CVE-2022-39323: Time-Based Attack Exploiting SQL Injection in GLPI's api REST user_token

The open-source IT asset management tool, Gestionnaire Libre de Parc Informatique (GLPI), recently discovered a security vulnerability affecting its use of the api REST user token. Identified as CVE-2022-39323, this critical bug allows malicious actors to execute time-based attacks and exploit SQL injection vulnerabilities.

To address the issue, the GLPI team has released a security patch in version 10..4, which should be immediately implemented by all users. As an alternative workaround, users may temporarily disable the login functionality using the api REST user token.

In this post, we will provide an in-depth look at the vulnerability, code snippets illustrating the issue, and details on the exploit. We will also share links to essential resources, such as the original references.

CVE-2022-39323: Vulnerability Details

A security flaw within the GLPI's api REST user_token implementation enables attackers to execute a time-based attack. By exploiting this vulnerability, an attacker can potentially gain unauthorized access to sensitive data, perform unauthorized actions, and compromise the targeted system.

The vulnerability is the result of improper handling of SQL queries and a lack of appropriate security measures. Attackers can use specially crafted payloads to manipulate database queries, potentially leading to severe consequences.

Code Snippet

Within the affected GLPI code, there is a lack of proper checks when using user-supplied data in SQL queries:

$query = "SELECT * FROM glpi_users WHERE user_token = '". $user_token ."'";
$result = $mysqli->query($query);

Exploit Details

The exploit takes advantage of the lack of proper input validation, as illustrated in the provided code snippet. Attackers can send specially crafted requests to the api REST endpoint, using payloads that manipulate the SQL query execution time:

Example payload

"user_token":"1' AND SLEEP(5)--"

In this particular payload, the SLEEP(5) function is inserted into the SQL query, causing the database to pause for 5 seconds before returning a response. By using a series of payloads with varying delay times, attackers can execute time-based attacks to deduce and exploit the vulnerable database further.

Mitigation and Recommendations

To address this vulnerability, GLPI has released version 10..4, which includes a security fix for the issue. Users should upgrade their installations as soon as possible. If an immediate upgrade is not possible, users should disable login using the api REST user_token feature temporarily.

// Disable REST API user_token login
define('GLPI_DISABLE_REMEMBER_ME', true);

For more details on this vulnerability and the security patch, kindly refer to the following links

1. GLPI's GitHub repository: https://github.com/glpi-project/glpi
2. CVE-2022-39323 official CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39323
3. GLPI's API REST documentation: https://glpi-install.readthedocs.io/en/latest/rest.html
4. SQL injection prevention reference: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

In summary, CVE-2022-39323 is a critical security vulnerability affecting GLPI's api REST user_token implementation. Users should take immediate action to upgrade their installations to version 10..4 or disable the API's user_token login feature to mitigate potential exploitation. Staying informed and vigilant is essential to maintaining the security and integrity of your IT assets.

Timeline

Published on: 11/03/2022 15:15:00 UTC
Last modified on: 11/03/2022 18:28:00 UTC