Glances, SQL Injection, CVE-2024-29189 (Critical)

Listen to this Post

The vulnerability exists in the TimescaleDB export module of Glances, a cross-platform system monitoring tool. The module constructs SQL INSERT queries by concatenating unsanitized system monitoring data directly into the query string. The root cause lies in the `normalize()` function (lines 79-93) which handles string values by wrapping them in single quotes without escaping any embedded single quotes. For example, a string value becomes f"'{value}'", so if `value` contains a single quote, it breaks the string context. These normalized values are then used to build a list of values for an INSERT statement (lines 201-205) via string formatting, and the final query is executed with `cur.execute()` without using parameterized queries. An attacker can control various monitored data points such as process names, filesystem mount points, network interface names, or container names. By crafting a malicious string containing a SQL injection payload (e.g., closing the single quote and appending arbitrary SQL commands), they can manipulate the database. The provided Proof of Concept (PoC) demonstrates this by creating a process with the name x'); COPY (SELECT version()) TO '/tmp/sqli_proof.txt' --, which, when monitored by Glances running as root with TimescaleDB export enabled, results in the execution of the injected SQL, writing the PostgreSQL version to a file. This allows an unprivileged local user to execute arbitrary SQL statements with the privileges of the Glances process (typically root), leading to data destruction (DROP TABLE, DELETE), data exfiltration (COPY TO), and potentially remote code execution via PostgreSQL extensions like COPY ... PROGRAM. The vulnerability affects all Glances versions prior to 4.0.1 that include the TimescaleDB export feature.

dailycve form:

Platform: Glances
Version: <=4.0.0
Vulnerability: SQL Injection
Severity: Critical
date: 2024-04-10

Prediction: Patched in 4.0.1

What Undercode Say:

Analytics:

Check Glances version: `glances –version`

Detect vulnerable installs: `grep -r “normalize.f\”‘{\$value}’\”” /usr/lib/python3/site-packages/glances/exports/glances_timescaledb/__init__.py`

Monitor process names for SQLi patterns: `ps aux | grep -E “‘.’\);(DROP|DELETE|COPY|INSERT|UPDATE|SELECT)”`

Exploit:

Create a process with SQL injection payload
exec -a "x'); COPY (SELECT version()) TO '/tmp/sqli_proof.txt' --" python3 -c 'import time; [sum(range(500000)) or time.sleep(0.01) for _ in iter(int, 1)]'
Run Glances as root with TimescaleDB export
sudo glances --export timescaledb --export-process-filter "." --time 5 --stdout cpu
Verify exploit
cat /tmp/sqli_proof.txt

Protection from this CVE:

Upgrade to Glances 4.0.1 or later: `pip install –upgrade glances`
If unable to upgrade, disable TimescaleDB export: remove `–export timescaledb` from invocation.
Use a firewall to restrict database access to trusted hosts only.
Monitor database logs for unexpected queries: `tail -f /var/log/postgresql/postgresql-.log | grep -E “COPY|DROP|DELETE|TRUNCATE”`

Impact:

  • Complete database compromise via SQL injection.
  • Data loss: tables can be dropped or truncated.
  • Data leakage: sensitive information can be exfiltrated using COPY ... TO.
  • Potential remote code execution on the database server through PostgreSQL’s `COPY … PROGRAM` if enabled.
  • Privilege escalation: any local user can become root (if Glances runs as root) and compromise the entire system.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top