Merge pull request #252 from JD2344/apache_druid

Add apache Druid Exploit

modules/vulnerabilities/unix/http/apache_druid_rce/apache_druid_rce.pp

@@ -0,0 +1,9 @@
+# Apache Druid 0.20 - RCE 
+# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_druid_js_rce.rb
+# https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/apache_druid_js_rce.md
+contain apache_druid_rce::install
+contain apache_druid_rce::configure
+contain apache_druid_rce::service
+Class['apache_druid_rce::install']
+-> Class['apache_druid_rce::configure']
+-> Class['apache_druid_rce::service']

modules/vulnerabilities/unix/http/apache_druid_rce/files/stretch.list

@@ -0,0 +1,2 @@
+deb http://deb.debian.org/debian/ stretch main
+deb-src http://deb.debian.org/debian stretch main

modules/vulnerabilities/unix/http/apache_druid_rce/manifests/configure.pp

@@ -0,0 +1,20 @@
+# Class: apache_druid_rce::configure
+# Configuration for apache druid
+#
+class apache_druid_rce::configure {
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $user = $secgen_parameters['leaked_username'][0]
+  $leaked_filenames = $secgen_parameters['leaked_filenames']
+  $strings_to_leak = $secgen_parameters['strings_to_leak']
+
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+
+  ::secgen_functions::leak_files { 'druid-flag-leak':
+    storage_directory => "/home/${user}",
+    leaked_filenames  => $leaked_filenames,
+    strings_to_leak   => $strings_to_leak,
+    owner             => $user,
+    mode              => '0750',
+    leaked_from       => 'apache_druid_rce',
+  }
+}

modules/vulnerabilities/unix/http/apache_druid_rce/manifests/install.pp

@@ -0,0 +1,74 @@
+# Class: apache_druid_rce::install
+# Install process for apache druid RCE
+# https://archive.apache.org/dist/druid/0.20.0/
+class apache_druid_rce::install {
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+  $modulename = 'apache_druid_rce'
+
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $port = $secgen_parameters['port'][0]
+  $user = $secgen_parameters['leaked_username'][0]
+  $user_home = "/home/${user}"
+
+  # Create user
+  user { $user:
+    ensure     => present,
+    home       => $user_home,
+    managehome => true,
+  }
+
+  # This generates a repo file so we can get packages from debian stretch
+  file { '/etc/apt/sources.list.d/stretch.list':
+    ensure => file,
+    source => "puppet:///modules/${modulename}/stretch.list"
+  }
+  -> exec { 'update-packages':
+    command => 'apt update'
+  }
+  -> package { 'install-jdk8':
+    ensure => 'installed',
+    name   => 'openjdk-8-jdk',
+  }
+  # openjdk8 is required. Since we are buster, we need the repos within stretch for this
+  #ensure_packages(['openjdk-8-jdk'], { ensure => 'installed'})
+
+  $releasename = "${modulename}.tar.gz"
+  $currentsource = ["${releasename}.partaa",
+    "${releasename}.partab",
+    "${releasename}.partac",
+    "${releasename}.partad",
+    "${releasename}.partae",
+    "${releasename}.partaf",
+    "${releasename}.partag"]
+
+  $currentsource.each |String $fsource| {
+    file { "/tmp/${fsource}":
+      ensure => file,
+      source => "puppet:///modules/${modulename}/${fsource}",
+    }
+  }
+
+  exec { 'rebuild-archive':
+    cwd     => '/tmp/',
+    command => "cat ${releasename}.parta* > ${releasename}",
+  }
+  -> exec { 'unpack-druid':
+    cwd     => '/tmp',
+    command => "tar -xf ${releasename}",
+    creates => '/tmp/apache-druid-0.20.0',
+  }
+  -> exec { 'move-druid':
+    cwd     => '/tmp',
+    command => 'mv apache-druid-0.20.0 /usr/local/apache-druid/',
+    creates => '/usr/local/apache-druid'
+  }
+  -> exec { 'chmod-druid':
+    command => 'chmod -R 777 /usr/local/apache-druid/bin/',
+  }
+  -> exec { 'chown-druid':
+    command => "chown -R ${user}:${user} /usr/local/apache-druid/",
+  }
+  -> exec { 'change-port':
+    command => "sed -i 's/8888/${port}/' /usr/local/apache-druid/conf/druid/single-server/nano-quickstart/router/runtime.properties",
+  }
+}

