Overview
An attacker with access to the SQL Lab and the ab_user and ab_user_role tables can elevate his privileges to become administrator.
Details
On a more general level, diverse tables who are supposed to be only readable can be modified using the WITH … AS and RETURNING keywords.
Modification of the table key_value can also be done, which could lead to a Remote Code Execution (cf. "V7 - Insecure deserialization leading to remote code execution" report vulnerability).
Proof of Concept
Some tables are supposed to accept only SELECT requests from the SQL tab.
- Attempt to create a new user injected_admin into the ab_user table: PoC_1
But this protection can be bypassed by using the WITH … AS () syntax with RETURNING value after the INSERT / UPDATE / DELETE query.
INSERT query accepted by the database due to the use of WITH … AS ( … RETURNING ) syntax:
WITH a AS ( INSERT INTO ab_user (id, first_name, last_name, username, email, password) VALUES (2, ‘injected_admin’, ‘injected_admin’, ‘injected_admin’, ‘[email protected]’, ‘{PASSWORD_HASH}’) RETURNING id ) SELECT * FROM a;
PoC_2
- injected_admin added to the ab_user table: PoC_3
This method can also be used with UPDATE or DELETE request. A user with access to SELECT on the tables ab_user_role can escalate his privilege to become administrator.
- Locating the ID of the user ‘Auditeur B’, who has no rights and is not an admin. The request is done being ‘Auditeur B’: PoC_4
- Locating the rows that keep the role of the user ‘Auditeur B’. The row 36 stores the value 3, indicating the role ‘Alpha’ for ‘Auditeur B’: PoC_5
- Modification of the row 36 with an UPDATE request embedded in a WITH request: PoC_6
- ‘Auditeur B’ role has been changed to Admin: PoC_7
This technique can also be used to inject or modify values of the table key_value, which can potentially lead to a Remote Code Execution (cf. ...).
Solution
Orange recommendation
To fix this vulnerability, we recommends reenforcing the SELECT filter to spot INSERT / UPDATE / DELETE keywords even in WITH requests.
Security patch
Upgrade to Superset version 2.1.2.
References
https://nvd.nist.gov/vuln/detail/CVE-2023-40610
https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot
Credits
LEXFO for Orange Innovation
Orange CERT-CC at Orange group
Timeline
Date reported: July 27, 2023
Date fixed: November 27, 2023
References
Overview
An attacker with access to the SQL Lab and the ab_user and ab_user_role tables can elevate his privileges to become administrator.
Details
On a more general level, diverse tables who are supposed to be only readable can be modified using the WITH … AS and RETURNING keywords.
Modification of the table key_value can also be done, which could lead to a Remote Code Execution (cf. "V7 - Insecure deserialization leading to remote code execution" report vulnerability).
Proof of Concept
Some tables are supposed to accept only SELECT requests from the SQL tab.
But this protection can be bypassed by using the WITH … AS () syntax with RETURNING value after the INSERT / UPDATE / DELETE query.
INSERT query accepted by the database due to the use of WITH … AS ( … RETURNING ) syntax:
WITH a AS ( INSERT INTO ab_user (id, first_name, last_name, username, email, password) VALUES (2, ‘injected_admin’, ‘injected_admin’, ‘injected_admin’, ‘[email protected]’, ‘{PASSWORD_HASH}’) RETURNING id ) SELECT * FROM a;
PoC_2
This method can also be used with UPDATE or DELETE request. A user with access to SELECT on the tables ab_user_role can escalate his privilege to become administrator.
This technique can also be used to inject or modify values of the table key_value, which can potentially lead to a Remote Code Execution (cf. ...).
Solution
Orange recommendation
To fix this vulnerability, we recommends reenforcing the SELECT filter to spot INSERT / UPDATE / DELETE keywords even in WITH requests.
Security patch
Upgrade to Superset version 2.1.2.
References
https://nvd.nist.gov/vuln/detail/CVE-2023-40610
https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot
Credits
LEXFO for Orange Innovation
Orange CERT-CC at Orange group
Timeline
Date reported: July 27, 2023
Date fixed: November 27, 2023
References