Vulnerability identified in Smidge

Smidge – A lightweight library for runtime CSS and JavaScript file management, minification, combination & compression in Microsoft .NET.

In Program.cs of a .NET web application, a Smidge JavaScript bundle is defined with “CreateJs”.

[Screenshot: smidge-define-bundle]

This module is vulnerable to arbitrary file creation.

Background
Smidge is a file management module that can be integrated with web applications in Microsoft .NET. The module has more than 10M downloads on NuGet (https://www.nuget.org/packages/Smidge) and is integrated into several CMS products, for example Umbraco versions 10, 11, 12 and 13.
A vulnerability has been identified that can be used for arbitrary file creation. By exploiting this vulnerability, it might be possible to:

  • Enumerate usernames on the web server.
  • Deplete available hard disk space and thus affect availability.

Details
With the Smidge module you can configure “bundles”, which package multiple files together. This is done by defining a name for the bundle and the paths of the files it should include. When you make an HTTP request for the bundle, you also need to specify a version, e.g.:
https://<domain>/<bundle-name>.js.v123.

The output of this request is cached in files on the server. Files are stored in the folder:
<Web application name>/Smidge/Cache/<Hostname>/<Version>.

By manipulating the version parameter in the request, you can control where the files are stored.
Based on the response to the HTTP request, you can tell whether a folder exists or not. This can be used, for example, to enumerate users in “C:\Users\”. It is also possible to specify a unique version string for each request, each of which allocates file storage on the server, which ultimately depletes the available storage. This can be exploited by unauthenticated users.
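To make the root cause concrete for .NET developers, here is an added example that is not Smidge's code and not a reconstruction of its internals (the advisory does not show how the library builds the cache path): a hypothetical cache-path builder that combines an untrusted version segment as-is, beside a hardened one that allowlists the segment and then verifies the resolved path is still inside the cache root. The cache root, the allowed character set, the method names and the sample versions are all assumptions made for this illustration.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Added example, not Smidge's code: how an unvalidated "version" segment can
// redirect a cache path, and one way to constrain it.
public static class CacheVersionPaths
{
    // Assumed allowlist for a version segment: letters, digits, '.', '_', '-',
    // not starting with '.', at most 64 characters. \A and \z anchor the whole
    // string so a trailing newline cannot slip past the check.
    private static readonly Regex SafeVersion =
        new Regex(@"\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z");

    // Weak pattern (constructed for illustration): the version is combined as-is.
    // Path.Combine returns the second argument unchanged when it is rooted, so on
    // Windows a version of "c:\users\John" replaces the cache root entirely.
    public static string BuildCachePathUnchecked(string cacheRoot, string version)
    {
        return Path.Combine(cacheRoot, version);
    }

    // Hardened pattern: reject anything outside the allowlist, then confirm the
    // fully resolved path is still beneath the cache root (defence in depth
    // against separators or encodings the allowlist author did not anticipate).
    public static bool TryBuildCachePath(string cacheRoot, string version, out string fullPath)
    {
        fullPath = string.Empty;
        if (version == null || !SafeVersion.IsMatch(version))
            return false;

        string root = Path.GetFullPath(cacheRoot)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, version));

        // OrdinalIgnoreCase matches Windows file-system semantics; use Ordinal
        // on a case-sensitive file system.
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return false;

        fullPath = candidate;
        return true;
    }

    public static void Main()
    {
        // Constructed sample cache root, following the layout the advisory describes.
        string cacheRoot = @"C:\inetpub\MyApp\Smidge\Cache\www.example.com";

        string[] versions =
        {
            "123",                  // legitimate version string
            @"c:\users\John",       // rooted: escapes the cache root when unchecked
            @"..\..\..\Users\John", // relative traversal
            "123%5Cevil",           // still URL-encoded: rejected by the allowlist
        };

        foreach (string version in versions)
        {
            string naive = BuildCachePathUnchecked(cacheRoot, version);
            string hardened = TryBuildCachePath(cacheRoot, version, out string p) ? p : "REJECTED";
            Console.WriteLine($"version   : {version}");
            Console.WriteLine($"  unchecked -> {naive}");
            Console.WriteLine($"  hardened  -> {hardened}");
        }
    }
}
```

Run it on Windows with `dotnet run` to see the rooted version replace the cache root on the unchecked line while the hardened builder rejects both traversal inputs; on Linux or macOS a drive-letter prefix is not rooted, so only the hardened rejections are visible there. The allowlist is the primary control and the GetFullPath comparison is the backstop; keeping both means a future change to the allowlist cannot silently reopen the traversal.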

Screenshots

1. No existing user.
Request with version string “c:\users\noexistinguser”. The error message refers to CreateDirectory, which can be interpreted as the folder (user) not existing. The version string needs to be URL-encoded.
[Screenshot: smidge-no-existing-user]

2. Existing user
Request with version string “c:\users\John”. The error message refers to CreateFile, which can be interpreted as the folder (user) existing.
[Screenshot: smidge-existing-user]

3. Writing to users folder
Request with version string “c:\users\WebAdmin”, which is an existing user on the web server. The image below shows the files in the user's folder before and after the request.
[Screenshot: smidge-write-to-users]

Affected versions
Up to 4.5.1

Summary of vulnerabilities

  • Arbitrary file creation (CWE-22)
  • Allocation of disk storage (CWE-770)