modules/vulnerabilities/unix/http/apache_druid_rce/manifests/service.pp

@@ -0,0 +1,17 @@
+# Class: apache_druid_rce::service
+# Service behaviour
+#
+class apache_druid_rce::service {
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $user = $secgen_parameters['leaked_username'][0]
+
+  file { '/etc/systemd/system/druid.service':
+    content => template('apache_druid_rce/druid.service.erb'),
+    owner   => 'root',
+    mode    => '0755',
+  }
+  -> service { 'druid':
+    ensure => running,
+    enable => true,
+  }
+}

modules/vulnerabilities/unix/http/apache_druid_rce/secgen_metadata.xml

@@ -0,0 +1,58 @@
+<?xml version="1.0"?>
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+
+    <name>Apache Druid 0.20.0 RCE</name>
+    <author>James Davis</author>
+    <module_license>MIT</module_license>
+    <description>Apache Druid includes the
+        ability to execute user-provided JavaScript code embedded
+        in various types of requests; however, that feature is disabled by default.
+        In Druid versions prior to `0.20.1`, an authenticated user can send a specially-crafted
+        request that both enables the JavaScript code-execution feature and executes the supplied
+        code all at once, allowing for code execution on the server with the privileges of the Druid
+        Server process. More critically, authentication is not enabled in Apache Druid by default.</description>
+
+    <type>http</type>
+    <privilege>user_rwx</privilege>
+    <access>remote</access>
+    <platform>linux</platform>
+    <difficulty>low</difficulty>
+
+    <read_fact>port</read_fact>
+    <read_fact>strings_to_leak</read_fact>
+    <read_fact>leaked_filenames</read_fact>
+
+    <default_input into="port">
+        <generator module_path=".*/random_unregistered_port" />
+    </default_input>
+
+    <!-- flags or other secrets exposed after exploitation -->
+    <default_input into="strings_to_leak">
+        <generator type="message_generator" />
+    </default_input>
+
+    <default_input into="leaked_filenames">
+        <generator type="filename_generator" />
+    </default_input>
+
+    <default_input into="leaked_username">
+        <value>druid</value>
+    </default_input>
+
+    <!--optional
+    vulnerability details-->
+    <cve>CVE-2021-25646</cve>
+    <cvss_base_score>8.8</cvss_base_score>
+    <cvss_vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</cvss_vector>
+    <reference>
+        https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_druid_js_rce.rb</reference>
+    <reference>
+        https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/apache_druid_js_rce.md</reference>
+    <reference>https://archive.apache.org/dist/druid/0.20.0/</reference>
+    <reference>https://github.com/apache/druid</reference>
+    <software_name>Apache Druid</software_name>
+    <software_license>Apache License 2.0</software_license>
+
+</vulnerability>

modules/vulnerabilities/unix/http/apache_druid_rce/templates/druid.service.erb

@@ -0,0 +1,14 @@
+[Unit]
+Description=Apache Druid Nano Quickstart
+After=network.target
+
+[Service]
+Type=simple
+User=<%= @user %>
+WorkingDirectory=/usr/local/apache-druid/
+ExecStart=/usr/local/apache-druid/bin/start-nano-quickstart
+Restart=always
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target

scenarios/examples/vulnerability_examples/apache_druid.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+    <system>
+        <system_name>druid</system_name>
+        <base distro="Debian 10" type="desktop" name="KDE" />
+
+        <vulnerability module_path=".*/apache_druid_rce" />
+
+        <network type="private_network" range="dhcp" />
+    </system>
+
+</scenario>