
Apache Flink - Remote Code Execution

By kannthu

Critical
Vidoc Module
#apache #flink #rce #intrusive #unauth
Description

What is "Apache Flink - Remote Code Execution"?

The "Apache Flink - Remote Code Execution" module is designed to detect an unauthenticated remote code execution vulnerability in Apache Flink, a distributed processing framework for big data. This vulnerability can be classified as CWE-77 and has a critical severity level with a CVSS score of 10. The module was authored by pikpikcu.

Impact

If successfully exploited, this vulnerability allows an attacker to execute arbitrary code on the target system. This can lead to unauthorized access, data theft, system compromise, and potential disruption of critical services.

How does the module work?

The module sends a POST request to the "/jars/upload" endpoint of the Apache Flink server, attempting to upload a malicious JAR file. The request includes a multipart/form-data payload with a randomly generated alphanumeric filename. The module then applies several matching conditions to determine if the vulnerability is present:

- The response header must contain the word "application/json".
- The response body must contain the words "success" and "_poc.jar".
- The response status code must be 200.

If all the matching conditions are met, the module reports the vulnerability.

For example, the module's HTTP request template looks like this:

POST /jars/upload HTTP/1.1
Host: <Hostname>
Content-Type: multipart/form-data;boundary=8ce4b16b22b58894aa86c421e8759df3

--8ce4b16b22b58894aa86c421e8759df3
Content-Disposition: form-data; name="jarfile";filename="poc.jar"
Content-Type:application/octet-stream

<randTextAlphanumeric(10)>
--8ce4b16b22b58894aa86c421e8759df3--
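The following is an added example, not code from the Vidoc module itself: it parses a raw HTTP response and applies the module's three matching conditions with the same AND semantics, so the logic can be checked offline against constructed sample responses (a success body shaped like Flink's upload reply, a rejected upload, and a 200 whose body lacks the expected words). It assumes the "word" matcher is a plain case-sensitive substring check.

```python
"""Evaluate the module's matching conditions against raw HTTP responses."""
from dataclasses import dataclass


@dataclass
class HttpResponse:
    status: int
    headers: dict  # header names lower-cased
    body: str


def parse_raw_response(raw: str) -> HttpResponse:
    """Split a raw HTTP/1.1 response into status code, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 1)[1].split(" ", 1)[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpResponse(status, headers, body)


def matches_module_conditions(resp: HttpResponse) -> bool:
    """All three conditions from the module must hold (AND).

    "word" is treated as a case-sensitive substring check (assumption).
    """
    header_blob = "\n".join(f"{k}: {v}" for k, v in resp.headers.items())
    header_ok = "application/json" in header_blob
    body_ok = all(word in resp.body for word in ("success", "_poc.jar"))
    status_ok = resp.status == 200
    return header_ok and body_ok and status_ok


# Constructed sample responses; none were captured from a real host.
VULNERABLE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=UTF-8\r\n\r\n"
    '{"filename":"/tmp/flink-web-upload/11111111-2222-3333-4444-555555555555_poc.jar",'
    '"status":"success"}'
)
REJECTED = (
    "HTTP/1.1 401 Unauthorized\r\nContent-Type: text/plain\r\n\r\nUnauthorized"
)
WRONG_BODY = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    '{"errors":["Bad request"]}'
)

if __name__ == "__main__":
    for name, raw in (("VULNERABLE", VULNERABLE), ("REJECTED", REJECTED), ("WRONG_BODY", WRONG_BODY)):
        print(name, "->", matches_module_conditions(parse_raw_response(raw)))
```

Only the first sample satisfies every condition; the 401 fails on status and header, and the last fails on the body words even though status and content type match.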

It is important to note that this module is specifically designed to detect the presence of the Apache Flink remote code execution vulnerability and does not attempt to exploit it.

For more information, you can refer to the following references:

- https://www.exploit-db.com/exploits/48978
- https://adamc95.m

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
word: application/json AND
word: success, _poc.jar AND
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability