This module is designed to exploit the JNDI injection vulnerability
in Druid. The vulnerability specifically affects the indexer/v1/sampler
interface of Druid, enabling an attacker to execute arbitrary commands
on the targeted server.

The vulnerability is found in Apache Kafka client versions ranging from
2.3.0 to 3.3.2. If an attacker can set the sasl.jaas.config
property of any of the connector's Kafka clients to com.sun.security.auth.module.JndiLoginModule,
the server establishes a connection with the attacker's LDAP server
and deserializes the LDAP response. This gives the attacker the capability
to execute Java deserialization gadget chains on the Kafka Connect server,
potentially leading to unrestricted deserialization of untrusted data or even
remote code execution (RCE) if there are relevant gadgets in the classpath.

To facilitate the exploitation process, this module will initiate an LDAP server
that the target server needs to connect to in order to carry out the attack.
- RedWay Security <firstname.lastname@example.org>
- Jari Jääskelä <https://github.com/jarijaas>
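
A defensive check for the condition described above, as an added example that is not part of the module or of Druid or Kafka: it scans a JSON request body for any sasl.jaas.config value naming JndiLoginModule and tests a kafka-clients version against the 2.3.0 to 3.3.2 range. The sample body's nesting, its other field names and the broker address are constructed assumptions, not Druid's documented schema.

```python
import json
import re

# Property name and login module class named in the description above.
JAAS_KEY = "sasl.jaas.config"
JNDI_MODULE = "com.sun.security.auth.module.JndiLoginModule"
# Affected Apache Kafka clients range stated above (inclusive).
AFFECTED_MIN, AFFECTED_MAX = (2, 3, 0), (3, 3, 2)

def find_jndi_jaas(node, path="$"):
    """Return the JSON paths where sasl.jaas.config names JndiLoginModule."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == JAAS_KEY and isinstance(value, str) and JNDI_MODULE in value:
                hits.append(child)
            else:
                hits.extend(find_jndi_jaas(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_jndi_jaas(item, f"{path}[{i}]"))
    return hits

def scan_body(raw):
    """Scan a raw request body; unparseable bodies get a substring check."""
    try:
        return find_jndi_jaas(json.loads(raw))
    except json.JSONDecodeError:
        return ["<raw>"] if JAAS_KEY in raw and JNDI_MODULE in raw else []

def kafka_clients_affected(version):
    """True if a kafka-clients version string falls in the affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return AFFECTED_MIN <= tuple(map(int, m.groups())) <= AFFECTED_MAX

# Constructed request body: the nesting, the other field names and the
# broker address are hypothetical and only illustrate a nested property.
SAMPLE_BODY = json.dumps({
    "spec": {"io": {"consumerProperties": {
        "bootstrap.servers": "broker.example:9092",
        JAAS_KEY: JNDI_MODULE + " required;",
    }}}
})

if __name__ == "__main__":
    print(scan_body(SAMPLE_BODY), kafka_clients_affected("3.3.2"))
```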