# Vulnerability: GLPI SQL Injection Leading to Potential RCE via Session Bypass
## CVE Details
- CVE ID: **CVE-2024-37149** (implied: the disclosure timeline mentions this CVE against the newly patched version in connection with the SQLi issue described). *Note: the article describes the discovery of a patch bypass that leads to a further exploit and references earlier CVEs (CVE-2023-41320, CVE-2023-43813). The finally disclosed vulnerability is associated with the 10.0.16 patch release.*
- CVSS Score: **Not explicitly stated**, but an authenticated SQL injection leading to path traversal/RCE suggests a **High** score (likely 8.0+).
- CWE: **CWE-89** (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')) and potentially **CWE-20** (Improper Input Validation) for the complex bypass.
## Affected Systems
- Products: **GLPI**
- Versions: **Prior to 10.0.15 / 10.0.16** (The patch for the original SQLi was in 10.0.15, but the patch bypass leading to the final CVE was addressed in 10.0.16).
- Configurations: Authenticated users (Self-Service role or higher) that can perform database CRUD operations, especially utilizing functions that process inputs through `json_encode` or `_exportArrayToDB_`. The bypass relies on variables initialized from the database (e.g., `savedsearches_pinned` in `$_SESSION`).
## Vulnerability Description
This vulnerability is a **patch bypass** for a previously identified SQL injection (related to CVE-2023-43813 and similar issues). It stems from flawed input sanitization in GLPI's custom ORM layer, specifically the interplay of `Sanitizer::dbEscape` and `json_encode`.
The initial SQLi arose because the sanitization applied to POST variables could be defeated by crafted inputs containing backslashes: the escaping added by `addslashes()` was undermined by the subsequent JSON encoding/decoding, so single quotes were no longer properly escaped by the time the value reached the query.
The bypass found in this research exploits the fact that the patch only covered input arriving via **`$_POST`**. An attacker can still inject payloads through variables held in **`$_SESSION`** that are populated by GLPI's database-backed session initialization routine (`Session::init`), specifically fields loaded from the database into the session (e.g., `savedsearches_pinned`). By manipulating database data that is reflected back into the session, the attacker obtains an authenticated SQL injection, which the article suggests can be escalated to **Remote Code Execution (RCE)**.
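As an added illustration (not code from the page or from GLPI), the following Python model shows the escape-ordering defect described above: a PHP-style `addslashes()` escape applied before JSON encoding is undone when the encoder doubles the backslash, so a single quote in the value ends the MySQL string literal early, whereas escaping once after encoding keeps the literal intact. `addslashes`, `literal_breaks_out` and the two ordering functions are simplified models assumed here, and the sample value is constructed.

```python
import json

def addslashes(s: str) -> str:
    """Simplified model of PHP's addslashes(): backslash-escape \\, ', \" and NUL."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\x00", "\\0"))

def literal_breaks_out(body: str) -> bool:
    """Scan text that would sit between the quotes of a MySQL single-quoted
    literal (backslash escapes enabled, the default). Return True if an
    unescaped quote ends the literal early, leaving the remainder to be
    parsed as SQL; that is the injection condition the report describes."""
    i = 0
    while i < len(body):
        c = body[i]
        if c == "\\" or (c == "'" and body[i + 1:i + 2] == "'"):
            i += 2          # backslash escape or doubled quote: skip the pair
            continue
        if c == "'":
            return True
        i += 1
    return False

def escape_then_encode(values: list) -> str:
    """Defective ordering described in the report: escape each value, then
    JSON-encode the array. json.dumps doubles the backslash that addslashes
    added, so the quote it was protecting is exposed again."""
    return json.dumps([addslashes(v) for v in values])

def encode_then_escape(values: list) -> str:
    """Safe ordering: JSON-encode first, then escape the resulting string once.
    (Bound query parameters would avoid manual escaping altogether.)"""
    return addslashes(json.dumps(values))

# Constructed sample. The defect is the same whether the value arrived in
# $_POST or was loaded from the database into $_SESSION, which is why a
# POST-only patch leaves the session-sourced path exposed.
SAMPLE = ["O'Reilly"]

if __name__ == "__main__":
    for name, fn in (("escape-then-encode", escape_then_encode),
                     ("encode-then-escape", encode_then_escape)):
        body = fn(SAMPLE)
        print(f"{name}: '{body}' -> breaks out: {literal_breaks_out(body)}")
```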
## Exploitation
- Status: **PoC available** (the research is described in detail and leads to an RCE scenario).
- Complexity: **Medium** (Requires prior authentication and knowledge of GLPI's internal session initialization routines to craft the bypass payload).
- Attack Vector: **Network** (Authenticated access required).
## Impact
- Confidentiality: **High** (Allows data exfiltration via SQLi).
- Integrity: **High** (Allows unauthorized modification of data via SQLi).
- Availability: **Medium/High** (Potential for DoS or server compromise leading to total system unavailability).
## Remediation
### Patches
- **GLPI 10.0.16** is the version released to address the final discovery associated with this research path. Users should ensure they are running this version or later.
### Workarounds
1. **Disable API Token Login:** If API tokens are not required, disable the configuration that allows login using them.
2. **Principle of Least Privilege:** Ensure user accounts, especially 'Self-Service' users, have only the minimum necessary permissions enforced within GLPI, even though the vulnerability is authenticated.
## Detection
- **Indicators of Compromise (IoCs):** Look for unusual database interactions originating from user session processing, especially when updating objects that interact with the ORM (e.g., search pins, user preferences).
- **Detection Methods and Tools:** Web Application Firewalls (WAFs) or monitoring of sensitive endpoints configured to flag suspicious sequences of quotes, backslashes and JSON control characters within authenticated requests or session data; tailored signatures may be needed to catch the exact bypass mechanism. Monitor application logs for SQL errors or unexpected application behaviour immediately following user operations.
## References
- Vendor advisories: the timelines mentioned suggest the final advisory and patch were released in July 2024.
- Relevant links:
  - Prior PoC linked from the article: https://github.com/Guilhem7/CVE_2023_41320
  - Quarkslab article: https://blog.quarkslab.com/exploiting-glpi-during-a-red-team-engagement.html
  - Download link for the vulnerable version used as evidence: https://github.com/glpi-project/glpi/releases/download/10.0.14/glpi-10.0.14.tgz