You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
Nuclei Template Signature Verification Bypass
Moderate severity
GitHub Reviewed
Published
Sep 4, 2024
in
projectdiscovery/nuclei
•
Updated Oct 14, 2024
A vulnerability has been identified in Nuclei's template signature verification system that could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template.
Affected Component
The vulnerability is present in the template signature verification process, specifically in the signer package.
Description
The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed. This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template.
Affected Users
CLI Users: Those executing custom code templates from unverified sources. This includes templates authored by third parties or obtained from unverified repositories.
SDK Users: Developers integrating Nuclei into their platforms, particularly if they permit the execution of custom code templates by end-users.
Note
Code templates are disabled as default, users have to explicitly enable with -code option.
Proof of Concept
id: example-templateinfo:
name: Example Template# Other benign content...# digest: <valid_signature_for_benign_content># digest: <another_signature>\rcode:\r
- engine:\r
- sh\r
- bash\rsource: |\r id\r
Patches
The vulnerability is addressed in Nuclei v3.3.2 Users are strongly recommended to update to this version to mitigate the security risk.
Immediate Upgrade: The primary recommendation is to upgrade to Nuclei v3.2.0, where the vulnerability has been patched.
Avoid Unverified Templates: As an interim measure, users should refrain from using custom templates if unable to upgrade immediately. Only trusted, verified templates should be executed.
Workarounds
If you are unable to upgrade nuclei, disable running custom code templates as workaround.
Summary
A vulnerability has been identified in Nuclei's template signature verification system that could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template.
Affected Component
The vulnerability is present in the template signature verification process, specifically in the
signer
package.Description
The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed. This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template.
Affected Users
Note
Code templates are disabled as default, users have to explicitly enable with
-code
option.Proof of Concept
Patches
Mitigation
Workarounds
If you are unable to upgrade nuclei, disable running custom code templates as workaround.
Acknowledgments
We would like to thank Guy Goldenberg from Wiz who reported this to us via our security email, security@projectdiscovery.io.
References