SSTI in ERPNext 12
There are many pages/blogs talking about the authenticated SSTI vulnerability in ERPNext, but all of them target the email template functionality. The generate_message_preview function is also vulnerable and exploitable by an authenticated user.
Below you can see the source code of the said function:
On line 403 we can see the "whitelist" decorator, which simply means that this function can be called from a web request. However, because the allow_guest = True parameter is not passed, this method can only be called by authenticated users.
On the image we can also see that the method accepts an optional parameter named message, and that this parameter is passed directly to the frappe.render_template method on line 407. The render_template method is responsible for parsing and rendering the input as a template, and it is the root cause of the SSTI vulnerability: user-controlled text becomes the template itself rather than data inserted into a fixed template. This has already been described many times in other posts.
In our case, in order to exploit the generate_message_preview function, we need to reach line 407 without errors, and to do so we have to specify a valid reference_dt and reference_doc parameter.
If we go to the definition of the frappe.get_doc method we see a very helpful example:
Specifically, on line 726 of the frappe __init__.py file, we see an example of how to get an existing document, together with some sample parameters (keep in mind that the frappe framework follows the MVC model and refers to its internal building blocks as docs).
If we try to use the same parameters in our case, we get an error simply because the specified ToDo task does not exist:
To move forward with our exploit, we can create a new ToDo task in the web UI and use it as our reference:
Note that the following web request contains the exact ToDo ID shown in the URL of the previous screenshot:
This time no errors are thrown and our SSTI payload gets executed.
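From the defender's side, the request shape described above (an authenticated call to the whitelisted generate_message_preview method with a valid reference_dt/reference_doc pair and template syntax in message) is easy to hunt for in web server logs. The following detector is an added example written for this post; it is not code from ERPNext, Frappe, or the original author. It assumes access-log lines of the form `<ip> <user> "<VERB> <path>?<query>"` and that the method is reached through Frappe's /api/method/<dotted.path> route, so only the trailing function name is matched; the dotted module path and the ToDo ID in the sample lines are placeholders, and the log lines themselves are constructed.

```python
"""Flag generate_message_preview requests whose `message` carries Jinja syntax.

Added example, not part of the original post or the Frappe project.
Assumptions: access-log lines look like `<ip> <user> "<VERB> <target>"`, and the
whitelisted method is exposed at /api/method/<module.path.generate_message_preview>.
Only GET query strings are inspected; POST bodies do not appear in an access log.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Jinja2 delimiters. `message` is rendered as the template itself, so any of these
# in user-supplied input means the template engine is being driven by the caller.
TEMPLATE_MARKERS = ("{{", "{%", "{#")

TARGET_FUNCTION = "generate_message_preview"

LOG_LINE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) "(?P<verb>[A-Z]+) (?P<target>\S+)"')

# Constructed sample log; MODULE_PATH_PLACEHOLDER and TODO-PLACEHOLDER are not real values.
SAMPLE_LOG = [
    '10.0.0.5 Administrator "GET /api/method/MODULE_PATH_PLACEHOLDER.generate_message_preview'
    '?reference_dt=ToDo&reference_doc=TODO-PLACEHOLDER&message=Hello+team"',
    '10.0.0.9 eve "GET /api/method/MODULE_PATH_PLACEHOLDER.generate_message_preview'
    '?reference_dt=ToDo&reference_doc=TODO-PLACEHOLDER&message=%7B%7B+7*7+%7D%7D"',
    '10.0.0.9 eve "GET /api/method/frappe.client.get_list?doctype=ToDo"',
    'garbage line that does not match the log format',
]


def is_preview_call(path):
    """True when the path targets the generate_message_preview whitelisted method."""
    return path.startswith("/api/method/") and path.rsplit(".", 1)[-1] == TARGET_FUNCTION


def contains_template_syntax(value):
    """True when a request parameter holds any Jinja2 block/variable/comment delimiter."""
    return any(marker in value for marker in TEMPLATE_MARKERS)


def flag_suspicious_previews(lines):
    """Return one finding per request that calls generate_message_preview with
    template syntax in `message`; reference_dt/reference_doc are kept so an
    analyst can see which document the caller used to get past the get_doc lookup."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not an access-log line in the assumed format
        parts = urlsplit(match.group("target"))
        if not is_preview_call(parts.path):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        message = params.get("message", [""])[0]
        if contains_template_syntax(message):
            findings.append({
                "ip": match.group("ip"),
                "user": match.group("user"),
                "reference_dt": params.get("reference_dt", [""])[0],
                "reference_doc": params.get("reference_doc", [""])[0],
                "message": message,
            })
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious_previews(SAMPLE_LOG):
        print(finding)
```

The detector keys on the function name rather than the full dotted path because the route prefix is the stable part of Frappe's API; the `user` field matters because, as noted above, the method refuses guests, so a hit always names an authenticated account. The durable fix is on the application side: keep the template fixed and pass `message` into the render context as data, so the engine never parses caller-supplied text as template source.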