DTStack Taier
cpe:2.3:a:dtstack:taier:*:*:*:*:*:*:*
- <= 1.4.0
An authentication bypass vulnerability has been identified in DTStack Taier versions through 1.4.0. The issue resides in the LoginInterceptor component, specifically within the preHandle function. This vulnerability allows unauthenticated users to execute arbitrary code on the server with root privileges. The exploitation process involves bypassing authentication, injecting malicious JDBC URLs, and leveraging vulnerable PostgreSQL JDBC driver versions to execute commands remotely.
Exploitation of this vulnerability allows for unauthenticated remote code execution as the root user, potentially leading to a complete takeover of the server.
To reproduce this vulnerability, deploy DTStack Taier using the official Docker image. After the deployment, set a cookie to bypass authentication. Then, add a component configuration that includes a malicious JDBC URL pointing to an attacker-controlled server. Finally, use the injected URL to execute commands on the server via the PostgreSQL JDBC driver.
Users are advised to upgrade to DTStack Taier versions after 1.4.0, where this vulnerability has been addressed.
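As a defense-in-depth check for the JDBC URL step described above, the following added example (not code from the Taier project or the original advisory) validates a user-supplied PostgreSQL JDBC URL against an allowlist of hosts and connection properties before it reaches the driver. The class name, host values and property allowlist are assumptions chosen for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class JdbcUrlGuard {
    // Assumption: hosts the service may legitimately connect to (constructed values).
    static final Set<String> ALLOWED_HOSTS = Set.of("pg.internal.example", "10.0.0.12");
    // Assumption: the only connection properties this deployment needs.
    static final Set<String> ALLOWED_PARAMS =
            Set.of("ssl", "sslmode", "currentSchema", "ApplicationName", "connectTimeout");

    // True only for single-host PostgreSQL URLs whose host and every property are allowlisted.
    static boolean isAllowed(String jdbcUrl) {
        if (jdbcUrl == null || !jdbcUrl.startsWith("jdbc:postgresql://")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(jdbcUrl.substring("jdbc:".length()));
        } catch (URISyntaxException e) {
            return false; // unparsable input fails closed
        }
        // getHost() is null for multi-host or otherwise unusual authorities: reject those too.
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return false;
        }
        String query = uri.getRawQuery();
        if (query == null || query.isEmpty()) {
            return true;
        }
        // Compare raw names: a percent-encoded or unknown property name never matches.
        for (String pair : query.split("&")) {
            String name = pair.split("=", 2)[0];
            if (!ALLOWED_PARAMS.contains(name)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed sample inputs
            "jdbc:postgresql://pg.internal.example:5432/taier?sslmode=require",
            "jdbc:postgresql://db.untrusted.example:5432/taier",
            "jdbc:postgresql://pg.internal.example:5432/taier?unknownProperty=x" };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "ALLOW  " : "REJECT ") + s);
        }
    }
}
```

This check narrows what a component configuration can point the driver at; it does not address the authentication bypass itself, for which the upgrade remains the fix.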