9

CVE-2021-45456 Apache Kylin 命令注入

 2 years ago
source link: https://y4er.com/post/cve-2021-45456-apache-kylin-command-injection/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
1 min read

CVE-2021-45456 Apache Kylin 命令注入

2022-01-13 代码审计 CVE Kylin

ubuntu docker 8g

docker pull apachekylin/apache-kylin-standalone:4.0.0

docker run -d \
-m 8G \
-p 7070:7070 \
-p 8088:8088 \
-p 50070:50070 \
-p 8032:8032 \
-p 8042:8042 \
-p 2181:2181 \
-p 5005:5005 \
apachekylin/apache-kylin-standalone:4.0.0

5005是远程调试端口

Kylin 页面:http://127.0.0.1:7070/kylin/login admin KYLIN HDFS NameNode 页面:http://127.0.0.1:50070 YARN ResourceManager 页面:http://127.0.0.1:8088

具体看官方的docker安装文档 https://kylin.apache.org/cn/docs/install/kylin_docker.html

远程调试配置,修改 /home/admin/apache-kylin-4.0.0-bin-spark2/bin/kylin.sh

在retrieveStartCommand函数修改

$JAVA ${KYLIN_EXTRA_START_OPTS} ${KYLIN_TOMCAT_OPTS} -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005 -classpath ${KYLIN_TOMCAT_CLASSPATH}  org.apache.catalina.startup.Bootstrap start >> ${KYLIN_HOME}/logs/kylin.out 2>&1 & echo $! > ${KYLIN_HOME}/pid &

org.apache.kylin.rest.controller.DiagnosisController#dumpProjectDiagnosisInfo

1.png

跟进dumpProjectDiagnosisInfo

2.png

这里getProject()通过ValidateUtil.convertStringToBeAlphanumericUnderscore(project)处理,但是runDiagnosisCLI(args)中接受的cmd参数仍然是通过project传过来的,相当于命令行可控。

而且getProject(ValidateUtil.convertStringToBeAlphanumericUnderscore(project))将传入的命令进行如下处理。将除数字字母下划线以外的东西替换为空。比如传入命令为 touch 123,将被替换为touch123

    public static String convertStringToBeAlphanumericUnderscore(String toBeConverted) {
        return toBeConverted.replaceAll("[^a-zA-Z0-9_]", "");
    }

刚好解决projectInstance==null抛出异常的问题。

        if (null == projectInstance) {
            throw new BadRequestException(
                    String.format(Locale.ROOT, msg.getDIAG_PROJECT_NOT_FOUND(), project));
        }

最后执行的命令如下

3.png

再来看创建项目的地方

org.apache.kylin.rest.controller.ProjectController#saveProject

4.png

项目名进行ValidateUtil.isAlphanumericUnderscore()校验,不能有数字字母下划线以外的东西。

5.png

完整的利用方式如下,以执行命令touch 123为例

先创建项目,项目名为touch123

6.png

接下来触发命令执行

7.png

8.png

git的diff

9.png

传入cmd的参数改为projectName而非http传入的project,projectName经过了convertStringToBeAlphanumericUnderscore() 处理,所以无法输入非字母数字下划线的字符来触发命令执行。

巧妙利用两个函数对于参数处理的特性来进行命令执行,值得一学。

  1. https://securitylab.github.com/advisories/GHSL-2021-1048_GHSL-2021-1051_Apache_Kylin/

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK