+- https://github.com/CsEnox/CVE-2021-22911
+- https://paper.seebug.org/1652/
+
+## Vulnerable Application
+
+Executing following command to start a Rocket Chat 3.12.1:
+
+```
+docker compose up -d
+```
+
+Once the server is started, visit `http://your-ip:3000` to see the installation wizard.
+
+After the installation is complete, in order to verify the attack, you need to add a normal user in the administration with the username `vulhub` and the email `vulhub@vulhub.org`.
+
+## Exploit
+
+There is three steps to reproduce the vulnerability:
+
+1. Reset the password on the login page, and the server will generate a Password Reset Token in the database
+2. Use NoSQL injection to expose this Password Reset Token
+3. Use Password Reset Token to change the user's password
+
+At the step two, you can use `$regex` directive to perform the attack.
+
+In my scenario, when `$regex` is equal to `^7`, an error message returned:
+
+![](3.png)
+
+When `$regex` is equal to `^8`, the response is different. It proves that the Token is starts with `8`:
+
+![](4.png)
+
+Use this simple script [CVE-2021-22911.py](CVE-2021-22911.py) to exfiltrate the Password Reset Token:
+
+![](2.png)
+
+Change user password successfully:
+
+![](5.png)