The vulnerability is triggered when an unauthenticated user sends a Create or Update API request with an empty JSON body `{}` to the Omni Resource Service. The request is handled by the `resourceServerCreate` or `resourceServerUpdate` endpoint, which passes it to the `isSensitiveSpec` function. That function calls `grpcomni.CreateResource` without first checking whether the `resource.Metadata` field is nil. `CreateResource` then immediately reads `resource.Metadata.Version` to check whether it is an empty string. Because `resource.Metadata` is nil, this access is a nil pointer dereference, resulting in a segmentation fault and a panic that crashes the entire application process, leading to a Denial of Service. Create and update operations share the same code path, so both endpoints are vulnerable to a simple, unauthenticated request that requires no complex data manipulation.
Platform: Omni
Version: Pre-1.4.2
Vulnerability: DoS
Severity: High
Date: 2024-10-10
Prediction: 2024-10-24
What Undercode Say:
```bash
curl -X POST "https://target/api/omni.resources.ResourceService/Create" -H "Content-Type: application/json" -d '{}'
```

```go
func isSensitiveSpec(resource resapi.Resource) bool {
	res, err := grpcomni.CreateResource(resource) // Vulnerable call: Metadata is not checked first
	if err != nil {
		return false
	}
	// ... rest of the function is not shown in the source
}

func CreateResource(resource resources.Resource) (cosiresource.Resource, error) {
	if resource.Metadata.Version == "" { // Nil pointer dereference when Metadata is nil
		resource.Metadata.Version = "1"
	}
	// ... rest of the function is not shown in the source
}
```
How Exploit:
Send empty POST requests to the `/Create` and `/Update` API endpoints to trigger a nil pointer dereference, causing a server panic and denial of service.
Protection from this CVE
Patch the `isSensitiveSpec` function to include a nil check on the `resource` and `resource.Metadata` fields before proceeding with the call to `grpcomni.CreateResource`.
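The nil check described above, as an added Go example that is not Omni's code or its actual patch: `Resource` and `Metadata` are local stand-ins with assumed shapes, and all function names are hypothetical. The `recover` wrapper in `handle` goes one step beyond the nil check the page describes, as a second layer that keeps a missed dereference from ending the process.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Local stand-ins for the API types (assumed shapes, not Omni's definitions).
type Metadata struct{ Version string `json:"version"` }
type Resource struct{ Metadata *Metadata `json:"metadata"` }

var errNoMetadata = errors.New("resource metadata is required")

// createUnchecked mirrors the page's pattern: Metadata is read without a nil check.
func createUnchecked(r *Resource) (*Resource, error) {
	if r.Metadata.Version == "" { // panics when Metadata is nil
		r.Metadata.Version = "1"
	}
	return r, nil
}

// createChecked rejects a nil resource or nil Metadata before any field access.
func createChecked(r *Resource) (*Resource, error) {
	if r == nil || r.Metadata == nil {
		return nil, errNoMetadata
	}
	return createUnchecked(r)
}

// handle decodes a body and calls create; recover turns a panic into an error
// so a single malformed request cannot end the process.
func handle(body []byte, create func(*Resource) (*Resource, error)) (res *Resource, err error) {
	defer func() {
		if p := recover(); p != nil {
			res, err = nil, fmt.Errorf("recovered panic: %v", p)
		}
	}()
	var r Resource
	if err = json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	return create(&r)
}

func main() {
	_, err := handle([]byte(`{}`), createChecked) // constructed empty body
	fmt.Println("checked:", err)
}
```

A regression test for the fix should send `{}` through both the create and update paths, since the page states they share the same code.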
Impact:
Denial of Service, Server Crash.
Sources:
Reported By: github.com

