WeKnora Remote Code Execution Vulnerability via SQL Injection Bypass
Vulnerability
A remote code execution vulnerability has been identified in WeKnora versions prior to 0.2.12. The issue arises in the application's database query functionality, where the SQL validation layer does not recursively inspect the child nodes of PostgreSQL array and row expressions. This oversight allows attackers to bypass SQL injection protections by embedding harmful PostgreSQL functions inside these expressions. Exploitation involves chaining these functions with large object operations and library loading capabilities, enabling an unauthenticated attacker to execute arbitrary code on the database server with the privileges of the database user.
Impact
Successful exploitation allows for complete system compromise through arbitrary code execution on the database server, with the potential to extract sensitive data, modify database records, disrupt service, establish persistence, and pivot to other connected systems.
Reproduction
The vulnerability can be reproduced by sending a crafted SQL query that includes dangerous PostgreSQL functions smuggled inside array or row expressions. This query can bypass the application's SQL validation framework, which fails to properly handle these expression types. Once the payload is executed, the embedded functions can be used to read files or execute commands on the server.
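The following is an added illustration of the validation flaw described above, not code from WeKnora and not a real PostgreSQL parse tree. It models a query's WHERE expression as a small constructed AST and contrasts a shallow validator that treats ARRAY[...] and ROW(...) constructors as opaque (the class of bug in the advisory) with a hardened validator that walks every child of every node and rejects any function call not on an allowlist. The node shapes, the allowlist, and the function name `not_allowed_fn` are all constructed for this example.

```python
"""Recursive SQL-expression validator illustrating the child-node oversight.

Hypothetical example: the AST shape below is constructed for this page; it
is neither WeKnora's validator nor PostgreSQL's parse tree.
"""

# Functions the application is willing to let a query call (deny by default).
ALLOWED_FUNCTIONS = frozenset({"lower", "upper", "coalesce", "count", "length"})

# Node shapes used by this example (constructed, not real parser output):
#   ("func", name, [children])   function call
#   ("array", [children])        ARRAY[...] constructor
#   ("row", [children])          ROW(...) constructor
#   ("binop", op, left, right)   binary operator
#   ("col", name) / ("lit", value)


def _children(node):
    """Return the child nodes of any node kind; unknown kinds are an error."""
    kind = node[0]
    if kind == "func":
        return node[2]
    if kind in ("array", "row"):
        return node[1]
    if kind == "binop":
        return [node[2], node[3]]
    if kind in ("col", "lit"):
        return []
    raise ValueError(f"unknown node kind: {kind}")  # deny by default


def shallow_validate(node) -> bool:
    """Flawed check: inspects function calls but treats ARRAY/ROW as opaque.

    This reproduces the class of bug described in the advisory: a function
    call nested inside an array or row constructor is never examined.
    """
    kind = node[0]
    if kind == "func":
        if node[1].lower() not in ALLOWED_FUNCTIONS:
            return False
        return all(shallow_validate(c) for c in node[2])
    if kind == "binop":
        return shallow_validate(node[2]) and shallow_validate(node[3])
    # BUG: array and row constructors (and anything else) pass without descent.
    return True


def validate(node) -> bool:
    """Hardened check: visits every child of every node kind, deny by default."""
    stack = [node]
    while stack:
        current = stack.pop()
        if current[0] == "func" and current[1].lower() not in ALLOWED_FUNCTIONS:
            return False
        try:
            stack.extend(_children(current))
        except ValueError:
            return False  # unrecognised node kind: refuse rather than guess
    return True


# Constructed sample: a disallowed call hidden inside ARRAY[...] inside ROW(...).
SMUGGLED = ("binop", "=",
            ("col", "id"),
            ("row", [("array", [("func", "not_allowed_fn", [("lit", "x")])])]))

# Constructed benign sample: lower(name) = 'alice'.
BENIGN = ("binop", "=", ("func", "lower", [("col", "name")]), ("lit", "alice"))


if __name__ == "__main__":
    print("shallow accepts smuggled:", shallow_validate(SMUGGLED))  # True (bug)
    print("recursive accepts smuggled:", validate(SMUGGLED))         # False
    print("recursive accepts benign:", validate(BENIGN))             # True
```

The practical lesson is that a validator must enumerate children for every node kind it knows and refuse every node kind it does not; a default branch that returns "valid" for unrecognised constructs is exactly where a constructor such as ARRAY or ROW slips through. Allowlisting function names, as done here, is stronger than denylisting known-dangerous ones because newly added or overlooked functions are rejected by default.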
Remediation
Users are advised to update WeKnora to version 0.2.12 or later. Additionally, PostgreSQL configurations should be reviewed to disable dynamic library loading and restrict database users to SELECT-only permissions.