漏洞信息
NVD - CVE-2022-24697
Kylin’s cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters. This vulnerability affects Kylin 2 version 2.6.5 and earlier, Kylin 3 version 3.1.2 and earlier, and Kylin 4 version 4.0.1 and earlier.
背景介绍
Kylin is a high concurrency, high performance and intelligent OLAP engine that provides low-cost and ultimate data analytics experience.
• 主页:https://kylin.apache.org/
• 源码:https://github.com/apache/kylin
环境搭建
$ docker pull apachekylin/apache-kylin-standalone:4.0.0
$ docker run -d \
-m 8G \
-p 7070:7070 \
-p 8088:8088 \
-p 50070:50070 \
-p 8032:8032 \
-p 8042:8042 \
-p 2181:2181 \
-p 5005:5005 \
apachekylin/apache-kylin-standalone:4.0.0
Kylin Web UI: http://127.0.0.1:7070/kylin/login
默认账号:admin、默认密码:KYLIN
【环境搭建】Apache Kylin 各个版本Docker搭建汇总-CSDN博客
【环境搭建】使用Dockerfile构建容器搭建Kylin特定版本-CSDN博客
漏洞复现
参考:kylin CVE-2022-24697 & CVE-2022-43396 - 先知社区
选择自带的项目learn_kylin,进入cube页面:
编辑kylin_sales_cube,点击Configuration Overwrites,新建一行数据,键值对如下所示,包含了恶意命令拼接:
kylin.engine.spark-conf.spark.driver.memory512M' `touch Mitch311` '
点击 Next 并 Save:
按照如下步骤进行build,日期随便选,最后Submit:
进入docker容器,可以看到恶意命令已经被执行:
$ docker exec -it <container ID> /bin/bash
$ ll
漏洞分析
进入runSparkSubmit方法内可以找到getSparkConfigOverride方法:
它调用了父类的同名方法:
查看super.getSparkConfigOverride(config),首先通过 config.getSparkConfigOverride() 方法获取Map<String, String> sparkConfigOverride 这个字典用来查询配置的键值对,因为可以看到后续会检查键名spark.driver.memory是否存在:
config.getSparkConfigOverride()方法,从全局配置属性中(包括cube配置重写的属性)返回键值开头为kylin.engine.spark-conf.的所有属性:
修复方案
补丁:https://github.com/apache/kylin/pull/1811/files
补丁调用了 ParameterFilter.checkSparkConf 方法检查所有配置属性键值对:
过滤了一些危险字符:
