## https://sploitus.com/exploit?id=75098883-BA5D-54E4-AFFB-D128B7878147
# CVE-2022-29622: (In)vulnerability Analysis

This codebase was created to help security professionals and developers understand why I think Formidable was not vulnerable to CVE-2022-29622. My analysis is written up here:

https://medium.com/@zsolt.imre/cve-2022-29622-in-vulnerability-analysis-5cf783c3721

As some did not understand it, I thought I would illustrate my point using actual, running code.

## The Server

The server is implemented in `index.mjs`. It uses Formidable version `3.1.4` and accepts an upload of any file you choose.

I explicitly configured Formidable as shown below:

```
{
  uploadDir: './uploads/',
  keepExtensions: true,
}
```

This way, all files will be written to the `uploads` directory. I have enabled `keepExtensions` so that an uploaded file keeps the extension of the filename you supply, malicious or not.

## Starting the Server

To set up and start the server, issue the following commands from this directory:

```
npm install
npm run start
```

The first command installs all dependencies, including the appropriate version of Formidable. The second command starts the server.

Once up and running, you can access the file upload form exposed by the server at: http://127.0.0.1:3000/

## Upload a Malicious File

I have included two files with malicious names in the `examples` directory... as **examples**.

Files submitted using the form at http://127.0.0.1:3000 will get uploaded to the `uploads` directory.

## CHALLENGE

The challenge is to see if you can prove that `formidable` is vulnerable to CVE-2022-29622. To do that, you have to get this web server to execute code that you include in the uploaded file or in its name.

The rules:

 1. You are allowed to put your malicious payload in the file or within the file's name. (Similar to the examples I have provided.)
 2. You are allowed to tamper with parts of the **HTTP request** that are related to file upload. (e.g.: multipart body, content-type, boundary string)
 3. The **only acceptable attack surface** is port `3000`. You **MUST NOT** modify any files within this directory.

**If** you can get arbitrary code executed while strictly following the above rules, **only then** have you proved that `formidable` was vulnerable to arbitrary code execution.

Suggestion: probably the simplest visual demonstration would be to get the server to print a string, for example "I'm awesome, I've got arbitrary code executed", on the console where you started the web server.